Index: /trunk/src/VBox/Devices/Graphics/DevVGA.cpp
===================================================================
--- /trunk/src/VBox/Devices/Graphics/DevVGA.cpp	(revision 88544)
+++ /trunk/src/VBox/Devices/Graphics/DevVGA.cpp	(revision 88545)
@@ -3922,4 +3922,24 @@
                                ("Unsupported %u compression.\n", pThisCC->LogoCompression),
                                VERR_INVALID_PARAMETER);
+
+        AssertLogRelMsgReturn(pFileHdr->cbFileSize > pFileHdr->offBits,
+                               ("Wrong bitmap data offset %u.\n", pFileHdr->offBits),
+                               VERR_INVALID_PARAMETER);
+
+        uint32_t cbFileData = pFileHdr->cbFileSize - pFileHdr->offBits;
+        uint32_t cbImageData = pThisCC->cxLogo * pThisCC->cyLogo * pThisCC->cLogoPlanes;
+
+        /* TBD: Take 32bit rows padding into account */
+        if (pThisCC->cLogoBits == 4)
+        {
+            cbImageData /= 2;
+        } else if (pThisCC->cLogoBits == 24)
+        {
+            cbImageData *= 3;
+        }
+
+        AssertLogRelMsgReturn(cbImageData <= cbFileData,
+            ("Wrong BMP header data %d\n", cbImageData),
+            VERR_INVALID_PARAMETER);
 
         /*