DevVGA_VDMA.cpp: Added missing+buggy bits from ?bugref:9054.

git-svn-id: https://www.virtualbox.org/svn/vbox/trunk@71588 cfe28804-0f27-0410-a406-dd0f0b0b656f

1 files changed, 20 insertions, 1 deletions

diff --git a/src/VBox/Devices/Graphics/DevVGA_VDMA.cpp b/src/VBox/Devices/Graphics/DevVGA_VDMA.cpp
index ddef389219e..175500d7cda 100644
--- a/src/VBox/Devices/Graphics/DevVGA_VDMA.cpp
+++ b/src/VBox/Devices/Graphics/DevVGA_VDMA.cpp
@@ -2558,7 +2558,7 @@ static int vboxVDMACmdExecBltPerform(PVBOXVDMAHOST pVdma, const VBOXVIDEOOFFSET
         for (uint32_t i = 0; ; ++i)
         {
             if (   cbDstLine <= cbVRamSize
-                && (uintptr_t)pbSrcStart - (uintptr_t)pbRam <= cbVRamSize - cbDstLine
+                && (uintptr_t)pbDstStart - (uintptr_t)pbRam <= cbVRamSize - cbDstLine
                 && (uintptr_t)pbSrcStart - (uintptr_t)pbRam <= cbVRamSize - cbDstLine)
                 memcpy(pbDstStart, pbSrcStart, cbDstLine);
             else
@@ -2714,6 +2714,25 @@ static int vboxVDMACmdExecBpbTransfer(PVBOXVDMAHOST pVdma, const VBOXVDMACMD_DMA
      */
     uint32_t    cbTransfered = 0;
     int         rc           = VINF_SUCCESS;
+
+    if (pTransfer->fFlags & VBOXVDMACMD_DMA_BPB_TRANSFER_F_SRC_VRAMOFFSET)
+    {
+        if (RT_LIKELY(   pTransfer->cbTransferSize <= pVGAState->vram_size
+                      && pTransfer->Src.offVramBuf <= pVGAState->vram_size - pTransfer->cbTransferSize))
+        { /* likely */ }
+        else
+            return VERR_INVALID_PARAMETER;
+    }
+
+    if (pTransfer->fFlags & VBOXVDMACMD_DMA_BPB_TRANSFER_F_DST_VRAMOFFSET)
+    {
+        if (RT_LIKELY(   pTransfer->cbTransferSize <= pVGAState->vram_size
+                      && pTransfer->Dst.offVramBuf <= pVGAState->vram_size - pTransfer->cbTransferSize))
+        { /* likely */ }
+        else
+            return VERR_INVALID_PARAMETER;
+    }
+
     do
     {
         uint32_t cbSubTransfer = cbTransfer;