Correct.  The bitcoins will be safe as long as you don't try to spend them.  As soon as you spend them, you will make your public key available and then (if ECDSA is completely broken) someone can alter the transaction and re-transmit it.  At that point you have a race to see which transaction is confirmed first.

As such, if ECDSA is suddenly completely broken such that there isn't time to move to a new signature algorithm, then an industry of trusted mining will have to evolve.  It will become necessary to be able to submit a transaction directly to a trusted miner that will confirm the transaction into a block without relaying it to others that might modify before it is confirmed.

Furthermore, if SHA-256 becomes so broken that a block can be solved within fractions of a second regardless of difficulty, then there are likely to be some issues with confirmations that will need to be resolved.  There are a few ways to deal with such a situation. They are all pretty messy, but it can be done if necessary.

Far more likely is that these algorithms slowly become slightly weaker over time.  As such there is plenty of time to replace any of them before they become a serious problem.