Index: sys/i386/isa/vesa.c
diff -u sys/i386/isa/vesa.c:1.32 sys/i386/isa/vesa.c:1.32.10.1
--- sys/i386/isa/vesa.c:1.32	Sat Jan 29 07:08:40 2000
+++ sys/i386/isa/vesa.c	Tue Aug 13 05:12:40 2002
@@ -1317,7 +1317,9 @@
 	int bits;
 	int error;
 
-	if ((base < 0) || (base >= 256) || (base + count > 256))
+	if ((base < 0) || (base >= 256) || (count < 0) || (count > 256))
+		return 1;
+	if (base + count > 256)
 		return 1;
 	if (!(vesa_adp_info->v_flags & V_DAC8) || !VESA_MODE(adp->va_mode))
 		return 1;
Index: sys/kern/uipc_syscalls.c
diff -u sys/kern/uipc_syscalls.c:1.65.2.9 sys/kern/uipc_syscalls.c:1.65.2.9.6.1
--- sys/kern/uipc_syscalls.c:1.65.2.9	Tue Jul 31 03:49:39 2001
+++ sys/kern/uipc_syscalls.c	Tue Aug 13 05:12:41 2002
@@ -206,6 +206,8 @@
 			sizeof (namelen));
 		if(error)
 			return (error);
+		if (namelen < 0)
+			return (EINVAL);
 	}
 	error = holdsock(fdp, uap->s, &lfp);
 	if (error)
@@ -1193,6 +1195,10 @@
 		fdrop(fp, p);
 		return (error);
 	}
+	if (len < 0) {
+		fdrop(fp, p);
+		return (EINVAL);
+	}
 	so = (struct socket *)fp->f_data;
 	sa = 0;
 	error = (*so->so_proto->pr_usrreqs->pru_sockaddr)(so, &sa);
@@ -1271,6 +1277,10 @@
 	if (error) {
 		fdrop(fp, p);
 		return (error);
+	}
+	if (len < 0) {
+		fdrop(fp, p);
+		return (EINVAL);
 	}
 	sa = 0;
 	error = (*so->so_proto->pr_usrreqs->pru_peeraddr)(so, &sa);