diff --git a/sys/dev/sound/pcm/sndstat.c b/sys/dev/sound/pcm/sndstat.c
--- a/sys/dev/sound/pcm/sndstat.c
+++ b/sys/dev/sound/pcm/sndstat.c
@@ -956,11 +956,33 @@
 {
 int err;
 struct sndstat_file *pf;
+ struct sndstioc_nv_arg *arg;
+#ifdef COMPAT_FREEBSD32
+ struct sndstioc_nv_arg32 *arg32;
+#endif
 
 err = devfs_get_cdevpriv((void **)&pf);
 if (err != 0)
 return (err);
 
+ /* Make sure we do not pass an invalid size to malloc(). */
+ switch (cmd) {
+ case SNDSTIOC_GET_DEVS:
+ case SNDSTIOC_ADD_USER_DEVS:
+ arg = (struct sndstioc_nv_arg *)data;
+ if (arg->nbytes < 0 || arg->nbytes > (sizeof(size_t) * 8 - 1))
+ return (EINVAL);
+ break;
+#ifdef COMPAT_FREEBSD32
+ case SNDSTIOC_GET_DEVS32:
+ case SNDSTIOC_ADD_USER_DEVS32:
+ arg32 = (struct sndstioc_nv_arg32 *)data;
+ if (arg32->nbytes < 0 || arg32->nbytes > (sizeof(uint32_t) * 8 - 1))
+ return (EINVAL);
+ break;
+#endif
+ }
+
 switch (cmd) {
 case SNDSTIOC_GET_DEVS:
 err = sndstat_get_devs(pf, data);
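Review bot: The upper bound in both new checks is the bit width of the type minus one (`sizeof(size_t) * 8 - 1` is 63 on LP64, and `sizeof(uint32_t) * 8 - 1` is 31), so as written any request whose `nbytes` exceeds 63 or 31 bytes gets `EINVAL`. That looks like a shift count rather than the intended size limit. If the goal is to keep a user-controlled length from reaching malloc() unchecked, compare against an explicit byte limit instead, e.g. `if (arg->nbytes > MAX_NV_BYTES) return (EINVAL);`, where `MAX_NV_BYTES` is a placeholder for a limit the driver defines, with the same limit applied in the COMPAT_FREEBSD32 arm. If `nbytes` is an unsigned type, as the `size_t`/`uint32_t` bounds suggest (the struct definitions are not in this hunk), the `< 0` tests are always false and can be dropped. The function starts and ends outside this hunk, so how the handlers use `nbytes` afterwards is not visible here.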