diff --git a/glx/single2.c b/glx/single2.c
index 36a01f0cb..948d00f1d 100644
--- a/glx/single2.c
+++ b/glx/single2.c
@@ -61,6 +61,10 @@ __glXDisp_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
 pc += __GLX_SINGLE_HDR_SIZE;
 size = *(GLsizei *) (pc + 0);
 type = *(GLenum *) (pc + 4);
+ if (size < 0) {
+ cl->client->errorValue = size;
+ return BadValue;
+ }
 if (cx->feedbackBufSize < size) {
 cx->feedbackBuf = reallocarray(cx->feedbackBuf, (size_t) size, __GLX_SIZE_FLOAT32);
@@ -91,6 +95,10 @@ __glXDisp_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
 pc += __GLX_SINGLE_HDR_SIZE;
 size = *(GLsizei *) (pc + 0);
+ if (size < 0) {
+ cl->client->errorValue = size;
+ return BadValue;
+ }
 if (cx->selectBufSize < size) {
 cx->selectBuf = reallocarray(cx->selectBuf, (size_t) size, __GLX_SIZE_CARD32);
diff --git a/glx/single2swap.c b/glx/single2swap.c
index b140946ba..fdc093900 100644
--- a/glx/single2swap.c
+++ b/glx/single2swap.c
@@ -62,6 +62,10 @@ __glXDispSwap_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
 __GLX_SWAP_INT(pc + 4);
 size = *(GLsizei *) (pc + 0);
 type = *(GLenum *) (pc + 4);
+ if (size < 0) {
+ cl->client->errorValue = size;
+ return BadValue;
+ }
 if (cx->feedbackBufSize < size) {
 cx->feedbackBuf = reallocarray(cx->feedbackBuf, (size_t) size, __GLX_SIZE_FLOAT32);
@@ -96,6 +100,10 @@ __glXDispSwap_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
 pc += __GLX_SINGLE_HDR_SIZE;
 __GLX_SWAP_INT(pc + 0);
 size = *(GLsizei *) (pc + 0);
+ if (size < 0) {
+ cl->client->errorValue = size;
+ return BadValue;
+ }
 if (cx->selectBufSize < size) {
 cx->selectBuf = reallocarray(cx->selectBuf, (size_t) size, __GLX_SIZE_CARD32);
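Review bot: Only negative sizes are rejected here, so for any positive client-supplied `size` the `reallocarray` call just below still assigns its result straight over `cx->feedbackBuf`; if the allocation fails, the old buffer is leaked and the pointer becomes NULL. Whether `cx->feedbackBufSize` keeps its old value on that path is decided below the hunk and should be confirmed, because a stale size paired with a NULL buffer would let a later, smaller request skip the reallocation. Consider going through a temporary, `void *tmp = reallocarray(cx->feedbackBuf, (size_t) size, __GLX_SIZE_FLOAT32);`, and storing it only on success. The same pattern appears in the `__glXDisp_SelectBuffer` hunk and in both hunks of glx/single2swap.c; each function body continues outside its hunk.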
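Review bot: The new `size < 0` test in `__glXDispSwap_FeedbackBuffer` is only meaningful because it runs after the size field has been byte-swapped, and nothing in the code records that ordering dependency. In `__glXDispSwap_SelectBuffer` the `__GLX_SWAP_INT(pc + 0)` is visible directly above the read; in this function the matching swap is presumably on the line just before the hunk. A short comment on the check, such as `/* size is client-supplied: validate after the swap above, before it is used as an allocation length */`, would keep a later reorder from testing the unswapped value. The function body starts and ends outside the hunk.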