In the last argument to sbi_memset() we essentially have the following multiplication: size_t = u16 * u16 Due to C's integer semantics, both u16's are implicitly converted to int before the multiplication, which cannot hold all possible values of a u16 * u16. If the multiplication overflows, the intermediate result will be a negative number. On 64-bit platforms, this will be sign-extended to a huge integer in the conversion to a u64 (aka size_t). Being the size argument to sbi_memset(), this could potentially cause a large out-of-bounds write. The solution is to manually cast one of the u16 to a size_t, which will make it large enough to avoid the implicit conversion and any overflow. Signed-off-by: Jacob Garber <jgarber1@ualberta.ca> Reviewed-by: Bin Meng <bmeng.cn@gmail.com> Reviewed-by: Atish Patra <atish.patra@wdc.com>