[BZ #13592]
There are several signed compares of the size argument, whereas
it really is unsigned. Depending on the situation, e.g. a "memset(ptr, 0,
-1)" segfaults (but for the wrong reasons, because of jumping into nirvana)
or even succeeds.
In normal use this is harmless, as a size with the sign bit set indicates
more than half the address space, which on x86_64 is impossible to
allocate, but as the size is used to index some jump tables this
potentially could have other unwanted side effects.
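
The failure mode described above, modelled in C as an added example (not code from this commit or from glibc). `SMALL_MAX`, the `path` enum and both dispatch functions are hypothetical, and the model only reports which path a size would select instead of jumping anywhere.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SMALL_MAX 16   /* constructed threshold: sizes below it use the jump table */

enum path { PATH_TABLE, PATH_BULK, PATH_TABLE_OOB };

/* Signed compare of the size, as a signed conditional jump would do it.
   A size with the sign bit set looks negative, passes the "small" test and
   would then be used as a jump-table index far outside the table.
   Assumes intptr_t has the same width as size_t (true on x86_64). */
enum path dispatch_signed(size_t n)
{
    if ((intptr_t)n < SMALL_MAX)
        return n < SMALL_MAX ? PATH_TABLE : PATH_TABLE_OOB; /* model only */
    return PATH_BULK;
}

/* Unsigned compare: every size >= SMALL_MAX takes the bulk path, so the
   table index is always within 0..SMALL_MAX-1. */
enum path dispatch_unsigned(size_t n)
{
    return n < SMALL_MAX ? PATH_TABLE : PATH_BULK;
}

int main(void)
{
    static const char *name[] = { "table", "bulk", "table (index out of range)" };
    /* Constructed sample sizes, including the memset(ptr, 0, -1) case. */
    const size_t sizes[] = { 0, 15, 16, 4096, SIZE_MAX / 2,
                             SIZE_MAX / 2 + 1, (size_t)-1 };

    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("n=%#zx  signed: %s  unsigned: %s\n", sizes[i],
               name[dispatch_signed(sizes[i])],
               name[dispatch_unsigned(sizes[i])]);
    return 0;
}
```

The two dispatchers agree for every size up to `SIZE_MAX / 2` and diverge only once the sign bit is set, which is why the defect stays invisible in normal use.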