--- array.c.old 2008-07-21 12:41:28.000000000 -0700 +++ array.c 2008-07-21 12:50:34.000000000 -0700 @@ -20,6 +20,7 @@ static ID id_cmp; #define ARY_DEFAULT_SIZE 16 +#define ARY_MAX_SIZE (LONG_MAX / sizeof(VALUE)) void rb_mem_clear(mem, size) @@ -2265,10 +2266,10 @@ break; } rb_ary_modify(ary); - end = beg + len; - if (end < 0) { + if (beg >= ARY_MAX_SIZE || len > ARY_MAX_SIZE - beg) { rb_raise(rb_eArgError, "argument too big"); } + end = beg + len; if (end > RARRAY(ary)->len) { if (end >= RARRAY(ary)->aux.capa) { REALLOC_N(RARRAY(ary)->ptr, VALUE, end);