diff --git a/ChangeLog b/ChangeLog
index eb110f0b38..3d59e8f21a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+Sat Nov 7 20:59:11 2009 Nobuyoshi Nakada
+
+	* vm_insnhelper.c (vm_push_frame): get rid of out-of-bounds
+	  access.
+
 Sat Nov 7 12:41:19 2009 Yukihiro Matsumoto
 
 	* vm_insnhelper.c (VM_CALLEE_SETUP_ARG): revert r25521.
diff --git a/eval.c b/eval.c
index c3bde6b9e4..9ac63889cf 100644
--- a/eval.c
+++ b/eval.c
@@ -15,6 +15,7 @@
 #include "iseq.h"
 #include "gc.h"
 #include "ruby/vm.h"
+#include "ruby/encoding.h"
 
 #define numberof(array) (int)(sizeof(array) / sizeof((array)[0]))
 
diff --git a/vm.c b/vm.c
index 91a5c6d5ab..2ff61aa645 100644
--- a/vm.c
+++ b/vm.c
@@ -92,7 +92,7 @@ vm_set_top_stack(rb_thread_t * th, VALUE iseqval)
 		  th->top_self, 0, iseq->iseq_encoded,
 		  th->cfp->sp, 0, iseq->local_size);
 
-    CHECK_STACK_OVERFLOW(th->cfp, iseq->stack_max);
+    CHECK_STACK_OVERFLOW(th->cfp, iseq->stack_max);
 }
 
 static void
diff --git a/vm_insnhelper.c b/vm_insnhelper.c
index 6d4887024b..0660c7dd03 100644
--- a/vm_insnhelper.c
+++ b/vm_insnhelper.c
@@ -29,7 +29,9 @@ vm_push_frame(rb_thread_t * th, const rb_iseq_t * iseq,
     rb_control_frame_t * const cfp = th->cfp - 1;
     int i;
 
-    CHECK_STACK_OVERFLOW(th->cfp, local_size);
+    if ((void *)(sp + local_size) >= (void *)cfp) {
+	rb_exc_raise(sysstack_error);
+    }
 
     th->cfp = cfp;
     /* setup vm value stack */
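Review bot: The open-coded bound `(void *)(sp + local_size) >= (void *)cfp` in vm_push_frame deserves a comment, because a relational comparison of two pointers is only defined when both point into the same object; the check presumably relies on the VALUE stack and the control-frame array sharing one VM stack allocation, and a reader seeing only the `void *` casts cannot tell that from the hunk. The bound is also exact: it rejects only when the slot just past the last local reaches `cfp`, so if the body (which continues outside the hunk) writes any slot beyond `sp[local_size - 1]` before the caller's `CHECK_STACK_OVERFLOW(th->cfp, iseq->stack_max)` seen in the vm.c hunk runs, that slot is unguarded — worth confirming against the rest of the function. Suggested comment above the `if`: `/* sp and cfp lie in the same VM stack allocation, so the pointer comparison is well-defined; the new frame's locals must end below the control frame being pushed. */`. If the old macro is still used elsewhere with `th->cfp->sp`, consider giving this `sp`-based variant a shared helper rather than leaving the two checks to drift apart.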