diff --git a/ChangeLog b/ChangeLog
index c109511374..00d7d2842c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
 Wed Sep 5 22:02:27 2007 Yukihiro Matsumoto
+ * array.c (rb_ary_subseq): need integer overflow check.
+ [ruby-dev:31736]
+
+ * array.c (rb_ary_splice): ditto. [ruby-dev:31737]
+
+ * array.c (rb_ary_fill): ditto. [ruby-dev:31738]
+
 * string.c (rb_str_splice): integer overflow for length.
 [ruby-dev:31739]
diff --git a/array.c b/array.c
index 7718305d5a..d2cf5ac1f8 100644
--- a/array.c
+++ b/array.c
@@ -683,10 +683,8 @@ rb_ary_subseq(VALUE ary, long beg, long len)
 if (beg > RARRAY_LEN(ary)) return Qnil;
 if (beg < 0 || len < 0) return Qnil;
- if (beg + len > RARRAY_LEN(ary)) {
+ if (RARRAY_LEN(ary) < len || RARRAY_LEN(ary) < beg + len) {
 len = RARRAY_LEN(ary) - beg;
- if (len < 0)
- len = 0;
 }
 klass = rb_obj_class(ary);
 if (len == 0) return ary_new(klass, 0);
@@ -994,7 +992,7 @@ rb_ary_splice(VALUE ary, long beg, long len, VALUE rpl)
 rb_raise(rb_eIndexError, "index %ld out of array", beg);
 }
 }
- if (beg + len > RARRAY_LEN(ary)) {
+ if (RARRAY_LEN(ary) < len || RARRAY_LEN(ary) < beg + len) {
 len = RARRAY_LEN(ary) - beg;
 }
@@ -2140,7 +2138,10 @@ rb_ary_fill(int argc, VALUE *argv, VALUE ary)
 rb_ary_modify(ary);
 ary_iter_check(ary);
 end = beg + len;
- if (end > RARRAY_LEN(ary)) {
+ if (end < 0) {
+ rb_raise(rb_eArgError, "argument too big");
+ }
+ if (RARRAY_LEN(ary) < end) {
 if (end >= ARY_CAPA(ary)) {
 RESIZE_CAPA(ary, end);
 }
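Review bot: In rb_ary_subseq the new condition still contains the addition `beg + len`, and it avoids evaluating it for a huge len only because the left operand short-circuits first. The two guards at the top of the hunk already give 0 <= beg <= RARRAY_LEN(ary), so the clamp can be written with no addition at all as `if (len > RARRAY_LEN(ary) - beg) {`, which covers both cases and does not depend on operand order. If the current form is kept, a comment such as `/* test len first: beg + len must not be evaluated when len is huge */` would keep a later edit from reordering the operands. The function body starts and ends outside the hunk.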
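Review bot: In rb_ary_splice the same condition is not backed by an upper bound on beg: the visible lines only reject a negative index, so if a caller can pass beg larger than the array length (the earlier checks are outside the hunk), `beg + len` can still overflow while len <= RARRAY_LEN(ary), and the clamp `len = RARRAY_LEN(ary) - beg` can leave len negative. Signed overflow is undefined in C, so the comparison cannot be relied on to catch it. Restricting the clamp to in-range indexes avoids both, e.g. `if (beg < RARRAY_LEN(ary) && len > RARRAY_LEN(ary) - beg) {`, provided the code after the hunk handles beg >= RARRAY_LEN(ary) separately and does not read len on that path.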
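Review bot: In rb_ary_fill the `end < 0` test runs after `end = beg + len` has already been computed, so it detects the overflow by relying on signed wraparound, which is undefined behaviour in C and may be removed by an optimizing compiler. Check before adding instead: `if (len > LONG_MAX - beg) rb_raise(rb_eArgError, "argument too big");` placed above the assignment, assuming beg and len are non-negative at this point (their validation is outside the hunk). The new check also only rules out a negative end; whether RESIZE_CAPA can safely take any non-negative `end` is not visible here and is worth confirming.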