diff --git a/ChangeLog b/ChangeLog
index 45f11b6413..de313392c1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+Thu Aug 5 12:39:14 2010 Nobuyoshi Nakada
+
+ * string.c (str_make_independent_expand): fix buffer overflow
+ while shrinking.
+
 Thu Aug 5 06:42:31 2010 Tanaka Akira
 * file.c (realpath_rec): call rb_str_modify before rb_str_set_len.
diff --git a/string.c b/string.c
index d27c67a948..865de57271 100644
--- a/string.c
+++ b/string.c
@@ -1271,8 +1271,9 @@ str_make_independent_expand(VALUE str, long expand)
 ptr = ALLOC_N(char, len+expand+1);
 if (RSTRING_PTR(str)) {
- memcpy(ptr, RSTRING_PTR(str), len);
+ memcpy(ptr, RSTRING_PTR(str), expand < 0 ? len + expand : len);
 }
+ len += expand;
 STR_SET_NOEMBED(str);
 ptr[len] = 0;
 RSTRING(str)->as.heap.ptr = ptr;
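Review bot: The unconditional `len += expand;` added ahead of `ptr[len] = 0;` in string.c also applies when `expand` is positive, so the terminator moves to the end of the enlarged buffer and the bytes between the copied content and that terminator are whatever ALLOC_N returned, which as far as I know is not zeroed. If the statements after the hunk (not visible here) store `len` as the string's length, a grown string would expose uninitialized heap memory; adjusting only on the shrink path, `if (expand < 0) len += expand;`, keeps the previous behaviour for growth. Separately, nothing in the hunk bounds `expand` from below: for `expand < -len` the `len + expand` handed to memcpy is negative and converts to a huge size, and `ptr[len]` then indexes before the buffer, so a guard such as `if (expand < -len) expand = -len;` ahead of ALLOC_N would make the caller contract explicit. The function body starts and ends outside the hunk, so any existing range check there should be confirmed.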