diff --git a/ChangeLog b/ChangeLog
index a3428beaa2..6138281a9c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+Fri Jun 18 23:12:22 2004  Nobuyoshi Nakada  <nobu@ruby-lang.org>
+
+	* eval.c (proc_save_safe_level, rb_set_safe_level, safe_setter): limit
+	  safe level.
+
 Wed Jun 16 23:05:57 2004  Yukihiro Matsumoto  <matz@ruby-lang.org>
 
 	* object.c (rb_mod_freeze): prepare string representation before
diff --git a/eval.c b/eval.c
index 2d8eca0ab7..79f3f2ef1b 100644
--- a/eval.c
+++ b/eval.c
@@ -7876,12 +7876,17 @@ rb_f_binding(self)
 
 #define PROC_TSHIFT (FL_USHIFT+1)
 #define PROC_TMASK  (FL_USER1|FL_USER2|FL_USER3)
+#define PROC_TMAX   (PROC_TMASK >> PROC_TSHIFT)
+
+#define SAFE_LEVEL_MAX PROC_TMASK
 
 static void
 proc_save_safe_level(data)
     VALUE data;
 {
-    FL_SET(data, (ruby_safe_level << PROC_TSHIFT) & PROC_TMASK);
+    int safe = ruby_safe_level;
+    if (safe > PROC_TMAX) safe = PROC_TMAX;
+    FL_SET(data, (safe << PROC_TSHIFT) & PROC_TMASK);
 }
 
 static int
@@ -9582,6 +9587,7 @@ rb_set_safe_level(level)
     int level;
 {
     if (level > ruby_safe_level) {
+	if (level > SAFE_LEVEL_MAX) level = SAFE_LEVEL_MAX;
 	ruby_safe_level = level;
 	curr_thread->safe = level;
     }
@@ -9603,6 +9609,7 @@ safe_setter(val)
 	rb_raise(rb_eSecurityError, "tried to downgrade safe level from %d to %d",
 		 ruby_safe_level, level);
     }
+    if (level > SAFE_LEVEL_MAX) level = SAFE_LEVEL_MAX;
     ruby_safe_level = level;
     curr_thread->safe = level;
 }