diff --git a/ChangeLog b/ChangeLog
index c402d960db..bf7f3be52b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,7 @@
-Thu Aug  6 10:44:00 2015  Nobuyoshi Nakada  <nobu@ruby-lang.org>
+Thu Aug  6 10:49:57 2015  Nobuyoshi Nakada  <nobu@ruby-lang.org>
+
+	* node.c (rb_alloc_tmp_buffer): round up the size and check the
+	  range.
 
 	* ruby_atomic.h (ATOMIC_VALUE_EXCHANGE, ATOMIC_VALUE_CAS): add
 	  atomic operations for VALUE.
diff --git a/node.c b/node.c
index 84e7bddf34..022f5e0925 100644
--- a/node.c
+++ b/node.c
@@ -1079,10 +1079,18 @@ rb_gc_mark_node(NODE *obj)
 void *
 rb_alloc_tmp_buffer(volatile VALUE *store, long len)
 {
-    NODE *s = rb_node_newnode(NODE_ALLOCA, 0, 0, 0);
-    void *ptr = xmalloc(len);
-    s->u1.node = ptr;
-    s->u3.cnt = len / sizeof(VALUE);
+    NODE *s;
+    long cnt;
+    void *ptr;
+
+    if (len < 0 || (cnt = (long)roomof(len, sizeof(VALUE))) < 0) {
+	rb_raise(rb_eArgError, "negative buffer size (or size too big)");
+    }
+
+    s = rb_node_newnode(NODE_ALLOCA, 0, 0, 0);
+    ptr = xmalloc(cnt * sizeof(VALUE));
+    s->u1.value = (VALUE)ptr;
+    s->u3.cnt = cnt;
     *store = (VALUE)s;
     return ptr;
 }