Diffstat (limited to 'src')
| -rw-r--r-- | src/array.c | 7 | ||||
| -rw-r--r-- | src/kernel.c | 3 |
2 files changed, 9 insertions, 1 deletions
diff --git a/src/array.c b/src/array.c
index 48dc1ff10..1ca7dd2a4 100644
--- a/src/array.c
+++ b/src/array.c
@@ -298,6 +298,9 @@ mrb_ary_plus(mrb_state *mrb, mrb_value self)
 mrb_int blen;
 mrb_get_args(mrb, "a", &ptr, &blen);
+ if (ARY_MAX_SIZE - blen < a1->len) {
+ mrb_raise(mrb, E_ARGUMENT_ERROR, "array size too big");
+ }
 ary = mrb_ary_new_capa(mrb, a1->len + blen);
 a2 = mrb_ary_ptr(ary);
 array_copy(a2->ptr, a1->ptr, a1->len);
@@ -351,7 +354,9 @@ mrb_ary_times(mrb_state *mrb, mrb_value self)
 mrb_raise(mrb, E_ARGUMENT_ERROR, "negative argument");
 }
 if (times == 0) return mrb_ary_new(mrb);
-
+ if (ARY_MAX_SIZE / times < a1->len) {
+ mrb_raise(mrb, E_ARGUMENT_ERROR, "array size too big");
+ }
 ary = mrb_ary_new_capa(mrb, a1->len * times);
 a2 = mrb_ary_ptr(ary);
 ptr = a2->ptr;
diff --git a/src/kernel.c b/src/kernel.c
index 9d056178e..b5b13f874 100644
--- a/src/kernel.c
+++ b/src/kernel.c
@@ -369,6 +369,9 @@ mrb_obj_dup(mrb_state *mrb, mrb_value obj)
 if (mrb_immediate_p(obj)) {
 mrb_raisef(mrb, E_TYPE_ERROR, "can't dup %S", obj);
 }
+ if (mrb_type(obj) == MRB_TT_SCLASS) {
+ mrb_raise(mrb, E_TYPE_ERROR, "can't dup singleton class");
+ }
 p = mrb_obj_alloc(mrb, mrb_type(obj), mrb_obj_class(mrb, obj));
 dup = mrb_obj_value(p);
 init_copy(mrb, dup, obj); |
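Review bot: The new size guards in mrb_ary_plus and mrb_ary_times (second hunk) are deliberately written as `ARY_MAX_SIZE - blen < a1->len` and `ARY_MAX_SIZE / times < a1->len` so that the comparison itself cannot overflow, but nothing in the code records that. A later tidy-up to `a1->len + blen > ARY_MAX_SIZE` would bring back the overflow ahead of mrb_ary_new_capa. I would add a comment above each guard, for example `/* compare by subtraction: a1->len + blen may overflow before the capacity is checked */`. The subtraction form also relies on blen being non-negative, which presumably holds for a length filled in by mrb_get_args with "a" but is worth confirming. Both function bodies start and end outside their hunks.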
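Review bot: The MRB_TT_SCLASS rejection is added only in mrb_obj_dup, ahead of mrb_obj_alloc and init_copy. Any other routine that copies an object through init_copy is outside this hunk, so it should be confirmed that each of them rejects a singleton class too, otherwise the same copy stays reachable by another path. A short comment above the check saying why the copy is refused would help the next reader, e.g. `/* singleton classes must not be duplicated; reject before allocating the copy */`. The body of mrb_obj_dup continues on both sides of the hunk.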
