diff --git a/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c b/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c
index 1faa25d0c28c04a8b946451bf40feb68012510ba..2912230610880e1ad8c11dc0f31e111a7c3e1728 100644
--- a/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c
+++ b/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c
@@ -900,6 +900,13 @@ ecma_builtin_array_prototype_object_slice (ecma_value_t arg1, /**< start */
 return new_array;
 }
+ /* Source array's length could be changed during the start/end normalization. * If the "end" value is greater than the current length, clamp the value to avoid buffer-overflow. */
+ if (ext_from_obj_p->u.array.length < end)
+ {
+ end = ext_from_obj_p->u.array.length;
+ }
+ ecma_extended_object_t *ext_to_obj_p = (ecma_extended_object_t *) new_array_p;
#if ENABLED (JERRY_ES2015)
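Review bot: The clamp at `if (ext_from_obj_p->u.array.length < end)` bounds only `end`; `start` was normalized against the pre-callback length and is left untouched, so after a shrink `start` can now exceed the clamped `end`, and the copy code that follows this hunk (outside the view) has to tolerate `start > end` without an unsigned underflow in any `end - start` count. Adding `if (start > end) { start = end; }` directly after the clamp makes the empty-result case explicit instead of relying on that loop's shape. This is a memory-safety fix for user code running inside the start/end conversion (e.g. a `valueOf` that reassigns `length`), so a regression test that shrinks the source array from within `valueOf` during `slice` belongs with it; none is visible in this hunk. The same callback could presumably also change the array's storage representation rather than only its length, which a length clamp alone does not cover — worth confirming the fast-array buffer is re-read after this point. The enclosing function `ecma_builtin_array_prototype_object_slice` starts before this hunk and continues after it.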