diff --git a/ChangeLog b/ChangeLog
index feb588e0bd..960e8cd7d4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+Tue Dec 27 19:34:47 2016  Aaron Patterson <tenderlove@ruby-lang.org>
+
+	* variable.c (rb_ivar_count): stop reading past the end of ivptr array.
+	  [Bug #12988]
+
 Tue Dec 27 19:32:03 2016  Nobuyoshi Nakada  <nobu@ruby-lang.org>
 
 	* thread.c (rb_thread_s_abort_exc, rb_thread_s_abort_exc_set):
diff --git a/variable.c b/variable.c
index 691af04d3c..290a10b235 100644
--- a/variable.c
+++ b/variable.c
@@ -1322,7 +1322,7 @@ rb_ivar_count(VALUE obj)
     switch (BUILTIN_TYPE(obj)) {
       case T_OBJECT:
 	if ((tbl = ROBJECT_IV_INDEX_TBL(obj)) != 0) {
-	    st_index_t i, count, num = tbl->num_entries;
+	    st_index_t i, count, num = ROBJECT_NUMIV(obj);
 	    const VALUE *const ivptr = ROBJECT_IVPTR(obj);
 	    for (i = count = 0; i < num; ++i) {
 		if (ivptr[i] != Qundef) {
diff --git a/version.h b/version.h
index 536a7bd8cd..b090b5c7f3 100644
--- a/version.h
+++ b/version.h
@@ -1,6 +1,6 @@
 #define RUBY_VERSION "2.2.7"
 #define RUBY_RELEASE_DATE "2016-12-27"
-#define RUBY_PATCHLEVEL 404
+#define RUBY_PATCHLEVEL 405
 
 #define RUBY_RELEASE_YEAR 2016
 #define RUBY_RELEASE_MONTH 12