diff --git a/lib/Runtime/Library/JavascriptArray.cpp b/lib/Runtime/Library/JavascriptArray.cpp
index d33b7f125a2..4aa84f0c9c9 100644
--- a/lib/Runtime/Library/JavascriptArray.cpp
+++ b/lib/Runtime/Library/JavascriptArray.cpp
@@ -5334,7 +5334,7 @@ namespace Js
                 ((SparseArraySegment*)seg)->ReverseSegment(recycler);
             }
-            seg->left = ((uint32)length) - (seg->left + seg->length);
+            seg->left = ((uint32)length) > (seg->left + seg->length) ? ((uint32)length) - (seg->left + seg->length) : 0;
             seg->next = prevSeg;
             // Make sure size doesn't overlap with next segment.
diff --git a/test/Array/Array_TypeConfusion_bugs.js b/test/Array/Array_TypeConfusion_bugs.js
index d432607f1aa..e1867424929 100644
--- a/test/Array/Array_TypeConfusion_bugs.js
+++ b/test/Array/Array_TypeConfusion_bugs.js
@@ -574,5 +574,24 @@ var tests = [
             assert.areEqual([0x41424344], Array.prototype.slice.call(y));
         }
     },
+    {
+        name: "[MSRC34994,35226] heap overflow in Array.prototype.reverse",
+        body: function ()
+        {
+            var count = 0;
+            arr = new Array(100);
+            var desc = Object.getOwnPropertyDescriptor(Array.prototype, 1);
+            Object.defineProperty(Array.prototype, 1, { get: function () {
+                count++;
+                if (count == 1) {
+                    arr.push(null);
+                }
+            }});
+
+            arr.reverse();
+            restorePropertyFromDescriptor(Array.prototype, 1, desc);
+            assert.areEqual(101, arr.length);
+        }
+    },
 ];
 testRunner.runTests(tests, { verbose: WScript.Arguments[0] != "summary" });
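Review bot: The clamp on the new `seg->left` line stops the unsigned subtraction from wrapping, but it leaves no record of why a segment can extend past `length` at this point, and a segment silently relocated to `left = 0` may now overlap the segment already linked in as `prevSeg`; whether the "Make sure size doesn't overlap with next segment" logic that follows also accounts for a clamped `left` is not visible in this hunk, so that should be confirmed. The enclosing function starts and ends outside the hunk. I would name the end offset once and state the invariant being defended, e.g. `uint32 segEnd = seg->left + seg->length; // can exceed length if a getter re-entered and grew the array (see Array_TypeConfusion_bugs.js)` followed by `seg->left = ((uint32)length) > segEnd ? ((uint32)length) - segEnd : 0;`, rather than repeating `(seg->left + seg->length)` twice in one ternary. Note that `seg->left + seg->length` is itself an unchecked `uint32` sum; whether it can wrap for a segment near the maximum array length is not determinable from the hunk and is worth a comment or an assertion.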
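Review bot: `arr = new Array(100);` in the new test body assigns an implicit global (no `var`), so the array leaks into the script scope shared with every other test in this file; it should be `var arr = new Array(100);`, which still lets the getter closure reach it. The more important fragility is that `restorePropertyFromDescriptor(Array.prototype, 1, desc)` runs only if `arr.reverse()` returns normally — on the very crash or exception this regression test exists to catch, the `Array.prototype[1]` getter stays installed and poisons the later tests and the `testRunner.runTests` call; wrap it as `try { arr.reverse(); } finally { restorePropertyFromDescriptor(Array.prototype, 1, desc); }` and keep the `assert.areEqual(101, arr.length);` after the `finally`. The `count == 1` comparison would also read better as `===`, though the file's existing `!= "summary"` suggests loose equality is house style here.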