Quench the other 2 ways obscure ways of abusing positional parameters

to generate bogus array indexes. These two are inside the vector
formatting code.

p4raw-id: //depot/perl@26320

diff --git a/sv.c b/sv.c
index 19a2ce7..fc2540d 100644 (file)
--- a/sv.c
+++ b/sv.c
@@ -7977,9 +7977,12 @@ Perl_sv_vcatpvfn(pTHX_ SV *sv, const char *pat, STRLEN patlen, va_list *args, SV
            if (vectorarg) {
                if (args)
                    vecsv = va_arg(*args, SV*);
-               else
-                   vecsv = (evix ? evix <= svmax : svix < svmax) ?
-                       svargs[evix ? evix-1 : svix++] : &PL_sv_undef;
+               else if (evix) {
+                   vecsv = (evix > 0 && evix <= svmax)
+                       ? svargs[evix-1] : &PL_sv_undef;
+               } else {
+                   vecsv = svix < svmax ? svargs[svix++] : &PL_sv_undef;
+               }
                dotstr = SvPV_const(vecsv, dotstrlen);
                if (DO_UTF8(vecsv))
                    is_utf8 = TRUE;
@@ -7987,7 +7990,7 @@ Perl_sv_vcatpvfn(pTHX_ SV *sv, const char *pat, STRLEN patlen, va_list *args, SV
            if (args) {
                VECTORIZE_ARGS
            }
-           else if (efix ? efix <= svmax : svix < svmax) {
+           else if (efix ? (efix > 0 && efix <= svmax) : svix < svmax) {
                vecsv = svargs[efix ? efix-1 : svix++];
                vecstr = (U8*)SvPV_const(vecsv,veclen);
                vec_utf8 = DO_UTF8(vecsv);

diff --git a/t/op/sprintf.t b/t/op/sprintf.t
index 35bb8e6..4130a5a 100755 (executable)
--- a/t/op/sprintf.t
+++ b/t/op/sprintf.t
@@ -421,3 +421,5 @@ __END__
 >%#b<          >0<     >0<
 >%#o<          >0<     >0<
 >%#x<          >0<     >0<
+>%2918905856$v2d<      >''<    ><
+>%*2918905856$v2d<     >''<    > UNINIT<