+
+
+# [perl #130915] heap-buffer-overflow in Perl_do_vecget
+
+{
+ # ensure that out-of-STRLEN-range offsets are handled correctly. This
+ # partially duplicates some tests above, but those cases are repeated
+ # here for completeness.
+ #
+ # Note that all the 'Out of memory!' errors trapped eval {} are 'fake'
+ # croaks generated by pp_vec() etc when they have detected something
+ # that would have otherwise overflowed. The real 'Out of memory!'
+ # error thrown by safesysrealloc() etc is not trappable. If it were
+ # accidentally triggered in this test script, the script would exit at
+ # that point.
+
+
+ my $s = "abcdefghijklmnopqrstuvwxyz";
+ my $x;
+
+ # offset is SvIOK_UV
+
+ $x = vec($s, ~0, 8);
+ is($x, 0, "RT 130915: UV_MAX rval");
+ eval { vec($s, ~0, 8) = 1 };
+ like($@, qr/^Out of memory!/, "RT 130915: UV_MAX lval");
+
+ # offset is negative
+
+ $x = vec($s, -1, 8);
+ is($x, 0, "RT 130915: -1 rval");
+ eval { vec($s, -1, 8) = 1 };
+ like($@, qr/^Negative offset to vec in lvalue context/,
+ "RT 130915: -1 lval");
+
+ # offset positive but doesn't fit in a STRLEN
+
+ SKIP: {
+ skip 'IV is no longer than size_t', 2
+ if $Config{ivsize} <= $Config{sizesize};
+
+ my $size_max = (1 << (8 *$Config{sizesize})) - 1;
+ my $sm2 = $size_max * 2;
+
+ $x = vec($s, $sm2, 8);
+ is($x, 0, "RT 130915: size_max*2 rval");
+ eval { vec($s, $sm2, 8) = 1 };
+ like($@, qr/^Out of memory!/, "RT 130915: size_max*2 lval");
+ }
+}