From 7ad96abb1ad587ddcec56cda2faec929c6a20956 Mon Sep 17 00:00:00 2001
From: Nicholas Clark
Date: Sun, 11 Dec 2005 12:54:14 +0000
Subject: [PATCH] Quench the other 2 ways obscure ways of abusing positional parameters to generate bogus array indexes. These two are inside the vector formatting code.

p4raw-id: //depot/perl@26320
---
 sv.c | 11 +++++++----
 t/op/sprintf.t | 2 ++
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/sv.c b/sv.c
index 19a2ce7..fc2540d 100644
--- a/sv.c
+++ b/sv.c
@@ -7977,9 +7977,12 @@ Perl_sv_vcatpvfn(pTHX_ SV *sv, const char *pat, STRLEN patlen, va_list *args, SV
 if (vectorarg) {
 if (args)
 vecsv = va_arg(*args, SV*);
- else
- vecsv = (evix ? evix <= svmax : svix < svmax) ?
- svargs[evix ? evix-1 : svix++] : &PL_sv_undef;
+ else if (evix) {
+ vecsv = (evix > 0 && evix <= svmax)
+ ? svargs[evix-1] : &PL_sv_undef;
+ } else {
+ vecsv = svix < svmax ? svargs[svix++] : &PL_sv_undef;
+ }
 dotstr = SvPV_const(vecsv, dotstrlen);
 if (DO_UTF8(vecsv))
 is_utf8 = TRUE;
@@ -7987,7 +7990,7 @@ Perl_sv_vcatpvfn(pTHX_ SV *sv, const char *pat, STRLEN patlen, va_list *args, SV
 if (args) {
 VECTORIZE_ARGS
 }
- else if (efix ? efix <= svmax : svix < svmax) {
+ else if (efix ? (efix > 0 && efix <= svmax) : svix < svmax) {
 vecsv = svargs[efix ? efix-1 : svix++];
 vecstr = (U8*)SvPV_const(vecsv,veclen);
 vec_utf8 = DO_UTF8(vecsv);
diff --git a/t/op/sprintf.t b/t/op/sprintf.t
index 35bb8e6..4130a5a 100755
--- a/t/op/sprintf.t
+++ b/t/op/sprintf.t
@@ -421,3 +421,5 @@ __END__
 >%#b< >0< >0<
 >%#o< >0< >0<
 >%#x< >0< >0<
+>%2918905856$v2d< >''< ><
+>%*2918905856$v2d< >''< > UNINIT<
--
1.8.3.1
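Review bot: In the first sv.c hunk (the `vectorarg` branch) the new `evix > 0` test only catches an explicit index after it has already wrapped negative, so the guard depends on how the digits were accumulated, and that code is outside this hunk. An index that wraps to a positive value no larger than `svmax` would presumably still pass and silently pick an unrelated argument, so rejecting overflow where the number is parsed would close the gap at its source. The same reasoning applies to the `efix > 0` test added in the second sv.c hunk. A comment on the guard would help the next reader, for example `/* explicit index comes from the format string and may have wrapped negative */`. Perl_sv_vcatpvfn starts and ends outside both hunks.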
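Review bot: The second sv.c hunk still tests `efix` twice, once in the `else if` condition and again inside `svargs[efix ? efix-1 : svix++]`, whereas the first hunk separated the equivalent `evix` logic into explicit branches. With the range check and the index in two separate expressions, a later edit to one can drift from the other without the compiler noticing. Writing the assignment as `vecsv = efix ? svargs[efix-1] : svargs[svix++];` at least makes the two cases read the same way as in the first hunk. The branch taken when the check fails is outside the hunk, so a fuller split into `if (efix) ... else ...` would need that code in view.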
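Review bot: The two cases added to t/op/sprintf.t give no hint why 2918905856 was chosen. It is larger than 2**31, so it exercises the negative-index path only if the parsed index is held in a 32-bit signed integer, which is an assumption because the declaration is not on this page. If the table accepts a trailing remark column (not visible here), a short one such as `>explicit index wraps negative<` would record the intent. A companion pair using an index just above the argument count would also pin the ordinary out-of-range path for both vector forms.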