--- perl-5.8.7/t/op/sprintf2.t.CVE-2005-3962-bz174684	2004-02-09 16:37:13.000000000 -0500
+++ perl-5.8.7/t/op/sprintf2.t	2005-12-01 13:11:34.000000000 -0500
@@ -6,7 +6,7 @@
     require './test.pl';
 }   
 
-plan tests => 3;
+plan tests => 6;
 
 is(
     sprintf("%.40g ",0.01),
@@ -26,3 +26,20 @@
 		q(width calculation under utf8 upgrade)
 	);
 }
+# check %NNN$ for range bounds, especially negative 2's complement
+{
+    my ($warn, $bad) = (0,0);
+    local $SIG{__WARN__} = sub {
+       if ($_[0] =~ /uninitialized/) {
+           $warn++
+       }
+       else {
+           $bad++
+       }
+    };
+    my $result = sprintf join('', map("%$_\$s%" . ~$_ . '$s', 1..20)),
+       qw(a b c d);
+    is($result, "abcd", "only four valid values");
+    is($warn, 36, "expected warnings");
+    is($bad,   0, "unexpected warnings");
+}
--- perl-5.8.7/sv.c.CVE-2005-3962-bz174684	2005-05-27 06:38:11.000000000 -0400
+++ perl-5.8.7/sv.c	2005-12-01 13:11:14.000000000 -0500
@@ -8707,9 +8707,10 @@
 
 	if (vectorize)
 	    argsv = vecsv;
-	else if (!args)
-	    argsv = (efix ? efix <= svmax : svix < svmax) ?
-		    svargs[efix ? efix-1 : svix++] : &PL_sv_undef;
+	else if (!args) {
+	    I32 i = efix ? efix-1 : svix++;
+	    argsv = (i >= 0 && i < svmax) ? svargs[i] : &PL_sv_undef;
+	}
 
 	switch (c = *q++) {