commit b11b0d3ef18a35595a07a06c91fa4f27c9cacf5b
Author: Andy Dougherty <doughera@lafayette.edu>
Date:   Thu Sep 27 09:52:18 2012 -0400

    avoid calling memset with a negative count
    
    Poorly written perl code that allows an attacker to specify the count to
    perl's 'x' string repeat operator can already cause a memory exhaustion
    denial-of-service attack. A flaw in versions of perl before 5.15.5 can
    escalate that into a heap buffer overrun; coupled with versions of glibc
    before 2.16, it possibly allows the execution of arbitrary code.
    
    The flaw addressed to this commit has been assigned identifier
    CVE-2012-5195.

diff --git a/util.c b/util.c
index 171456f..34f5fa9 100644
--- a/util.c
+++ b/util.c
@@ -3416,6 +3416,9 @@ Perl_repeatcpy(register char *to, register const char *from, I32 len, register I
 {
     PERL_ARGS_ASSERT_REPEATCPY;
 
+    if (count < 0)
+	Perl_croak_nocontext("%s",PL_memory_wrap);
+
     if (len == 1)
 	memset(to, *from, count);
     else if (count) {