yeah it returns one, but the tx is still valid in the blockchain. i know it's a big wtf.
the actual hash looks like 00 00 00 ... 00 01 (last byte is 0x01 but all the rest is 0x00).
Now we've found the first and only way to test the execution of the line:
// Drop the signature, since there's no way for a signature to sign itself
scriptCode.FindAndDelete(CScript(vchSig));
(for which I thought it would be impossible to ever test in a live transaction)
Since the hash "00 .. 01" does not depend on the script hash that spends the output, you can create a scriptpub that actually includes the signature of the hash "00 .. 01" in the script.
For example:
<sig("00 .. 01")> OP_DROP OP_DUP OP_HASH160 <pubKeyHash> OP_EQUALVERIFY OP_CHECKSIG
Will result in <sig("00 .. 01")> being stripped from the script when the output transaction is redeem by a SIGHASH_SINGLE signature with an out-of-bounds nOut.
Nevertheless since it won't affect in any way the outcome of the signature checking, you'll only be checking if that execution path aborts with an exception or continues normally.