From 0f11007c197ec7b93228cdbef70d5fc052a01edf Mon Sep 17 00:00:00 2001
From: umanamente
Date: Tue, 21 Jun 2016 22:42:46 +0200
Subject: [PATCH] Fixed #7083 (false positive: typedef and initialization with strings)

---
 lib/checkbufferoverrun.cpp | 17 +++++++++++------
 test/testbufferoverrun.cpp | 14 ++++++++++++++
 2 files changed, 25 insertions(+), 6 deletions(-)

diff --git a/lib/checkbufferoverrun.cpp b/lib/checkbufferoverrun.cpp
index 4a503383e..c3b64d644 100644
--- a/lib/checkbufferoverrun.cpp
+++ b/lib/checkbufferoverrun.cpp
@@ -1502,15 +1502,20 @@ void CheckBufferOverrun::bufferOverrun2()
             varname = tok->str();
 
 
+        const Variable * const var = tok->variable();
+        if (!var)
+            continue;
+
         const Token * const strtoken = tok->getValueTokenMinStrSize();
-        if (strtoken) {
+        if (strtoken && !var->isArray()) {
+            // TODO: check for access to symbol inside the array bounds, but outside the stored string:
+            // char arr[10] = "123";
+            // arr[7] = 'x'; // warning: arr[7] is inside the array bounds, but past the string's end
+
             ArrayInfo arrayInfo(tok->varId(), varname, 1U, Token::getStrSize(strtoken));
             valueFlowCheckArrayIndex(tok->next(), arrayInfo);
-        }
-
-        else {
-            const Variable * const var = tok->variable();
-            if (!var || var->nameToken() == tok || !var->isArray())
+        } else {
+            if (var->nameToken() == tok || !var->isArray())
                 continue;
 
             // TODO: last array in struct..
diff --git a/test/testbufferoverrun.cpp b/test/testbufferoverrun.cpp
index d05b754a1..df5fb440f 100644
--- a/test/testbufferoverrun.cpp
+++ b/test/testbufferoverrun.cpp
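Review bot: The early `if (!var) continue;` added at the top of the hunk also skips the string-size check for a token that has a `getValueTokenMinStrSize()` value but no `Variable`, a path the old code still took because `if (strtoken)` ran before the `tok->variable()` lookup. If such tokens can occur, this silently narrows what the checker reports; if the narrowing is intended, say so in a comment next to the guard. To keep the old coverage while still fixing #7083, guard only the array case: `if (strtoken && (!var || !var->isArray())) {` and in the else branch `if (!var || var->nameToken() == tok || !var->isArray()) continue;`, dropping the separate `if (!var) continue;`. The TODO already records that writes past the stored string but inside the array bounds are no longer reported for real arrays, so that detection gap is at least documented. bufferOverrun2's body begins and ends outside the hunk.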
@@ -164,6 +164,7 @@ private:
         TEST_CASE(buffer_overrun_26); // #4432 (segmentation fault)
         TEST_CASE(buffer_overrun_27); // #4444 (segmentation fault)
         TEST_CASE(buffer_overrun_28); // Out of bound char array access
+        TEST_CASE(buffer_overrun_29); // #7083: false positive: typedef and initialization with strings
         TEST_CASE(buffer_overrun_bailoutIfSwitch); // ticket #2378 : bailoutIfSwitch
         TEST_CASE(buffer_overrun_function_array_argument);
         TEST_CASE(possible_buffer_overrun_1); // #3035
@@ -2475,6 +2476,19 @@ private:
         ASSERT_EQUALS("", errout.str());
     }
 
+
+    // #7083: false positive: typedef and initialization with strings
+    void buffer_overrun_29() {
+        check("typedef char testChar[10]; \n"
+              "int main(){ \n"
+              " testChar tc1 = \"\"; \n"
+              " tc1[5]='a'; \n"
+              "} \n"
+             );
+        ASSERT_EQUALS("", errout.str());
+    }
+
+
     void buffer_overrun_bailoutIfSwitch() {
         // No false positive
         check("void f1(char *s) {\n"
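Review bot: buffer_overrun_29 only asserts that no diagnostic is emitted for the in-bounds write `tc1[5]='a';`; nothing in the hunk confirms that the out-of-bounds check still fires for a typedef'd, string-initialised array now that the `isArray()` case is routed to the dimension check instead of the string-size check. A second `check(...)` in the same test body using `" tc1[10]='a'; \n"` followed by an `ASSERT_EQUALS` on the expected out-of-bounds message would pin both sides of the fix and guard against the detection path regressing later. The registration line in the earlier `@@ -164,6` hunk needs no change.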