diff --git a/lib/exprengine.cpp b/lib/exprengine.cpp
index da2aa1268..095730651 100644
--- a/lib/exprengine.cpp
+++ b/lib/exprengine.cpp
@@ -1635,6 +1635,19 @@ static ExprEngine::ValuePtr getValueRangeFromValueType(const std::string &name,
 
 static ExprEngine::ValuePtr getValueRangeFromValueType(const ValueType *valueType, Data &data)
 {
+    if (valueType && valueType->pointer) {
+        ExprEngine::ValuePtr val;
+        if (valueType->pointer == 0 && valueType->isIntegral()) {
+            ValueType datatype(*valueType);
+            datatype.pointer = 0;
+            val = getValueRangeFromValueType(data.getNewSymbolName(), &datatype, *data.settings);
+        }
+        if (!val)
+            val = std::make_shared<ExprEngine::BailoutValue>();
+        auto bufferSize = std::make_shared<ExprEngine::IntRange>(data.getNewSymbolName(), 1, ExprEngine::ArrayValue::MAXSIZE);
+        return std::make_shared<ExprEngine::ArrayValue>(data.getNewSymbolName(), bufferSize, val, true, true, false);
+    }
+
     if (!valueType || valueType->pointer)
         return ExprEngine::ValuePtr();
     if (valueType->container) {
@@ -1837,11 +1850,10 @@ static ExprEngine::ValuePtr executeAssign(const Token *tok, Data &data)
             if (rhsValue)
                 call(data.callbacks, tok->astOperand2(), rhsValue, &data);
         }
+        if (!rhsValue)
+            rhsValue = std::make_shared<ExprEngine::BailoutValue>();
     }
 
-    if (!rhsValue)
-        rhsValue = std::make_shared<ExprEngine::BailoutValue>();
-
     ExprEngine::ValuePtr assignValue;
     if (tok->str() == "=")
         assignValue = rhsValue;
diff --git a/test/testexprengine.cpp b/test/testexprengine.cpp
index 774df1d0c..948f99e5d 100644
--- a/test/testexprengine.cpp
+++ b/test/testexprengine.cpp
@@ -98,6 +98,7 @@ private:
         TEST_CASE(functionCall2);
         TEST_CASE(functionCall3);
         TEST_CASE(functionCall4);
+        TEST_CASE(functionCall5);
 
         TEST_CASE(functionCallContract1);
 
@@ -724,6 +725,14 @@ private:
         ASSERT_EQUALS("1:2147483647", getRange("void f() { sizeof(data); }", "sizeof(data)"));
     }
 
+    void functionCall5() { // unknown result from function, pointer type..
+        ASSERT_EQUALS("1:36: $3=ArrayValue([$2],[:]=bailout,null)\n"
+                      "1:36: $2=IntRange(1:2147483647)\n"
+                      "1:36: bailout=BailoutValue(bailout)\n"
+                      "1:46: 0:memory:{p=($3,[$2],[:]=bailout)}\n",
+                      trackExecution("char *foo(int); void bar() { char *p = foo(1); }"));
+    }
+
     void functionCallContract1() {
         const char code[] = "void foo(int x);\n"
                             "void bar(unsigned short x) { foo(x); }";