diff --git a/lib/programmemory.cpp b/lib/programmemory.cpp
index 1dd612fb0..6f450205e 100644
--- a/lib/programmemory.cpp
+++ b/lib/programmemory.cpp
@@ -354,9 +354,8 @@ void ProgramMemoryState::replace(const ProgramMemory &pm, const Token* origin)
     state.replace(pm);
 }
 
-void ProgramMemoryState::addState(const Token* tok, const ProgramMemory::Map& vars)
+static void addVars(ProgramMemory& pm, const ProgramMemory::Map& vars)
 {
-    ProgramMemory pm = state;
     for (const auto& p:vars) {
         nonneg int exprid = p.first;
         const ValueFlow::Value &value = p.second;
@@ -364,9 +363,16 @@ void ProgramMemoryState::addState(const Token* tok, const ProgramMemory::Map& va
         if (value.varId)
             pm.setIntValue(value.varId, value.varvalue);
     }
+}
+
+void ProgramMemoryState::addState(const Token* tok, const ProgramMemory::Map& vars)
+{
+    ProgramMemory pm = state;
+    addVars(pm, vars);
     fillProgramMemoryFromConditions(pm, tok, settings);
     ProgramMemory local = pm;
     fillProgramMemoryFromAssignments(pm, tok, local, vars);
+    addVars(pm, vars);
     replace(pm, tok);
 }
 
diff --git a/lib/reverseanalyzer.cpp b/lib/reverseanalyzer.cpp
index 84df4a535..87e7f0355 100644
--- a/lib/reverseanalyzer.cpp
+++ b/lib/reverseanalyzer.cpp
@@ -133,6 +133,8 @@ struct ReverseTraversal {
             }
             if (tok != parent->astOperand2())
                 continue;
+            if (Token::simpleMatch(parent, ":"))
+                parent = parent->astParent();
             if (!Token::Match(parent, "%oror%|&&|?"))
                 continue;
             Token* condTok = parent->astOperand1();
diff --git a/test/testnullpointer.cpp b/test/testnullpointer.cpp
index dc5c18c12..b16fdfc3a 100644
--- a/test/testnullpointer.cpp
+++ b/test/testnullpointer.cpp
@@ -130,6 +130,7 @@ private:
         TEST_CASE(nullpointer88); // #9949
         TEST_CASE(nullpointer89); // #10640
         TEST_CASE(nullpointer90); // #6098
+        TEST_CASE(nullpointer91); // #10678
         TEST_CASE(nullpointer_addressOf); // address of
         TEST_CASE(nullpointerSwitch); // #2626
         TEST_CASE(nullpointer_cast); // #4692
@@ -2666,6 +2667,18 @@ private:
             errout.str());
     }
 
+    void nullpointer91() // #10678
+    {
+        check("void f(const char* PBeg, const char* PEnd) {\n"
+              "  while (PEnd != nullptr) {\n"
+              "    const int N = h(PEnd);\n"
+              "    PEnd = g();\n"
+              "    const int Length = PEnd == nullptr ? 0 : PEnd - PBeg;\n"
+              "  };\n"
+              "}\n");
+        ASSERT_EQUALS("", errout.str());
+    }
+
     void nullpointer_addressOf() { // address of
         check("void f() {\n"
               "  struct X *x = 0;\n"