diff --git a/lib/checknullpointer.cpp b/lib/checknullpointer.cpp
index b234eca4e..90711282b 100644
--- a/lib/checknullpointer.cpp
+++ b/lib/checknullpointer.cpp
@@ -1208,7 +1208,7 @@ private:
             if (Token::Match(tok.previous(), "[;{}=] %var% = 0 ;"))
                 setnull(checks, tok.varId());
             else if (!deref &&
-                     !tok.previous()->isOp() && !tok.previous()->isAssignmentOp() &&
+                     (!tok.previous()->isOp() || tok.previous()->str() == "&") && !tok.previous()->isAssignmentOp() &&
                      (!tok.next()->isOp() || tok.next()->str() == ">>"))
                 bailOutVar(checks, tok.varId()); // If its possible that the pointers value changes, bail out.
         }
diff --git a/test/testnullpointer.cpp b/test/testnullpointer.cpp
index 325296014..50452334f 100644
--- a/test/testnullpointer.cpp
+++ b/test/testnullpointer.cpp
@@ -49,6 +49,7 @@ private:
         TEST_CASE(nullpointer13); // ticket #1708
         TEST_CASE(nullpointer14);
         TEST_CASE(nullpointer15); // #3560 (fp: return p ? f(*p) : f(0))
+        TEST_CASE(nullpointer16); // #3591
         TEST_CASE(pointerCheckAndDeRef);     // check if pointer is null and then dereference it
         TEST_CASE(nullConstantDereference);  // Dereference NULL constant
         TEST_CASE(gcc_statement_expression); // Don't crash
@@ -1200,6 +1201,15 @@ private:
         ASSERT_EQUALS("", errout.str());
     }
 
+    void nullpointer16() {  // #3591
+        check("void foo() {\n"
+              "    int *p = 0;\n"
+              "    bar(&p);\n"
+              "    *p = 0;\n"
+              "}");
+        ASSERT_EQUALS("", errout.str());
+    }
+
     // Check if pointer is null and the dereference it
     void pointerCheckAndDeRef() {
         check("void foo(char *p) {\n"