From 32d96104d6151617ab63113a24238a465ff99e50 Mon Sep 17 00:00:00 2001
From: Paul Fultz II
Date: Wed, 7 Sep 2022 12:16:07 -0500
Subject: [PATCH] Fix 6370: ValueFlow: array element with known value (#4447)
* Fix 6370: ValueFlow: array element with known value
* Format
* Move comment
---
 lib/valueflow.cpp | 8 ++++++--
 test/testbufferoverrun.cpp | 13 +++++++++++++
 2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/lib/valueflow.cpp b/lib/valueflow.cpp
index 578909e99..078b65706 100644
--- a/lib/valueflow.cpp
+++ b/lib/valueflow.cpp
@@ -1433,16 +1433,20 @@ static void valueFlowArrayElement(TokenList* tokenlist, const Settings* settings
 for (const ValueFlow::Value& arrayValue : arrayTok->values()) {
 if (!arrayValue.isTokValue())
 continue;
+ if (arrayValue.isImpossible())
+ continue;
 for (const ValueFlow::Value& indexValue : indexTok->values()) {
 if (!indexValue.isIntValue())
 continue;
- if (arrayValue.varId != 0 && indexValue.varId != 0 &&
+ if (indexValue.isImpossible())
+ continue;
+ if (!arrayValue.isKnown() && !indexValue.isKnown() && arrayValue.varId != 0 && indexValue.varId != 0 &&
 !(arrayValue.varId == indexValue.varId && arrayValue.varvalue == indexValue.varvalue))
 continue;
 ValueFlow::Value result(0);
 result.condition = arrayValue.condition ? arrayValue.condition : indexValue.condition;
- result.setInconclusive(arrayValue.isInconclusive() | indexValue.isInconclusive());
+ result.setInconclusive(arrayValue.isInconclusive() || indexValue.isInconclusive());
 result.varId = (arrayValue.varId != 0) ? arrayValue.varId : indexValue.varId;
 result.varvalue = (result.varId == arrayValue.varId) ? arrayValue.intvalue : indexValue.intvalue;
 if (arrayValue.valueKind == indexValue.valueKind)
diff --git a/test/testbufferoverrun.cpp b/test/testbufferoverrun.cpp
index 7bd86d11e..aafeb3eaa 100644
--- a/test/testbufferoverrun.cpp
+++ b/test/testbufferoverrun.cpp
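Review bot: The widened condition `!arrayValue.isKnown() && !indexValue.isKnown() && ...` carries no comment explaining why a known value may skip the varId/varvalue correlation check, and the unchanged lines after it still read as if the two values agree. When one side is known and both carry different non-zero varIds, `result.varId` and `result.varvalue` are taken from arrayValue alone, so the index value's dependency is dropped from the result. Whether that can make a later out-of-bounds diagnostic describe the wrong variable state should be confirmed. I would add above the condition: `// A known value does not depend on the other value's variable, so varId correlation is only required when neither value is known.` The body of valueFlowArrayElement starts before this hunk and continues after it.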
@@ -194,6 +194,7 @@ private:
 TEST_CASE(array_index_66); // #10740
 TEST_CASE(array_index_67); // #1596
 TEST_CASE(array_index_68); // #6655
+ TEST_CASE(array_index_69); // #6370
 TEST_CASE(array_index_multidim);
 TEST_CASE(array_index_switch_in_for);
 TEST_CASE(array_index_for_in_for); // FP: #2634
@@ -1889,6 +1890,18 @@ private:
 ASSERT_EQUALS("[test.cpp:4]: (error) Array 'ia[10]' accessed at index 19, which is out of bounds.\n", errout.str());
 }
+ // #6370
+ void array_index_69()
+ {
+ check("void f() {\n"
+ " const int e[] = {0,10,20,30};\n"
+ " int a[4];\n"
+ " for(int i = 0; i < 4; ++i)\n"
+ " a[e[i]] = 0;\n"
+ "}\n");
+ ASSERT_EQUALS("[test.cpp:5]: (error) Array 'a[4]' accessed at index 30, which is out of bounds.\n", errout.str());
+ }
+
 void array_index_multidim() {
 check("void f()\n"
 "{\n"
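Review bot: array_index_69 pins only the out-of-bounds case, so nothing guards against the relaxed known-value matching in valueFlowArrayElement reporting an index that is actually in range. A companion check inside the same test, using a constant table whose elements are all valid indexes for `a` and asserting an empty `errout`, would catch a false positive if that condition is loosened further. The case below is constructed for illustration and has not been run against this revision.

```cpp
// … unchanged: the existing check() and ASSERT_EQUALS for index 30 …
// constructed companion case: every element of e is a valid index into a
check("void f() {\n"
      "    const int e[] = {0,1,2,3};\n"
      "    int a[4];\n"
      "    for(int i = 0; i < 4; ++i)\n"
      "        a[e[i]] = 0;\n"
      "}\n");
ASSERT_EQUALS("", errout.str());
```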