Fix #2840, False positive: Null pointer dereference

http://sourceforge.net/apps/trac/cppcheck/ticket/2840

lib/checknullpointer.cpp

@@ -103,7 +103,9 @@ void CheckNullPointer::parseFunctionCall(const Token &tok, std::list<const Token
     {
         if (functionNames1.find(tok.str()) != functionNames1.end())
             var.push_back(tok.tokAt(2));
-        else if (value == 0 && Token::Match(&tok, "memchr|memcmp|memcpy|memmove|memset|strcpy|printf|sprintf|snprintf"))
+        else if (value == 0 && Token::Match(&tok, "memchr|memcmp|memcpy|memmove|memset|strcpy|printf|sprintf"))
+            var.push_back(tok.tokAt(2));
+        else if (value == 0 && Token::simpleMatch(&tok, "snprintf") && tok.strAt(4) != "0")
             var.push_back(tok.tokAt(2));
         else if (value != 0 && Token::simpleMatch(&tok, "fflush"))
             var.push_back(tok.tokAt(2));

test/testnullpointer.cpp

@@ -49,6 +49,8 @@ private:
         TEST_CASE(pointerCheckAndDeRef);	// check if pointer is null and then dereference it
         TEST_CASE(nullConstantDereference);		// Dereference NULL constant
         TEST_CASE(gcc_statement_expression);    // Don't crash
+        TEST_CASE(snprintf_with_zero_size);
+        TEST_CASE(snprintf_with_non_zero_size);
     }
 
     void check(const char code[])
@@ -1175,6 +1177,24 @@ private:
               "}");
         ASSERT_EQUALS("", errout.str());
     }
+
+    void snprintf_with_zero_size()
+    {
+        // Ticket #2840
+        check("void f() {\n"
+              "    int bytes = snprintf(0, 0, \"%u\", 1);\n"
+              "}");
+        ASSERT_EQUALS("", errout.str());
+    }
+
+    void snprintf_with_non_zero_size()
+    {
+        // Ticket #2840
+        check("void f() {\n"
+              "    int bytes = snprintf(0, 10, \"%u\", 1);\n"
+              "}");
+        ASSERT_EQUALS("[test.cpp:2]: (error) Null pointer dereference\n", errout.str());
+    }
 };
 
 REGISTER_TEST(TestNullPointer)