diff --git a/lib/checkbufferoverrun.cpp b/lib/checkbufferoverrun.cpp index 0978ab222..27c2ab974 100644 --- a/lib/checkbufferoverrun.cpp +++ b/lib/checkbufferoverrun.cpp @@ -700,8 +700,10 @@ void CheckBufferOverrun::checkFunctionParameter(const Token &tok, unsigned int p // If argument is '%type% a[num]' then check bounds against num if (func) { const Variable* argument = func->getArgumentVar(par-1); - if (argument && Token::Match(argument->typeStartToken(), "%type% %var% [ %num% ] [,)[]")) { - const Token *tok2 = argument->nameToken()->next(); + const Token *nameToken; + if (argument && Token::Match(argument->typeStartToken(), "%type% %var% [ %num% ] [,)[]") + && (nameToken = argument->nameToken()) != NULL) { + const Token *tok2 = nameToken->next(); MathLib::bigint argsize = _tokenizer->sizeOfType(argument->typeStartToken()); if (argsize == 100) // unknown size diff --git a/test/testbufferoverrun.cpp b/test/testbufferoverrun.cpp index d1d339681..ca50d7130 100644 --- a/test/testbufferoverrun.cpp +++ b/test/testbufferoverrun.cpp @@ -159,6 +159,7 @@ private: TEST_CASE(buffer_overrun_24); // #4106 TEST_CASE(buffer_overrun_25); // #4096 TEST_CASE(buffer_overrun_26); // #4432 (segmentation fault) + TEST_CASE(buffer_overrun_27); // #4444 (segmentation fault) TEST_CASE(buffer_overrun_bailoutIfSwitch); // ticket #2378 : bailoutIfSwitch TEST_CASE(buffer_overrun_function_array_argument); TEST_CASE(possible_buffer_overrun_1); // #3035 @@ -2646,6 +2647,16 @@ private: ASSERT_EQUALS("", errout.str()); } + void buffer_overrun_27() { // ticket #4444 (segmentation fault) + check("void abc(struct foobar[5]);\n" + "void main() {\n" + "struct foobar x[5];\n" + "abc(x);\n" + "}"); + + ASSERT_EQUALS("", errout.str()); + } + void buffer_overrun_bailoutIfSwitch() { // No false positive check("void f1(char *s) {\n"
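Review bot: In the lib/checkbufferoverrun.cpp hunk, `nameToken` is declared uninitialized and only assigned as a side effect of the third conjunct of the `if`. This is correct today because of short-circuiting, but any later use outside the `if` body would read an indeterminate pointer. I would initialize it up front and test it first: `const Token * const nameToken = argument ? argument->nameToken() : NULL;` followed by `if (nameToken && Token::Match(argument->typeStartToken(), "%type% %var% [ %num% ] [,)[]")) {`. A short comment such as `// nameToken() is NULL for an unnamed parameter, e.g. 'void abc(struct foobar[5])' (#4444)` would record why the guard exists; presumably the pattern matches `struct foobar [ 5 ]` by taking the struct tag as `%var%`. checkFunctionParameter starts and ends outside the hunk, so other `nameToken()` dereferences in it cannot be checked from here.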
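Review bot: `buffer_overrun_27` does not say what makes the input special; the only hint is "(segmentation fault)" in the trailing comment. A line such as `// parameter of abc() is unnamed, so Variable::nameToken() is NULL` above the `check(` call would make the regression's trigger obvious to the next reader. The test also passes an array of exactly the declared size, so it pins down only the absence of a crash. A companion case with a smaller array (for example `struct foobar x[3];`) would document whether the bounds check is now silently skipped for unnamed parameters.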