Fixed crash in CheckBufferOverrun on garbage code (#5595)

2014-03-21 13:20:44 +01:00 · 2014-03-21 13:20:44 +01:00 · 49b25b05d9
parent 1efcd670a1
commit 49b25b05d9
2 changed files with 6 additions and 1 deletions
--- a/lib/checkbufferoverrun.cpp
+++ b/lib/checkbufferoverrun.cpp
@ -273,7 +273,7 @@ static bool bailoutIfSwitch(const Token *tok, const unsigned int varid)
        end = end->linkAt(2);
    if (Token::simpleMatch(end, "{")) // Ticket #5203: Invalid code, bailout
        return true;
-    for (; tok != end; tok = tok->next()) {
+    for (; tok && tok != end; tok = tok->next()) {
        // If scanning a "if" block then bailout for "break"
        if (is_if && (tok->str() == "break" || tok->str() == "continue"))
            return true;
--- a/test/testbufferoverrun.cpp
+++ b/test/testbufferoverrun.cpp
@ -240,6 +240,7 @@ private:
        TEST_CASE(crash2);  // Ticket #2607 - crash
        TEST_CASE(crash3);  // Ticket #3034 - crash
        TEST_CASE(crash4);  // Ticket #5426 - crash
+        TEST_CASE(crash5);  // TIcket #5595 - crash

        TEST_CASE(garbage1);  // Ticket #5203

@ -3673,6 +3674,10 @@ private:
              "void d() { struct b *f; f = malloc(108); }");
    }

+    void crash5() {
+        check("static f() { int i; int source[1] = { 1 }; for (i = 0; i < 4; i++) (u, if (y u.x e)) }"); // Garbage code
+    }
+
    void garbage1() { // Ticket #5203
        check("int f ( int* r ) { {  int s[2] ; f ( s ) ; if ( ) } }");
    }