From 518a495334bcb00dba99db1514bc8c235cecf396 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20Marjam=C3=A4ki?=
Date: Sat, 12 Feb 2011 18:34:12 +0100
Subject: [PATCH] Fixed #2576 (False positive: (error) Buffer access out-of-bounds)
---
 lib/checkbufferoverrun.cpp | 2 +-
 test/testbufferoverrun.cpp | 30 ++++++++++++++++++++++++++++++
 2 files changed, 31 insertions(+), 1 deletion(-)
diff --git a/lib/checkbufferoverrun.cpp b/lib/checkbufferoverrun.cpp
index a0f417975..85963c36e 100644
--- a/lib/checkbufferoverrun.cpp
+++ b/lib/checkbufferoverrun.cpp
@@ -791,7 +791,7 @@ void CheckBufferOverrun::checkScopeForBody(const Token *tok, const ArrayInfo &ar
 return;
 // Get index variable and stopsize.
- bool condition_out_of_bounds = true;
+ bool condition_out_of_bounds = bool(size > 0);
 if (MathLib::toLongNumber(max_counter_value) < size)
 condition_out_of_bounds = false;
diff --git a/test/testbufferoverrun.cpp b/test/testbufferoverrun.cpp
index d7137ee35..4111dfa50 100644
--- a/test/testbufferoverrun.cpp
+++ b/test/testbufferoverrun.cpp
@@ -135,6 +135,7 @@ private:
 TEST_CASE(buffer_overrun_15); // ticket #1787
 TEST_CASE(buffer_overrun_16);
 TEST_CASE(buffer_overrun_17); // ticket #2548
+ TEST_CASE(buffer_overrun_18); // ticket #2576 - for, calculation with loop variable
 TEST_CASE(buffer_overrun_bailoutIfSwitch); // ticket #2378 : bailoutIfSwitch
 // It is undefined behaviour to point out of bounds of an array
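Review bot: The new initializer `bool condition_out_of_bounds = bool(size > 0);` in lib/checkbufferoverrun.cpp switches the loop-bound overrun report off whenever `size` is not positive, and nothing at that line says what a non-positive `size` stands for. The second case added to `buffer_overrun_18` (`i<7` with `b[i+1]` on `bool b[7]`) is recorded as a TODO with an empty current result, so a real overrun of this shape currently goes unreported; for a buffer-overrun checker that trade-off deserves a comment where it is made, for example `// size <= 0: array size not usable here, so do not report from the loop bound alone (#2576)`, with the wording adjusted to whatever `size` really means. The cast is redundant as well: `bool condition_out_of_bounds = (size > 0);` is equivalent. `checkScopeForBody` begins and ends outside the hunk, so where `size` is computed is not visible.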
@@ -1883,6 +1884,35 @@ private:
 ASSERT_EQUALS("[test.cpp:3]: (error) Buffer access out-of-bounds\n", errout.str());
 }
+ void buffer_overrun_18() // ticket #2576
+ {
+ check("class A {\n"
+ " void foo();\n"
+ " bool b[7];\n"
+ "};\n"
+ "\n"
+ "void A::foo() {\n"
+ " for (int i=0; i<6; i++) {\n"
+ " b[i] = b[i+1];\n"
+ " }\n"
+ "}\n");
+ ASSERT_EQUALS("", errout.str());
+
+ check("class A {\n"
+ " void foo();\n"
+ " bool b[7];\n"
+ "};\n"
+ "\n"
+ "void A::foo() {\n"
+ " for (int i=0; i<7; i++) {\n"
+ " b[i] = b[i+1];\n"
+ " }\n"
+ "}\n");
+ TODO_ASSERT_EQUALS("error", // wanted result
+ "", // current result
+ errout.str());
+ }
+
 void buffer_overrun_bailoutIfSwitch()
 {
 // No false positive
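Review bot: The wanted value in `TODO_ASSERT_EQUALS("error", ...)` at the end of `buffer_overrun_18` is a placeholder rather than the message the checker would print, so the TODO does not pin what a fixed checker must produce. The neighbouring assertion at the top of the hunk uses the full form, and the same shape here would presumably be `"[test.cpp:8]: (error) Buffer access out-of-bounds\n"` (line 8 is `b[i] = b[i+1];` in the snippet); confirm the exact text against the checker's output. A one-line comment above the second `check(` call, such as `// i<7: b[i+1] reads b[7], one past the end - not detected yet`, would also make the known false negative easy to find.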