diff --git a/lib/ctu.cpp b/lib/ctu.cpp
index 9981c6c80..ee9cf829a 100644
--- a/lib/ctu.cpp
+++ b/lib/ctu.cpp
@@ -365,7 +365,8 @@ CTU::FileInfo *CTU::getFileInfo(const Tokenizer *tokenizer)
 functionCall.location = FileInfo::Location(tokenizer, tok);
 functionCall.callArgNr = argnr + 1;
 functionCall.callArgumentExpression = argtok->expressionString();
- functionCall.callArgValue = argtok->variable()->dimension(0) * argtok->valueType()->typeSize(*tokenizer->getSettings());
+ const auto typeSize = argtok->valueType()->typeSize(*tokenizer->getSettings());
+ functionCall.callArgValue = typeSize > 0 ? argtok->variable()->dimension(0) * typeSize : -1;
 functionCall.warning = false;
 fileInfo->functionCalls.push_back(std::move(functionCall));
 }
@@ -528,7 +529,7 @@ static bool findPath(const std::string &callId,
 case CTU::FileInfo::InvalidValueType::bufferOverflow:
 if (functionCall->callValueType != ValueFlow::Value::ValueType::BUFFER_SIZE)
 continue;
- if (unsafeValue < 0 || unsafeValue >= functionCall->callArgValue)
+ if (unsafeValue < 0 || (unsafeValue >= functionCall->callArgValue && functionCall->callArgValue >= 0))
 break;
 continue;
 }
diff --git a/test/testbufferoverrun.cpp b/test/testbufferoverrun.cpp
index a15e5cb81..7cddfd28e 100644
--- a/test/testbufferoverrun.cpp
+++ b/test/testbufferoverrun.cpp
@@ -5236,6 +5236,13 @@ private:
 "}\n");
 ASSERT_EQUALS("[test.cpp:4] -> [test.cpp:1]: (error) Array index out of bounds; 'argv' buffer size is 1 and it is accessed at offset 5.\n", errout.str());
+
+ ctu("void g(int *b) { b[0] = 0; }\n"
+ "void f() {\n"
+ " GLint a[1];\n"
+ " g(a);\n"
+ "}\n");
+ ASSERT_EQUALS("", errout.str());
 }
 void ctu_variable() {
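Review bot: The `-1` written into `functionCall.callArgValue` on the second added line of the getFileInfo hunk is a new "buffer size unknown" sentinel, and nothing at the producer says so; the only reader that knows is the `callArgValue >= 0` test in the findPath hunk, and a future consumer of `callArgValue` that compares without that guard will silently treat every unresolved element type as a zero-byte buffer. A comment at the assignment would make the contract explicit, e.g. `// element size unresolved (typeSize == 0, e.g. a typedef from an unparsed header): store -1 so findPath() skips the bounds comparison instead of reporting against a 0-byte buffer`, and ideally the same meaning documented on the `callArgValue` member itself. Note that the guard only covers `typeSize`: if `dimension(0)` is itself 0 for an array of unknown extent, the product is 0 and the findPath check still fires for any non-negative offset — presumably pre-existing behaviour, but worth a look given this change is about suppressing exactly that kind of false positive. The same sentinel is consumed in the findPath hunk below; this note covers both.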
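Review bot: In the findPath hunk the changed condition puts the "is the size known" guard after the comparison it protects, so the line reads as a range check on `callArgValue` rather than as an opt-out for the unknown-size sentinel; swapping the operands makes the intent visible at a glance: `if (unsafeValue < 0 || (functionCall->callArgValue >= 0 && unsafeValue >= functionCall->callArgValue))`. Since this is the one place that decides whether a cross-TU overflow is reported, it is also worth keeping the negative-index branch (`unsafeValue < 0`) reporting regardless of the sentinel, as the new code does, and saying so in a short comment. The enclosing `switch` and findPath's body continue outside the hunk.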