From 68b26f8faa07d313f00c219c5ab149b86c2b07a7 Mon Sep 17 00:00:00 2001
From: PKEuS
Date: Mon, 29 Sep 2014 15:38:33 +0200
Subject: [PATCH] Fixed subsequent false negatives in CheckBufferOverrun::checkInsecureCmdLineArgs() (#5835)
---
 lib/checkbufferoverrun.cpp | 8 ++++----
 test/testbufferoverrun.cpp | 9 +++++++++
 2 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/lib/checkbufferoverrun.cpp b/lib/checkbufferoverrun.cpp
index 5e2800ac0..b1c55f591 100644
--- a/lib/checkbufferoverrun.cpp
+++ b/lib/checkbufferoverrun.cpp
@@ -1613,10 +1613,7 @@ void CheckBufferOverrun::checkInsecureCmdLineArgs()
 continue;
 // Jump to the opening curly brace
- tok = tok->next()->link();
- if (!Token::simpleMatch(tok, ") {"))
- continue;
- tok = tok->next();
+ tok = symbolDatabase->functionScopes[i]->classStart;
 // Search within main() for possible buffer overruns involving argv
 for (const Token* end = tok->link(); tok != end; tok = tok->next()) {
@@ -1629,12 +1626,15 @@ void CheckBufferOverrun::checkInsecureCmdLineArgs()
 if (Token::Match(tok, "strcpy|strcat ( %var% , * %varid%", varid) ||
 Token::Match(tok, "strcpy|strcat ( %var% , %varid% [", varid)) {
 cmdLineArgsError(tok);
+ tok = tok->linkAt(1);
 } else if (Token::Match(tok, "sprintf ( %var% , %str% , %varid% [", varid) &&
 tok->strAt(4).find("%s") != std::string::npos) {
 cmdLineArgsError(tok);
+ tok = tok->linkAt(1);
 } else if (Token::Match(tok, "sprintf ( %var% , %str% , * %varid%", varid) &&
 tok->strAt(4).find("%s") != std::string::npos) {
 cmdLineArgsError(tok);
+ tok = tok->linkAt(1);
 }
 }
 }
diff --git a/test/testbufferoverrun.cpp b/test/testbufferoverrun.cpp
index d7a4db38a..d7f00a488 100644
--- a/test/testbufferoverrun.cpp
+++ b/test/testbufferoverrun.cpp
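Review bot: The new `tok = tok->linkAt(1);` is pasted identically into all three branches of the if/else-if chain in the second hunk, which is the kind of duplication that drifts when a fourth call pattern is added; the four Token::Match patterns can be folded into one predicate so that the error report and the skip are written once. The skip also deserves a comment, because the loop header already advances with tok->next() and nothing in the hunk says why jumping to the call's closing parenthesis is needed — presumably the loop body between the two hunks stops scanning when it meets another reference to the argv varid, so landing inside the argument list after reporting would end the scan before a later call is reached; that inference should be confirmed against those lines and then stated next to the skip. checkInsecureCmdLineArgs() begins before this hunk and its closing brace appears to lie after the three braces shown. A folded form of the chain:
```cpp
// … unchanged: loop header and the handling of other argv references above …
const bool unsafeCopy =
    Token::Match(tok, "strcpy|strcat ( %var% , * %varid%", varid) ||
    Token::Match(tok, "strcpy|strcat ( %var% , %varid% [", varid) ||
    ((Token::Match(tok, "sprintf ( %var% , %str% , %varid% [", varid) ||
      Token::Match(tok, "sprintf ( %var% , %str% , * %varid%", varid)) &&
     tok->strAt(4).find("%s") != std::string::npos);
if (unsafeCopy) {
    cmdLineArgsError(tok);
    // Continue after the call's closing parenthesis so the argv token in
    // its argument list is not visited again by this loop.
    tok = tok->linkAt(1);
}
```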
@@ -3980,6 +3980,15 @@ private:
 "}");
 ASSERT_EQUALS("", errout.str());
+
+ // #5835
+ checkstd("int main(int argc, char* argv[]) {\n"
+ " char prog[10];\n"
+ " sprintf(prog, \"%s\", argv[0]);\n"
+ " sprintf(prog, \"%s\", argv[0]);\n"
+ "}");
+ ASSERT_EQUALS("[test.cpp:3]: (error) Buffer overrun possible for long command line arguments.\n"
+ "[test.cpp:4]: (error) Buffer overrun possible for long command line arguments.\n", errout.str());
 }
 void scope() {
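Review bot: The regression test exercises only the sprintf/"%s" branch, while the same `tok = tok->linkAt(1);` skip was added to the strcpy|strcat branch as well; a twin case with two consecutive `strcpy(prog, argv[0]);` calls, expecting the same error on lines 3 and 4, would pin that branch too. The bare `// #5835` comment could say what is being checked, e.g. `// #5835 - a second unsafe argv copy after a reported one must still be reported`. The enclosing test method begins before this hunk.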