Fixed ##3211 (Crash in gitHEAD when arglist count is smaller than format string)

2011-10-16 07:06:18 +02:00 · 2011-10-16 07:06:18 +02:00 · 71a1d98693
parent 8afc1b6f2d
commit 71a1d98693
2 changed files with 38 additions and 2 deletions
--- a/lib/checknullpointer.cpp
+++ b/lib/checknullpointer.cpp
@ -141,18 +141,24 @@ void CheckNullPointer::parseFunctionCall(const Token &tok, std::list<const Token
                if (*i == '%') {
                    percent = !percent;
                } else if (percent && std::isalpha(*i)) {
-                    if (*i == 'n' || *i == 's' || scan) {
+                    if ((*i == 'n' || *i == 's' || scan) && (!scan || value == 0)) {
                        if ((value == 0 && argListTok->str() == "0") || (Token::Match(argListTok, "%var%") && argListTok->varId() > 0)) {
                            var.push_back(argListTok);
                        }
                    }

                    for (; argListTok; argListTok = argListTok->next()) { // Find next argument
+                        if (argListTok->str() == "(")
+                            argListTok = argListTok->link();
+                        if(argListTok == 0)
+                            break;
                        if (argListTok->str() == ",") {
                            argListTok = argListTok->next();
                            break;
                        }
                    }
+                    if(!argListTok)
+                        break;
                    percent = false;
                }
            }
--- a/test/testnullpointer.cpp
+++ b/test/testnullpointer.cpp
@ -1406,8 +1406,38 @@ private:
              "    printf(\"%s\", s);\n"
              "}");
        ASSERT_EQUALS("", errout.str());
+
+        check("void f(char* foo) {\n"
+              "    char location[200];\n"
+              "    int width, height;\n"
+              "    sscanf(imgInfo, \"%s %d %d\", location, &width, &height);\n"
+              "}");
+        ASSERT_EQUALS("", errout.str()); // ticket #3207
+
+        check("void f(char *dummy) {\n"
+              "    int iVal;\n"
+              "    sscanf(dummy, \"%d%c\", &iVal);\n"
+              "}");
+        ASSERT_EQUALS("", errout.str()); // ticket #3211
+
+        check("void f(char *dummy) {\n"
+              "    int* iVal = 0;\n"
+              "    sscanf(dummy, \"%d\", iVal);\n"
+              "}");
+        ASSERT_EQUALS("[test.cpp:3]: (error) Possible null pointer dereference: iVal\n", errout.str());
+
+        check("void f(char *dummy) {\n"
+              "    int* iVal;\n"
+              "    sscanf(dummy, \"%d\", foo(iVal));\n"
+              "}");
+        ASSERT_EQUALS("", errout.str());
+
+        check("void f(char *dummy) {\n"
+              "    int* iVal = 0;\n"
+              "    sscanf(dummy, \"%d%d\", foo(iVal), iVal);\n"
+              "}");
+        ASSERT_EQUALS("[test.cpp:3]: (error) Possible null pointer dereference: iVal\n", errout.str());
    }
 };

 REGISTER_TEST(TestNullPointer)
-