From 71a1d986938a8d37496a2b7200ff1f8dd2944c17 Mon Sep 17 00:00:00 2001 From: PKEuS Date: Sun, 16 Oct 2011 07:06:18 +0200 Subject: [PATCH] Fixed ##3211 (Crash in gitHEAD when arglist count is smaller than format string) --- lib/checknullpointer.cpp | 8 +++++++- test/testnullpointer.cpp | 32 +++++++++++++++++++++++++++++++- 2 files changed, 38 insertions(+), 2 deletions(-) diff --git a/lib/checknullpointer.cpp b/lib/checknullpointer.cpp index 61e99e7b0..5ca5a3159 100644 --- a/lib/checknullpointer.cpp +++ b/lib/checknullpointer.cpp @@ -141,18 +141,24 @@ void CheckNullPointer::parseFunctionCall(const Token &tok, std::liststr() == "0") || (Token::Match(argListTok, "%var%") && argListTok->varId() > 0)) { var.push_back(argListTok); } } for (; argListTok; argListTok = argListTok->next()) { // Find next argument + if (argListTok->str() == "(") + argListTok = argListTok->link(); + if(argListTok == 0) + break; if (argListTok->str() == ",") { argListTok = argListTok->next(); break; } } + if(!argListTok) + break; percent = false; } } diff --git a/test/testnullpointer.cpp b/test/testnullpointer.cpp index f5fda9642..b7225d851 100644 --- a/test/testnullpointer.cpp +++ b/test/testnullpointer.cpp 
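Review bot: The loop in parseFunctionCall that searches for the next argument does not stop at the call's own closing parenthesis. When the argument list is shorter than the format string, it keeps walking the token stream until it reaches a null token or the first top-level `,` after the call. In the second case `argListTok` would point into unrelated code, and the next conversion specifier could push a variable that was never passed to the function into `var`, presumably producing a false null-pointer report. A guard placed ahead of the `(` skip, `if (argListTok->str() == ")") { argListTok = 0; break; }`, would end the search at the end of the call and let the new `if(!argListTok) break;` take over. The function starts and ends outside the hunk and part of the hunk text is missing on this page, so confirm this against the full function.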
@@ -1406,8 +1406,38 @@ private: " printf(\"%s\", s);\n" "}"); ASSERT_EQUALS("", errout.str()); + + check("void f(char* foo) {\n" + " char location[200];\n" + " int width, height;\n" + " sscanf(imgInfo, \"%s %d %d\", location, &width, &height);\n" + "}"); + ASSERT_EQUALS("", errout.str()); // ticket #3207 + + check("void f(char *dummy) {\n" + " int iVal;\n" + " sscanf(dummy, \"%d%c\", &iVal);\n" + "}"); + ASSERT_EQUALS("", errout.str()); // ticket #3211 + + check("void f(char *dummy) {\n" + " int* iVal = 0;\n" + " sscanf(dummy, \"%d\", iVal);\n" + "}"); + ASSERT_EQUALS("[test.cpp:3]: (error) Possible null pointer dereference: iVal\n", errout.str()); + + check("void f(char *dummy) {\n" + " int* iVal;\n" + " sscanf(dummy, \"%d\", foo(iVal));\n" + "}"); + ASSERT_EQUALS("", errout.str()); + + check("void f(char *dummy) {\n" + " int* iVal = 0;\n" + " sscanf(dummy, \"%d%d\", foo(iVal), iVal);\n" + "}"); + ASSERT_EQUALS("[test.cpp:3]: (error) Possible null pointer dereference: iVal\n", errout.str()); } }; REGISTER_TEST(TestNullPointer) -
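Review bot: All five added cases put the sscanf call as the last statement of `f`, so none covers a short argument list followed by more code. That is the situation in which the argument search in lib/checknullpointer.cpp can run past the end of the call. A further case for ticket #3211 would pin that behaviour: add a later statement in the same function with a top-level comma and a pointer initialised to 0, and expect an empty `errout`. Separately, the #3207 case declares the parameter as `foo` but passes `imgInfo` to sscanf; renaming the parameter to `imgInfo` would make the sample self-consistent.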