From 71e5c56bf91e857b2c0cf8ded4a97f637da4093f Mon Sep 17 00:00:00 2001
From: Monika Lukow
Date: Sun, 16 May 2010 23:53:42 +0200
Subject: [PATCH] Fixed #1418 (false negative: buffer access out of bounds)
---
 lib/checkbufferoverrun.cpp | 13 ++++++++++++-
 test/testbufferoverrun.cpp | 13 +++++++++++++
 2 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/lib/checkbufferoverrun.cpp b/lib/checkbufferoverrun.cpp
index 184961cc8..e794e538f 100644
--- a/lib/checkbufferoverrun.cpp
+++ b/lib/checkbufferoverrun.cpp
@@ -48,7 +48,7 @@ CheckBufferOverrun instance;
 void CheckBufferOverrun::arrayIndexOutOfBounds(const Token *tok, int size, int index)
 {
- if (size <= 1)
+ if (size == 1)
 return;
 std::ostringstream errmsg;
@@ -779,6 +779,17 @@ void CheckBufferOverrun::checkScope(const Token *tok, const ArrayInfo &arrayInfo
 }
 }
+
+ // in case %var% is declared as a pointer
+ else if (Token::Match(tok, "%var% [ %num% ]"))
+ {
+ const int index = MathLib::toLongNumber(tok->strAt(2));
+ if (index < 0)
+ {
+ arrayIndexOutOfBounds(tok, index, index);
+ }
+
+ }
 // Loop..
 else if (Token::simpleMatch(tok, "for ("))
diff --git a/test/testbufferoverrun.cpp b/test/testbufferoverrun.cpp
index d692c9563..0ebda2a2f 100644
--- a/test/testbufferoverrun.cpp
+++ b/test/testbufferoverrun.cpp
@@ -101,6 +101,7 @@ private:
 TEST_CASE(array_index_25); // ticket #1536
 TEST_CASE(array_index_26);
 TEST_CASE(array_index_27);
+ TEST_CASE(array_index_28); // ticket #1418
 TEST_CASE(array_index_multidim);
 TEST_CASE(array_index_switch_in_for);
 TEST_CASE(array_index_calculation);
@@ -932,6 +933,18 @@ private:
 "}\n");
 ASSERT_EQUALS("[test.cpp:5]: (error) Array 'a[10]' index -1 out of bounds\n", errout.str());
 }
+
+ void array_index_28()
+ {
+ // ticket #1418
+ check("void f()\n"
+ "{\n"
+ " int i[2];\n"
+ " int *ip = &i[1];\n"
+ " ip[-10] = 1;\n"
+ "}\n");
+ ASSERT_EQUALS("[test.cpp:5]: (error) Array 'ip[-10]' index -10 out of bounds\n", errout.str());
+ }
 void array_index_multidim()
 {
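Review bot: Relaxing the guard in `arrayIndexOutOfBounds` from `size <= 1` to `size == 1` exists only so that the new caller in `checkScope` can pass `index` in the `size` slot, and it widens the function for every other caller too. The report then prints the index where the array size belongs (the added test expects `Array 'ip[-10]'`), which reads as an array declared with -10 elements. Any existing path that reaches this function with a size of 0 would presumably now be reported as well, where before it was suppressed. Keeping `if (size <= 1) return;` and reporting the pointer case through a separate helper with its own message, say `negativeIndexError(tok, index)`, avoids both effects. The body of `arrayIndexOutOfBounds` continues outside the hunk.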
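Review bot: The added branch `Token::Match(tok, "%var% [ %num% ]")` in `checkScope` reports every negative constant subscript, but a negative offset from a pointer is out of bounds only when it lands before the start of the underlying object; with `int *ip = &i[1];`, `ip[-1]` is valid and would be flagged. Nothing in the visible pattern ties `%var%` to a pointer declaration or to `arrayInfo`, so the comment "in case %var% is declared as a pointer" is not enforced here. The report should be limited to cases where the pointer's base and offset are known, or otherwise not be emitted as a definite error. `MathLib::toLongNumber` is also narrowed into `const int index`; declaring it as `const long index = MathLib::toLongNumber(tok->strAt(2));` and range-checking before the call avoids truncating large literals. `checkScope` starts and ends outside the hunk, so the branches that precede this `else if` are not visible.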
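Review bot: `array_index_28` covers only the case that must be reported; there is no companion case showing that a legal negative offset stays silent. A second check using the same `int i[2]; int *ip = &i[1];` setup with `ip[-1] = 1;` and `ASSERT_EQUALS("", errout.str());` would pin the boundary between a real underrun and valid pointer arithmetic. As written, the test would keep passing while the checker produces false positives on such code.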