diff --git a/lib/exprengine.cpp b/lib/exprengine.cpp
index 536913509..157425388 100644
--- a/lib/exprengine.cpp
+++ b/lib/exprengine.cpp
@@ -1675,6 +1675,10 @@ static void assignExprValue(const Token *expr, ExprEngine::ValuePtr value, Data
 if (!loopAssign)
 arrayValue->assign(indexValue, value);
 }
+ } else {
+ const Token * const indexToken = expr->astOperand2();
+ auto indexValue = executeExpression(indexToken, data);
+ call(data.callbacks, indexToken, indexValue, &data);
 }
 } else if (expr->isUnaryOp("*")) {
 auto pval = executeExpression(expr->astOperand1(), data);
@@ -2509,6 +2513,7 @@ static std::string execute(const Token *start, const Token *end, Data &data)
 data.assignValue(tok2, varid, getValueRangeFromValueType(vartok->valueType(), data));
 }
 }
+ tok = tok->linkAt(1);
 }
 if (Token::simpleMatch(tok, "} else {"))
diff --git a/test/testbughuntingchecks.cpp b/test/testbughuntingchecks.cpp
index bcc898521..8e70221d6 100644
--- a/test/testbughuntingchecks.cpp
+++ b/test/testbughuntingchecks.cpp
@@ -37,6 +37,7 @@ private:
 LOAD_LIB_2(settings.library, "std.cfg");
 TEST_CASE(checkAssignment);
 TEST_CASE(arrayIndexOutOfBounds1);
+ TEST_CASE(arrayIndexOutOfBounds2);
 TEST_CASE(bufferOverflowMemCmp1);
 TEST_CASE(bufferOverflowMemCmp2);
 TEST_CASE(bufferOverflowStrcpy1);
@@ -82,6 +83,17 @@ private:
 errout.str());
 }
+ void arrayIndexOutOfBounds2() {
+ check("void foo(int n) {\n"
+ " int p[8];"
+ " for (int i = 0; i < n; i++)"
+ " p[i] = 0;\n"
+ "}");
+ ASSERT_EQUALS("[test.cpp:2]: (error) Array index out of bounds, cannot determine that i is less than 8\n"
+ "[test.cpp:2]: (error) Array index out of bounds, cannot determine that i is not negative\n",
+ errout.str());
+ }
+
 void bufferOverflowMemCmp1() { // CVE-2020-24265
 check("void foo(const char *pktdata, int datalen) {\n"
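Review bot: The new `else` branch in assignExprValue evaluates only `expr->astOperand2()`, so for a chained subscript such as `a[i][j] = x` only the last index would be handed to the callbacks and `i` would go unchecked. Whether such an expression can reach this branch depends on conditions outside the hunk, so please confirm. The branch also has no comment saying why the index is evaluated when nothing is assigned; something like `// no array value to assign to: still evaluate the index so the checks see it`, adjusted to the real condition, would help. `indexToken` is passed to executeExpression without a null check, which is safe only if the AST always gives this operator a second operand. The function starts and ends outside the hunk.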
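Review bot: `tok = tok->linkAt(1);` in execute() moves the cursor without saying what is skipped, and the result is used unchecked. If the token after `tok` has no link, `tok` would presumably become null, and the code that follows (starting with `Token::simpleMatch(tok, "} else {")`) then runs on it. A guard, or a comment stating that the enclosing condition guarantees the link, would settle this. I would add a comment such as `// continue from the link of tok->next(); the tokens in between were handled above`, reworded to match what the branch covers. The enclosing block starts outside the hunk.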