Fixed ticket #571 (Buffer overrun for sprintf() not detected after first ')' symbol)

http://sourceforge.net/apps/trac/cppcheck/ticket/571

src/checkbufferoverrun.cpp

@@ -385,7 +385,9 @@ void CheckBufferOverrun::checkScope(const Token *tok, const char *varname[], con
         if (varid > 0 && Token::Match(tok, "sprintf ( %varid% , %str% ,", varid))
         {
             int len = 0;
-            for (const Token *tok2 = tok->tokAt(6); tok2 && tok2->str() != ")"; tok2 = tok2->next())
+            const Token *end = tok->next()->link();
+
+            for (const Token *tok2 = tok->tokAt(6); tok2 && tok2 != end; tok2 = tok2->next())
             {
                 if (tok2->str()[0] == '\"')
                 {

test/testbufferoverrun.cpp

@@ -94,6 +94,8 @@ private:
         TEST_CASE(buffer_overrun_4);
 
         TEST_CASE(sprintf1);
+        TEST_CASE(sprintf2);
+
         TEST_CASE(snprintf1);
         TEST_CASE(snprintf2);
         TEST_CASE(snprintf3);
@@ -563,6 +565,17 @@ private:
         ASSERT_EQUALS("[test.cpp:4]: (possible error) Buffer overrun\n", errout.str());
     }
 
+    void sprintf2()
+    {
+        check("void f()\n"
+              "{\n"
+              "    char str[5];\n"
+              "    sprintf(str, \"%d: %s\", getnumber(), \"abcde\");\n"
+              "}\n");
+        ASSERT_EQUALS("[test.cpp:4]: (possible error) Buffer overrun\n", errout.str());
+
+    }
+
     void snprintf1()
     {
         check("void f()\n"