From 9aa9530e0d2c15aab119ae0b81b1847b8e26448b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20Marjam=C3=A4ki?=
Date: Fri, 31 Jan 2014 06:19:36 +0100
Subject: [PATCH] Fixed #5426 (crash: btrfs-progs cmds-inspect.c)
---
 lib/checkbufferoverrun.cpp | 2 +-
 test/testbufferoverrun.cpp | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/lib/checkbufferoverrun.cpp b/lib/checkbufferoverrun.cpp
index 6c1235be5..5c7e88337 100644
--- a/lib/checkbufferoverrun.cpp
+++ b/lib/checkbufferoverrun.cpp
@@ -1670,7 +1670,7 @@ void CheckBufferOverrun::checkStructVariable()
 if (size != 100) { // magic number for size of struct
 // check if a real size was specified and give up
 // malloc(10) rather than malloc(sizeof(struct))
- if (size < 100)
+ if (size < 100 || arrayInfo.element_size() == 0)
 continue;
 // calculate real array size based on allocated size
diff --git a/test/testbufferoverrun.cpp b/test/testbufferoverrun.cpp
index 473967e5f..b60247f3c 100644
--- a/test/testbufferoverrun.cpp
+++ b/test/testbufferoverrun.cpp
@@ -240,6 +240,7 @@ private:
 TEST_CASE(crash1); // Ticket #1587 - crash
 TEST_CASE(crash2); // Ticket #2607 - crash
 TEST_CASE(crash3); // Ticket #3034 - crash
+ TEST_CASE(crash4); // Ticket #5426 - crash
 TEST_CASE(garbage1); // Ticket #5203
@@ -3663,6 +3664,11 @@ private:
 "}");
 }
+ void crash4() {
+ check("struct b { unknown v[0]; };\n"
+ "void d() { struct b *f; f = malloc(108); }");
+ }
+
 void garbage1() { // Ticket #5203
 check("int f ( int* r ) { { int s[2] ; f ( s ) ; if ( ) } }");
 }
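Review bot: In the lib/checkbufferoverrun.cpp hunk, the new `arrayInfo.element_size() == 0` test is folded into the `size < 100` condition, whose comment only talks about a too-small malloc size, so nothing on the page says why a zero element size must be skipped. Judging by the added test, the zero comes from a member of unknown type, and the "calculate real array size" step presumably divides by it; that code lies below the hunk, so this is an inference. I would give the guard its own line and comment, e.g. `if (arrayInfo.element_size() == 0) continue; // unknown element type: size is 0, skip to avoid dividing by zero below`. Because the analyzer is routinely run over source it does not control, it is also worth checking whether other uses of `element_size()` as a divisor in this file need the same guard. `checkStructVariable` starts and ends outside the hunk.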
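Review bot: `crash4` in the second test/testbufferoverrun.cpp hunk only proves that `check()` returns for this input; it asserts nothing about the diagnostics produced. If no warning is expected for `malloc(108)` into a struct whose member type is unknown, adding `ASSERT_EQUALS("", errout.str());` after the `check(...)` call would also catch a later regression that turns the crash into a bogus overrun report. A `// Ticket #5426` comment on the definition line, as `garbage1` has, would keep the test traceable to the report.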