diff --git a/lib/checkbufferoverrun.cpp b/lib/checkbufferoverrun.cpp
index d74f6ea85..7efedad2b 100644
--- a/lib/checkbufferoverrun.cpp
+++ b/lib/checkbufferoverrun.cpp
@@ -2214,9 +2214,13 @@ void CheckBufferOverrun::arrayIndexThenCheck()
 // skip array index..
 tok = tok->tokAt(4);
- while (tok->str() == "[")
+ while (tok && tok->str() == "[")
 tok = tok->link()->next();
+ // syntax error
+ if (!tok)
+ return;
+
 // skip comparison
 if (Token::Match(tok, "==|!=|<|<=|>|>= %any% &&"))
 tok = tok->tokAt(2);
diff --git a/test/testbufferoverrun.cpp b/test/testbufferoverrun.cpp
index c3af55976..ec7d320ff 100644
--- a/test/testbufferoverrun.cpp
+++ b/test/testbufferoverrun.cpp
@@ -140,6 +140,7 @@ private:
 TEST_CASE(buffer_overrun_17); // ticket #2548
 TEST_CASE(buffer_overrun_18); // ticket #2576 - for, calculation with loop variable
 TEST_CASE(buffer_overrun_19); // #2597 - class member with unknown type
+ TEST_CASE(buffer_overrun_20); // #2986 (segmentation fault)
 TEST_CASE(buffer_overrun_bailoutIfSwitch); // ticket #2378 : bailoutIfSwitch
 // It is undefined behaviour to point out of bounds of an array
@@ -1969,6 +1970,12 @@ private:
 ASSERT_EQUALS("", errout.str());
 }
+ void buffer_overrun_20() // #2986(segmentation fault)
+ {
+ check("x[y]\n");
+ ASSERT_EQUALS("", errout.str());
+ }
+
 void buffer_overrun_bailoutIfSwitch()
 {
 // No false positive
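Review bot: In the `while` loop of the lib/checkbufferoverrun.cpp hunk, `tok->link()` is still dereferenced without a check; the added `tok &&` guard covers only the token itself. If an unmatched `[` can reach this check with no link set (not visible from the hunk), `tok->link()->next()` would fault in the same way as the crash being fixed. A defensive form is `while (tok && tok->str() == "[" && tok->link())` with the guard widened to `if (!tok || tok->str() == "[") return;`. The comment `// syntax error` would also read better as `// incomplete input: the token list ended right after the array index`, which states the condition actually tested. The body of arrayIndexThenCheck starts and continues outside the hunk, so whether `tokAt(4)` itself can return null depends on the pattern match above it.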
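Review bot: buffer_overrun_20 in test/testbufferoverrun.cpp pins only the single-index input, so the case where the loop skips more than one `[...]` before running off the token list is untested. Adding `check("x[y][z]\n");` with the same `ASSERT_EQUALS("", errout.str());` would cover it, assuming that input reaches arrayIndexThenCheck the same way. The assertion only shows that nothing was reported, so a comment such as `// must not crash when the input ends right after the array index` would make clear that surviving the call is the real check.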