From abe84399172f5b720fd9b2b4feac97cabe6edeb7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20Marjam=C3=A4ki?=
Date: Tue, 28 Jan 2014 16:55:10 +0100
Subject: [PATCH] Fixed #5416 (False positive: Array accessed at index, which is out of bounds.)
---
 lib/checkbufferoverrun.cpp | 2 +-
 lib/tokenize.cpp | 6 +++---
 test/testbufferoverrun.cpp | 6 ++++++
 3 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/lib/checkbufferoverrun.cpp b/lib/checkbufferoverrun.cpp
index 76c12a415..6c1235be5 100644
--- a/lib/checkbufferoverrun.cpp
+++ b/lib/checkbufferoverrun.cpp
@@ -1176,7 +1176,7 @@ void CheckBufferOverrun::checkScope(const Token *tok, const ArrayInfo &arrayInfo
 for (int warn = 0; warn == 0 || warn == 1; ++warn) {
 std::vector indexes;
 unsigned int valuevarid = 0;
- for (const Token *tok2 = tok->next(); Token::Match(tok2, "["); tok2 = tok2->link()->next()) {
+ for (const Token *tok2 = tok->next(); indexes.size() < arrayInfo.num().size() && Token::Match(tok2, "["); tok2 = tok2->link()->next()) {
 if (!tok2->astOperand2()) {
 indexes.clear();
 break;
diff --git a/lib/tokenize.cpp b/lib/tokenize.cpp
index 1c629fbd7..7b90c10d8 100644
--- a/lib/tokenize.cpp
+++ b/lib/tokenize.cpp
@@ -3520,8 +3520,8 @@ bool Tokenizer::simplifyTokenList2()
 }
 for (Token *tok = list.front(); tok; tok = tok->next()) {
- if (!Token::Match(tok, "%num%|%var%") && !Token::Match(tok, "]|)") &&
- (Token::Match(tok->next(), "& %var% [ %num%|%var% ]"))) {
+ if (!Token::Match(tok, "%num%|%var%|]|)") &&
+ (Token::Match(tok->next(), "& %var% [ %num%|%var% ] !!["))) {
 tok = tok->next();
 if (tok->next()->varId()) {
@@ -5018,7 +5018,7 @@ void Tokenizer::simplifyPointerToStandardType()
 return;
 for (Token *tok = list.front(); tok; tok = tok->next()) {
- if (!Token::Match(tok, "& %var% [ 0 ]"))
+ if (!Token::Match(tok, "& %var% [ 0 ] !!["))
 continue;
 // Remove '[ 0 ]' suffix
diff --git a/test/testbufferoverrun.cpp b/test/testbufferoverrun.cpp
index 9bcd88570..473967e5f 100644
--- a/test/testbufferoverrun.cpp
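Review bot: The new `indexes.size() < arrayInfo.num().size()` bound on the subscript loop in checkScope has no comment, and the condition alone does not say why collection stops at the declared dimension count. A subscript past the declared dimensions (the `[5]` in `str[0][5]` for `char *str[3]`) indexes through the element rather than the array, so it must not be compared against the array's sizes; a comment above the loop such as `// collect at most one index per declared dimension; further subscripts index the element, not this array` would record that. Those trailing subscripts are now skipped by this check altogether, so an overrun of whatever the element refers to is presumably left to other checks, which is worth confirming so the false-positive fix does not become a silent false negative. checkScope's body starts and ends outside the hunk.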
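Review bot: The `!![` added to the pattern in simplifyTokenList2, and again to `"& %var% [ 0 ] !!["` in the simplifyPointerToStandardType hunk below, is undocumented, so the reason the rewrite must be skipped when another subscript follows can only be recovered from ticket #5416. In simplifyPointerToStandardType the next lines remove the `[ 0 ]` suffix, which for `&str[0][5]` would leave an expression indexing a different object; the rewrite in simplifyTokenList2 is not visible here but presumably has the same problem. A short comment at each site, e.g. `// '&x[0][i]' addresses an inner element - must not be simplified like '&x[0]'`, would keep a later cleanup from dropping the guard and bringing back the bogus out-of-bounds report. Both functions continue outside their hunks.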
+++ b/test/testbufferoverrun.cpp
@@ -2069,6 +2069,12 @@ private:
 " str[((unsigned char)3) - 1] = 0;\n"
 "}", false, "test.cpp", false);
 ASSERT_EQUALS("", errout.str());
+
+ check("void f() {\n" // #5416 FP
+ " char *str[3];\n"
+ " do_something(&str[0][5]);\n"
+ "}", false, "test.cpp", false);
+ ASSERT_EQUALS("", errout.str());
 }
 void buffer_overrun_1_standard_functions() {
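Review bot: The added case covers only `&str[0][5]`, so it does not show which of the three code changes it depends on, and nothing pins that a genuine overrun on the first subscript is still reported. A companion case without the address-of, e.g. `str[0][5] = 0;`, would exercise the checkScope bound on its own. A case such as `str[3][0] = 0;` that expects the existing out-of-bounds message would guard against the fix suppressing real findings. The variable-index form accepted by `"& %var% [ %num%|%var% ] !!["` (e.g. `&str[i][5]`) is also left untested.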