Fixed #569 (Buffer overrun not detected when strcat() called few times)

http://sourceforge.net/apps/trac/cppcheck/ticket/569

src/checkbufferoverrun.cpp

@@ -352,8 +352,8 @@ void CheckBufferOverrun::checkScope(const Token *tok, const char *varname[], con
             if (len >= static_cast<size_t>(size))
             {
                 bufferOverrun(tok);
+                continue;
             }
-            continue;
         }
 
 
@@ -374,6 +374,23 @@ void CheckBufferOverrun::checkScope(const Token *tok, const char *varname[], con
                 strncatUsage(tok->tokAt(9));
         }
 
+        // Detect few strcat() calls
+        if (varid > 0 && Token::Match(tok, "strcat ( %varid% , %str% ) ;", varid))
+        {
+            size_t charactersAppend = 0;
+            const Token *tok2 = tok;
+
+            while (tok2 && Token::Match(tok2, "strcat ( %varid% , %str% ) ;", varid))
+            {
+                charactersAppend += Token::getStrLength(tok2->tokAt(4));
+                if (charactersAppend >= static_cast<size_t>(size))
+                {
+                    bufferOverrun(tok2);
+                    break;
+                }
+                tok2 = tok2->tokAt(7);
+            }
+        }
 
         // sprintf..
         if (varid > 0 && Token::Match(tok, "sprintf ( %varid% , %str% [,)]", varid))

test/testbufferoverrun.cpp

@@ -93,6 +93,7 @@ private:
         TEST_CASE(buffer_overrun_3);
         TEST_CASE(buffer_overrun_4);
         TEST_CASE(buffer_overrun_5);
+        TEST_CASE(buffer_overrun_6);
 
         TEST_CASE(sprintf1);
         TEST_CASE(sprintf2);
@@ -558,6 +559,16 @@ private:
         ASSERT_EQUALS("", errout.str());
     }
 
+    void buffer_overrun_6()
+    {
+        check("void f()\n"
+              "{\n"
+              "   char n[5];\n"
+              "   strcat(n, \"abc\");\n"
+              "   strcat(n, \"def\");\n"
+              "}\n");
+        ASSERT_EQUALS("[test.cpp:5]: (possible error) Buffer overrun\n", errout.str());
+    }
 
     void sprintf1()
     {