Fixed #4432 (Crash on parsing PHP interpreter)

2012-12-26 08:29:10 +01:00 · 2012-12-26 08:29:10 +01:00 · ce380301fd
parent 33f4bd0298
commit ce380301fd
2 changed files with 13 additions and 1 deletions
--- a/lib/checkbufferoverrun.cpp
+++ b/lib/checkbufferoverrun.cpp
@ -700,7 +700,7 @@ void CheckBufferOverrun::checkFunctionParameter(const Token &tok, unsigned int p
        // If argument is '%type% a[num]' then check bounds against num
        if (func) {
            const Variable* argument = func->getArgumentVar(par-1);
-            if (Token::Match(argument->typeStartToken(), "%type% %var% [ %num% ] [,)[]")) {
+            if (argument && Token::Match(argument->typeStartToken(), "%type% %var% [ %num% ] [,)[]")) {
                const Token *tok2 = argument->nameToken()->next();

                MathLib::bigint argsize = _tokenizer->sizeOfType(argument->typeStartToken());
--- a/test/testbufferoverrun.cpp
+++ b/test/testbufferoverrun.cpp
@ -158,6 +158,7 @@ private:
        TEST_CASE(buffer_overrun_23); // #3153
        TEST_CASE(buffer_overrun_24); // #4106
        TEST_CASE(buffer_overrun_25); // #4096
+        TEST_CASE(buffer_overrun_26); // #4432 (segmentation fault)
        TEST_CASE(buffer_overrun_bailoutIfSwitch);  // ticket #2378 : bailoutIfSwitch
        TEST_CASE(buffer_overrun_function_array_argument);
        TEST_CASE(possible_buffer_overrun_1); // #3035
@ -2634,6 +2635,17 @@ private:
        ASSERT_EQUALS("[test.cpp:4]: (error) Buffer is accessed out of bounds: array\n", errout.str());
    }

+    void buffer_overrun_26() { // ticket #4432 (segmentation fault)
+        check("extern int split();\n"
+              "void regress() {\n"
+              "    char inbuf[1000];\n"
+              "    char *f[10];\n"
+              "    split(inbuf, f, 10, \"\t\t\");\n"
+              "}n");
+
+        ASSERT_EQUALS("", errout.str());
+    }
+
    void buffer_overrun_bailoutIfSwitch() {
        // No false positive
        check("void f1(char *s) {\n"