diff --git a/lib/checkbufferoverrun.cpp b/lib/checkbufferoverrun.cpp
index 8653a277a..0978ab222 100644
--- a/lib/checkbufferoverrun.cpp
+++ b/lib/checkbufferoverrun.cpp
@@ -700,7 +700,7 @@ void CheckBufferOverrun::checkFunctionParameter(const Token &tok, unsigned int p
 // If argument is '%type% a[num]' then check bounds against num
 if (func) {
 const Variable* argument = func->getArgumentVar(par-1);
- if (Token::Match(argument->typeStartToken(), "%type% %var% [ %num% ] [,)[]")) {
+ if (argument && Token::Match(argument->typeStartToken(), "%type% %var% [ %num% ] [,)[]")) {
 const Token *tok2 = argument->nameToken()->next();
 MathLib::bigint argsize = _tokenizer->sizeOfType(argument->typeStartToken());
diff --git a/test/testbufferoverrun.cpp b/test/testbufferoverrun.cpp
index 3e76464ad..045a977a6 100644
--- a/test/testbufferoverrun.cpp
+++ b/test/testbufferoverrun.cpp
@@ -158,6 +158,7 @@ private:
 TEST_CASE(buffer_overrun_23); // #3153
 TEST_CASE(buffer_overrun_24); // #4106
 TEST_CASE(buffer_overrun_25); // #4096
+ TEST_CASE(buffer_overrun_26); // #4432 (segmentation fault)
 TEST_CASE(buffer_overrun_bailoutIfSwitch); // ticket #2378 : bailoutIfSwitch
 TEST_CASE(buffer_overrun_function_array_argument);
 TEST_CASE(possible_buffer_overrun_1); // #3035
@@ -2634,6 +2635,17 @@ private:
 ASSERT_EQUALS("[test.cpp:4]: (error) Buffer is accessed out of bounds: array\n", errout.str());
 }
+ void buffer_overrun_26() { // ticket #4432 (segmentation fault)
+ check("extern int split();\n"
+ "void regress() {\n"
+ " char inbuf[1000];\n"
+ " char *f[10];\n"
+ " split(inbuf, f, 10, \"\t\t\");\n"
+ "}n");
+
+ ASSERT_EQUALS("", errout.str());
+ }
+
 void buffer_overrun_bailoutIfSwitch() {
 // No false positive
 check("void f1(char *s) {\n"
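Review bot: The new `argument &&` guard in checkFunctionParameter carries no comment saying when `func->getArgumentVar(par-1)` returns null, and that is not obvious at the call site. Judging by the regression test added in this commit, it happens when a call passes more arguments than the declaration lists (`extern int split();` called with four), so a line such as `// argument is null when the call passes more arguments than the declaration has` above the `if` would stop the check from being dropped as redundant later. The function starts and ends outside this hunk, so whether `argument` is dereferenced again further down without a guard cannot be confirmed from here.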
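Review bot: The last string literal passed to `check()` in `buffer_overrun_26` is `"}n"`, which looks like a dropped backslash: the analysed snippet ends with a stray identifier `n` after the closing brace instead of a newline. The oversized `split(...)` call that triggered ticket #4432 is still present, so the crash path is presumably still exercised, but the input is not the code the test means to describe. It should read `"}\n");` so the regression test stays valid if the tokenizer later becomes stricter about trailing tokens.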