From fe75686595d3880eaff9ba05b0d07c214f88aecb Mon Sep 17 00:00:00 2001 From: Simon Martin Date: Sat, 30 Nov 2013 07:40:32 +0100 Subject: [PATCH] Ticket #5203: Don't crash when checking buffer overrun for invalid code. --- lib/checkbufferoverrun.cpp | 2 ++ test/testbufferoverrun.cpp | 5 +++++ 2 files changed, 7 insertions(+) diff --git a/lib/checkbufferoverrun.cpp b/lib/checkbufferoverrun.cpp index 56d8c0cc9..efa2b2496 100644 --- a/lib/checkbufferoverrun.cpp +++ b/lib/checkbufferoverrun.cpp @@ -229,6 +229,8 @@ static bool bailoutIfSwitch(const Token *tok, const unsigned int varid) const Token* end = tok->linkAt(1)->linkAt(1); if (Token::simpleMatch(end, "} else {")) // scan the else-block end = end->linkAt(2); + if (Token::simpleMatch(end, "{")) // Ticket #5203: Invalid code, bailout + return true; for (; tok != end; tok = tok->next()) { // If scanning a "if" block then bailout for "break" if (is_if && (tok->str() == "break" || tok->str() == "continue")) diff --git a/test/testbufferoverrun.cpp b/test/testbufferoverrun.cpp index ea4658062..0d0bef50d 100644 --- a/test/testbufferoverrun.cpp +++ b/test/testbufferoverrun.cpp @@ -240,6 +240,8 @@ private: TEST_CASE(crash2); // Ticket #2607 - crash TEST_CASE(crash3); // Ticket #3034 - crash + TEST_CASE(garbage1); // Ticket #5203 + TEST_CASE(executionPaths1); TEST_CASE(executionPaths2); TEST_CASE(executionPaths3); // no FP for function parameter @@ -3633,6 +3635,9 @@ private: "}"); } + void garbage1() { // Ticket #5203 + check("int f ( int* r ) { { int s[2] ; f ( s ) ; if ( ) } }"); + } void epcheck(const char code[], const char filename[] = "test.cpp") { // Clear the error buffer..
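Review bot: The guard added in bailoutIfSwitch rejects only one malformed shape, the case where `end` resolves to an opening brace, while the `for (; tok != end; ...)` loop right after it still assumes `end` lies ahead of `tok`. For well-formed input `end` is presumably always the closing `}` of the if or else block, so checking for that positively is tighter than excluding a single bad value: `if (!end || end->str() != "}") return true;`. The context line `tok->linkAt(1)->linkAt(1)` also dereferences the first link without a check; the start of the function is outside the hunk, so confirm whether malformed input can reach it without a linked `(` after `tok`. Because the analyzer is usually run over code it does not control, a crash on such input takes the scan down with it, which argues for the broader check.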
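Review bot: garbage1 exercises a single malformed input, so it pins only the opening-brace case the guard in bailoutIfSwitch was written for. A second check() call with a constructed variant of the same snippet, for example with an `else { }` after the empty `if ( )` or with a non-brace token following it, would show whether the function also survives the neighbouring shapes. A short comment above the input naming the invalid part (the empty condition with no body) would help the next reader.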