Fixed #3163 (Out of bounds pointer arithmetic not reset)

lib/checkbufferoverrun.cpp

@@ -912,11 +912,14 @@ void CheckBufferOverrun::checkScope(const Token *tok, const std::vector<std::str
             break;
         }
 
-        // reassign buffer => bailout
+        // reassign buffer
-        if (varid > 0 &&
+        if (varid > 0 && Token::Match(tok, "[;{}] %varid% =", varid))
-            Token::Match(tok, "[;{}] %varid% =", varid) &&
+        {
-            !Token::Match(tok->tokAt(3), "%varid%", varid))
+			// using varid .. bailout
-            break;
+			if (!Token::Match(tok->tokAt(3), "%varid%", varid))
+			    break;
+			pointerIsOutOfBounds = false;
+		}
 
         // Array index..
         if ((varid > 0 && ((tok->str() == "return" || (!tok->isName() && !Token::Match(tok, "[.&]"))) && Token::Match(tok->next(), "%varid% [ %num% ]", varid))) ||

test/testbufferoverrun.cpp

@@ -2446,6 +2446,15 @@ private:
               "}");
         ASSERT_EQUALS("[test.cpp:4]: (error) p is out of bounds\n", errout.str());
 
+        check("void f() {\n"
+              "    char *p = malloc(10);\n"
+              "    p += 10;\n"
+              "    p -= 10;\n"
+              "    *p = 0;\n"
+              "    free(p);"
+              "}");
+        ASSERT_EQUALS("", errout.str());
+
         check("void f() {\n"
               "    char *p = malloc(10);\n"
               "    p += 10;\n"