Fixed #2136 (false negative: array bounds)

lib/checkbufferoverrun.cpp

@@ -48,7 +48,7 @@ CheckBufferOverrun instance;
 
 void CheckBufferOverrun::arrayIndexOutOfBounds(const Token *tok, int size, int index)
 {
-    if (size > 1)
+    if (size >= 1)
     {
         std::ostringstream errmsg;
         errmsg << "Array '";
@@ -1278,6 +1278,11 @@ void CheckBufferOverrun::checkStructVariable()
             if (arrayInfo.num.size() > 1)
                 continue;
 
+            // Skip array with only 0/1 elements because those are
+            // often overrun intentionally
+            if (arrayInfo.num[0] <= 1)
+                continue;
+
             std::vector<std::string> varname;
             varname.push_back("");
             varname.push_back(arrayInfo.varname);

test/testbufferoverrun.cpp

@@ -1855,7 +1855,7 @@ private:
               "  struct Foo x;\n"
               "  sprintf(x.a, \"aa\");\n"
               "}\n");
-        ASSERT_EQUALS("[test.cpp:5]: (error) Buffer access out-of-bounds\n", errout.str());
+        ASSERT_EQUALS("", errout.str());
     }
 
     void sprintf8()
@@ -1937,7 +1937,7 @@ private:
               "  struct Foo x;\n"
               "  snprintf(x.a, 2, \"aa\");\n"
               "}\n");
-        ASSERT_EQUALS("[test.cpp:5]: (error) snprintf size is out of bounds\n", errout.str());
+        ASSERT_EQUALS("", errout.str());
     }
 
     void snprintf6()
@@ -2198,6 +2198,13 @@ private:
               "    s[10] = 0;\n"
               "}\n");
         ASSERT_EQUALS("[test.cpp:4]: (error) Array 's[4]' index 10 out of bounds\n", errout.str());
+
+        check("void foo()\n"
+              "{\n"
+              "    char *s; s = \"\";\n"
+              "    s[10] = 0;\n"
+              "}\n");
+        ASSERT_EQUALS("[test.cpp:4]: (error) Array 's[1]' index 10 out of bounds\n", errout.str());
     }
 
     void memset1()