Fix #13496 fuzzing crash in CheckOther::checkIncompleteArrayFill(), use ValueFlow (#7167)

Author: chrchr-github

lib/checkother.cpp

@@ -3203,8 +3203,11 @@ void CheckOther::checkIncompleteArrayFill()
 
     for (const Scope * scope : symbolDatabase->functionScopes) {
         for (const Token* tok = scope->bodyStart->next(); tok != scope->bodyEnd; tok = tok->next()) {
-            if (Token::Match(tok, "memset|memcpy|memmove (") && Token::Match(tok->linkAt(1)->tokAt(-2), ", %num% )")) {
-                const Token* tok2 = tok->tokAt(2);
+            if (Token::Match(tok, "memset|memcpy|memmove (")) {
+                std::vector<const Token*> args = getArguments(tok);
+                if (args.size() != 3)
+                    continue;
+                const Token* tok2 = args[0];
                 if (tok2->str() == "::")
                     tok2 = tok2->next();
                 while (Token::Match(tok2, "%name% ::|."))
@@ -3216,19 +3219,19 @@ void CheckOther::checkIncompleteArrayFill()
                 if (!var || !var->isArray() || var->dimensions().empty() || !var->dimension(0))
                     continue;
 
-                if (MathLib::toBigNumber(tok->linkAt(1)->tokAt(-1)) == var->dimension(0)) {
-                    int size = mTokenizer->sizeOfType(var->typeStartToken());
-                    if (size == 0 && var->valueType()->pointer)
-                        size = mSettings->platform.sizeof_pointer;
-                    else if (size == 0 && var->valueType())
-                        size = ValueFlow::getSizeOf(*var->valueType(), *mSettings);
-                    const Token* tok3 = tok->next()->astOperand2()->astOperand1()->astOperand1();
-                    if ((size != 1 && size != 100 && size != 0) || var->isPointer()) {
-                        if (printWarning)
-                            incompleteArrayFillError(tok, tok3->expressionString(), tok->str(), false);
-                    } else if (var->valueType()->type == ValueType::Type::BOOL && printPortability) // sizeof(bool) is not 1 on all platforms
-                        incompleteArrayFillError(tok, tok3->expressionString(), tok->str(), true);
-                }
+                if (!args[2]->hasKnownIntValue() || args[2]->getKnownIntValue() != var->dimension(0))
+                    continue;
+                int size = mTokenizer->sizeOfType(var->typeStartToken());
+                if (size == 0 && var->valueType()->pointer)
+                    size = mSettings->platform.sizeof_pointer;
+                else if (size == 0 && var->valueType())
+                    size = ValueFlow::getSizeOf(*var->valueType(), *mSettings);
+                const Token* tok3 = tok->next()->astOperand2()->astOperand1()->astOperand1();
+                if ((size != 1 && size != 100 && size != 0) || var->isPointer()) {
+                    if (printWarning)
+                        incompleteArrayFillError(tok, tok3->expressionString(), tok->str(), false);
+                } else if (var->valueType()->type == ValueType::Type::BOOL && printPortability) // sizeof(bool) is not 1 on all platforms
+                    incompleteArrayFillError(tok, tok3->expressionString(), tok->str(), true);
             }
         }
     }

test/cli/fuzz-crash_c/crash-bbf4e88b43fa24873e63d39ab04ef8d3fd00e344

@@ -0,0 +1 @@
+f(){int a[5];memset(a,5)}

test/testother.cpp

@@ -9562,6 +9562,13 @@ class TestOther : public TestFixture {
               "    memset(a, false, 5);\n"
               "}");
         ASSERT_EQUALS("[test.cpp:3]: (portability, inconclusive) Array 'a' might be filled incompletely. Did you forget to multiply the size given to 'memset()' with 'sizeof(*a)'?\n", errout_str());
+
+        check("void f() {\n"
+              "    const int n = 5;"
+              "    int a[n];\n"
+              "    memset(a, 0, n);\n"
+              "}");
+        ASSERT_EQUALS("[test.cpp:3]: (warning, inconclusive) Array 'a' is filled incompletely. Did you forget to multiply the size given to 'memset()' with 'sizeof(*a)'?\n", errout_str());
     }
 
     void redundantVarAssignment() {