@@ -281,6 +281,9 @@ static bool isNullablePointer(const Token* tok)
281281
282282void CheckNullPointer::nullPointerByDeRefAndCheckToken (const Token *tok, const bool printInconclusive)
283283{
284+ if (!tok)
285+ return ;
286+
284287 if (Token::Match (tok, " %num%|%char%|%str%"
285288 return ;
286289
@@ -311,13 +314,26 @@ const Token * CheckNullPointer::nullPointerByDeRefAndCheck(const Token *start, c
311314{
312315 for (const Token* tok = start; tok != end; tok = tok->next ()) {
313316 if (Token::simpleMatch (tok, " while ("
317+ if (!tok->next () || !tok->next ()->link () || !tok->next ()->astOperand2 ()) {
318+ /* Garbage code */
319+ return end;
320+ }
321+
314322 /* Analyze tokens inside condition */
315323 const Token *condTok = tok->next ()->astOperand2 ();
316324 const Token *startCondTok = tok->next ();
317325 const Token *endCondTok = tok->next ()->link ();
326+ if (!Token::simpleMatch (startCondTok, " (" Token::simpleMatch (endCondTok, " )"
327+ /* Garbage code */
328+ return end;
329+ }
318330 tok = nullPointerByDeRefAndCheck (startCondTok, endCondTok, printInconclusive);
319331
320332 if (condTok->hasKnownIntValue () && condTok->getKnownIntValue () == 0 ) {
333+ if (!tok->next ()) {
334+ /* Garbage code */
335+ return end;
336+ }
321337 /* Skip body */
322338 if (tok->next ()->link ())
323339 tok = tok->next ()->link ();
@@ -326,33 +342,74 @@ const Token * CheckNullPointer::nullPointerByDeRefAndCheck(const Token *start, c
326342 bool prevBranchTaken = false ;
327343 do {
328344 if (prevBranchTaken) {
345+ if (!tok->next ()) {
346+ /* Garbage code */
347+ return end;
348+ }
329349 tok = tok->next ()->linkAt (3 ); /* Skip condition */
350+ if (!tok || !tok->next () || !tok->next ()->link ()) {
351+ /* Garbage code */
352+ return end;
353+ }
330354 tok = tok->next ()->link (); /* Skip body */
331355 continue ;
332356 }
333357
358+ if (!tok->next () || !tok->next ()->next ()) {
359+ /* Garbage code */
360+ return end;
361+ }
362+
334363 /* Analyze condition */
335364 const Token *ifTok = Token::simpleMatch (tok, " if (" next ()->next ()->next ();
336- const Token *elseIfCondTok = ifTok->next ()->astOperand2 ();
337- const Token *elseIfCondStartTok = ifTok->next ();
338- const Token *elseIfCondEndTok = ifTok->next ()->link ();
339- tok = nullPointerByDeRefAndCheck (elseIfCondStartTok, elseIfCondEndTok, printInconclusive);
365+ if (!ifTok || !ifTok->next () || !ifTok->next ()->link () || !ifTok->next ()->astOperand2 ()) {
366+ /* Garbage code */
367+ return end;
368+ }
369+ const Token *condTok = ifTok->next ()->astOperand2 ();
370+ const Token *condStartTok = ifTok->next ();
371+ const Token *condEndTok = ifTok->next ()->link ();
372+ if (!Token::simpleMatch (condStartTok, " (" Token::simpleMatch (condEndTok, " )"
373+ /* Garbage code */
374+ return end;
375+ }
376+ tok = nullPointerByDeRefAndCheck (condStartTok, condEndTok, printInconclusive);
377+ if (!tok || !tok->next () || !tok->next ()->link ()) {
378+ /* Garbage code */
379+ return end;
380+ }
340381
341- prevBranchTaken = prevBranchTaken || (elseIfCondTok->hasKnownIntValue () && elseIfCondTok->getKnownIntValue ());
342- if (elseIfCondTok->hasKnownIntValue () && elseIfCondTok->getKnownIntValue () == 0 ) {
382+ prevBranchTaken = prevBranchTaken || (condTok->hasKnownIntValue () && condTok->getKnownIntValue ());
383+ if (condTok->hasKnownIntValue () && condTok->getKnownIntValue () == 0 ) {
384+ if (!tok->next ()->link ()) {
385+ /* Garbage code */
386+ return end;
387+ }
343388 /* Skip body */
344389 tok = tok->next ()->link ();
345390 } else {
346391 /* Analyze body */
347392 const Token *elseIfBodyStartTok = tok->next ();
348393 const Token *elseIfBodyEndTok = elseIfBodyStartTok->link ();
394+ if (!Token::simpleMatch (elseIfBodyStartTok, " {" Token::simpleMatch (elseIfBodyEndTok, " }"
395+ /* Garbage code */
396+ return end;
397+ }
349398 tok = nullPointerByDeRefAndCheck (elseIfBodyStartTok, elseIfBodyEndTok, printInconclusive);
350399 }
400+ if (!tok || !tok->next ()) {
401+ /* Garbage code */
402+ return end;
403+ }
351404 } while (Token::simpleMatch (tok->next (), " else { if (" Token::simpleMatch (tok->next ()->linkAt (3 ), " ) {"
352405
353406 /* Handle final else branch */
354407 if (prevBranchTaken && Token::simpleMatch (tok->next (), " else"
355408 /* Skip body */
409+ if (!tok->next () || !tok->next ()->next () || !tok->next ()->next ()->link ()) {
410+ /* Garbage code */
411+ return end;
412+ }
356413 tok = tok->next ()->next ()->link ();
357414 }
358415 } else if (Token::simpleMatch (tok, " ?" Token::simpleMatch (tok->astOperand2 (), " :" // ternary operator
@@ -364,11 +421,15 @@ const Token * CheckNullPointer::nullPointerByDeRefAndCheck(const Token *start, c
364421 }
365422 } else {
366423 if (isUnevaluated (tok)) {
424+ if (!tok->next () || !tok->next ()->link ()) {
425+ /* Garbage code */
426+ return end;
427+ }
428+
367429 tok = tok->next ()->link ();
368- continue ;
430+ } else {
431+ nullPointerByDeRefAndCheckToken (tok, printInconclusive);
369432 }
370-
371- nullPointerByDeRefAndCheckToken (tok, printInconclusive);
372433 }
373434 }
374435
0 commit comments