From 9ea886ef9253d6195790c25103b0598d8a5d162c Mon Sep 17 00:00:00 2001
From: Dan Carpenter
Date: Tue, 18 Dec 2012 11:41:32 +0300
Subject: [PATCH] param_limit: fix read beyond end of array (segfault)

This was crashing on functions with more than 16 parameters. I've made the array large enouch to hold 32 parameters. I've also added a check in print_return_value_param() so that it doesn't read beyond the end.

Signed-off-by: Dan Carpenter
---
 smatch_param_limit.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/smatch_param_limit.c b/smatch_param_limit.c
index 183412b5..2002bf5b 100644
--- a/smatch_param_limit.c
+++ b/smatch_param_limit.c
@@ -15,7 +15,7 @@ static int orig_id;
 static int modify_id;
 static int side_effects;
-static struct smatch_state *orig_states[16];
+static struct smatch_state *orig_states[32];
 STATE(modified);
@@ -181,7 +181,7 @@ static void match_after_def(struct symbol *sym)
 param = -1;
 FOR_EACH_PTR(cur_func_sym->ctype.base_type->arguments, tmp) {
 param++;
- if (param >= 16)
+ if (param >= 32)
 return;
 orig_states[param] = NULL;
@@ -204,7 +204,8 @@ static void print_return_value_param(int return_id, char *return_ranges, struct
 state = get_orig_estate(tmp);
 if (!state)
 continue;
- if (range_lists_equiv(estate_ranges(orig_states[param]), estate_ranges(state)))
+ if (param < 32 &&
+ range_lists_equiv(estate_ranges(orig_states[param]), estate_ranges(state)))
 continue;
 sm_msg("info: return_limited_param %d %d '%s' '$$' '%s' %s", return_id, param, return_ranges,
-- 
2.11.4.GIT
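Review bot: The bound 32 is now a bare literal in three separate places — the `orig_states[32]` declaration in this hunk, the `param >= 32` bail-out in match_after_def and the `param < 32` guard in print_return_value_param — so the next resize has to hunt down every copy again, which is exactly how the 16-element version got out of step with its users. A single named constant keeps the array and both checks in agreement: `#define MAX_PARAMS 32` next to the declaration, `static struct smatch_state *orig_states[MAX_PARAMS];`, and `MAX_PARAMS` (or an ARRAY_SIZE-style macro over orig_states, if the tree has one) in the two comparisons. The same point applies to the second and third hunks.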
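Review bot: With the guard written as `param < 32 && range_lists_equiv(...)`, a parameter at index 32 or beyond no longer reads past orig_states, but it also never takes the `continue`, so it falls through to the sm_msg() call and is reported as a limited parameter whether or not its state actually changed; that looks like a spurious report rather than the intent of the fix. Since match_after_def stops recording original states at the same bound, skipping such parameters outright would be the consistent choice: `if (param >= 32) continue;` placed before the comparison, leaving the original `range_lists_equiv` test as it was. print_return_value_param begins outside the hunk and the loop that advances `param` is not visible here, so I cannot confirm how often the out-of-range case is reached.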