From d642ea0082376dd7e7a48bd276482d6a330ab3dd Mon Sep 17 00:00:00 2001
From: Dan Carpenter
Date: Thu, 28 Feb 2013 14:10:00 +0300
Subject: [PATCH] buf_size: fix a NULL dereference

Apparently "expr" can be NULL here. I've lost my test case, sorry.

Signed-off-by: Dan Carpenter
---
 smatch_buf_size.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/smatch_buf_size.c b/smatch_buf_size.c
index 1ada81a8..7e088d39 100644
--- a/smatch_buf_size.c
+++ b/smatch_buf_size.c
@@ -292,7 +292,7 @@ static struct expression *remove_addr_fluff(struct expression *expr)
 	expr = strip_expr(expr);
 
 	/* remove '&' and '*' operations that cancel */
-	while (expr->type == EXPR_PREOP && expr->op == '&') {
+	while (expr && expr->type == EXPR_PREOP && expr->op == '&') {
 		tmp = strip_expr(expr->unop);
 		if (tmp->type != EXPR_PREOP)
 			break;
@@ -301,6 +301,9 @@ static struct expression *remove_addr_fluff(struct expression *expr)
 		expr = strip_expr(tmp->unop);
 	}
 
+	if (!expr)
+		return NULL;
+
 	/* "foo + 0" is just "foo" */
 	if (expr->type == EXPR_BINOP && expr->op == '+' &&
 	    get_value(expr->right, &sval) && sval.value == 0)
-- 
2.11.4.GIT
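Review bot: `tmp` is dereferenced at `if (tmp->type != EXPR_PREOP)` directly after `tmp = strip_expr(expr->unop);`, without the NULL guard this commit adds for `expr`; if `strip_expr()` can hand back NULL for `expr` it presumably can for `expr->unop` as well, so the same class of crash remains one line below the fix. A guard in the same style, `if (!tmp || tmp->type != EXPR_PREOP) break;`, would close it. Since the commit message says the reproducer was lost, a short comment above the new `if (!expr)` in the second hunk, such as `/* strip_expr() can return NULL; bail out rather than dereference */`, would keep the check from being dropped later as apparently dead code. remove_addr_fluff()'s body continues past the second hunk.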