Fix #14774 FP bufferAccessOutOfBounds: Wrong size for sizeof( ref ) (#8572)

chrchr-github · web-flow · commit 96d4a9626ada · 2026-05-27T09:37:54.000+02:00
diff --git a/lib/vf_common.cpp b/lib/vf_common.cpp
@@ -160,11 +160,13 @@ namespace ValueFlow
                 value.setKnown();
             setTokenValue(tok, std::move(value), settings);
         } else if (Token::simpleMatch(tok, "sizeof (")) {
-            if (tok->next()->astOperand2() && !tok->next()->astOperand2()->isLiteral() && tok->next()->astOperand2()->valueType() &&
-                (tok->next()->astOperand2()->valueType()->pointer == 0 || // <- TODO this is a bailout, abort when there are array->pointer conversions
-                 (tok->next()->astOperand2()->variable() && !tok->next()->astOperand2()->variable()->isArray())) &&
-                !tok->next()->astOperand2()->valueType()->isEnum()) { // <- TODO this is a bailout, handle enum with non-int types
-                const size_t sz = tok->next()->astOperand2()->valueType()->getSizeOf(settings, ValueType::Accuracy::ExactOrZero, ValueType::SizeOf::Pointer);
+            const Token* const obj = tok->next()->astOperand2();
+            if (obj && !obj->isLiteral() && obj->valueType() &&
+                (obj->valueType()->pointer == 0 || // <- TODO this is a bailout, abort when there are array->pointer conversions
+                 (obj->variable() && !obj->variable()->isArray())) &&
+                !obj->valueType()->isEnum()) { // <- TODO this is a bailout, handle enum with non-int types
+                const auto ptrPointee = obj->valueType()->pointer > 0 ? ValueType::SizeOf::Pointer : ValueType::SizeOf::Pointee;
+                const size_t sz = obj->valueType()->getSizeOf(settings, ValueType::Accuracy::ExactOrZero, ptrPointee);
                 if (sz) {
                     Value value(sz);
                     value.setKnown();
diff --git a/test/testvalueflow.cpp b/test/testvalueflow.cpp
@@ -1396,6 +1396,30 @@ class TestValueFlow : public TestFixture {
         ASSERT_EQUALS(1U, values.size());
         ASSERT_EQUALS(4, values.back().intvalue);
 
+        code = "char& r = i;\n"
+               "sizeof(r);";
+        values = tokenValues(code, "( r");
+        ASSERT_EQUALS(1U, values.size());
+        ASSERT_EQUALS(1, values.back().intvalue);
+
+        code = "char* p;\n"
+               "sizeof(p);";
+        values = tokenValues(code, "( p");
+        ASSERT_EQUALS(1U, values.size());
+        ASSERT_EQUALS(settings.platform.sizeof_pointer, values.back().intvalue);
+
+        code = "char*& pr = p;\n"
+               "sizeof(pr);";
+        values = tokenValues(code, "( pr");
+        ASSERT_EQUALS(1U, values.size());
+        ASSERT_EQUALS(settings.platform.sizeof_pointer, values.back().intvalue);
+
+        code = "struct { char& r; char* p; } s{ x, y };\n"
+               "sizeof(s);\n";
+        values = tokenValues(code, "( s");
+        ASSERT_EQUALS(1U, values.size());
+        ASSERT_EQUALS(2 * settings.platform.sizeof_pointer, values.back().intvalue);
+
 #define CHECK3(A, B, C)                          \
     do {                                     \
         code = "void f() {\n"                    \
