From d0b977039960c1e7f2a88033c5ac1085ebb6f923 Mon Sep 17 00:00:00 2001
From: Ted Kremenek
Date: Fri, 12 Oct 2012 22:56:36 +0000
Subject: [PATCH] Fix potential crash in ObjCContainersChecker by properly validating the number of arguments.
llvm-svn: 165838
---
 .../lib/StaticAnalyzer/Checkers/ObjCContainersASTChecker.cpp | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/clang/lib/StaticAnalyzer/Checkers/ObjCContainersASTChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/ObjCContainersASTChecker.cpp
index e0eb01d31b0c..9c0c3cd3b6fd 100644
--- a/clang/lib/StaticAnalyzer/Checkers/ObjCContainersASTChecker.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/ObjCContainersASTChecker.cpp
@@ -105,6 +105,8 @@ void WalkAST::VisitCallExpr(CallExpr *CE) {
 unsigned ArgNum = InvalidArgIndex;
 if (Name.equals("CFArrayCreate") || Name.equals("CFSetCreate")) {
+ if (CE->getNumArgs() != 4)
+ return;
 ArgNum = 1;
 Arg = CE->getArg(ArgNum)->IgnoreParenCasts();
 if (hasPointerToPointerSizedType(Arg))
@@ -112,6 +114,8 @@ void WalkAST::VisitCallExpr(CallExpr *CE) {
 }
 if (Arg == 0 && Name.equals("CFDictionaryCreate")) {
+ if (CE->getNumArgs() != 6)
+ return;
 // Check first argument.
 ArgNum = 1;
 Arg = CE->getArg(ArgNum)->IgnoreParenCasts();
@@ -127,6 +131,7 @@ void WalkAST::VisitCallExpr(CallExpr *CE) {
 if (ArgNum != InvalidArgIndex) {
 assert(ArgNum == 1 || ArgNum == 2);
+ assert(Arg);
 SmallString<256> BufName;
 llvm::raw_svector_ostream OsName(BufName);
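Review bot: The bare `return;` taken on an argument-count mismatch in the `CFArrayCreate`/`CFSetCreate` branch leaves `VisitCallExpr` entirely instead of only skipping this check, and the `!= 6` guard in the second hunk behaves the same way. The rest of the function lies outside the hunk; if its tail walks the call's child expressions, calls nested inside a same-named function with a different arity would silently stop being inspected. If that is intended, record it with a comment such as `// Not the CoreFoundation signature; nothing to check in this call.`; otherwise make the branch conditional on the count, `if (CE->getNumArgs() == 4) {`, around the existing argument access so control falls through.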
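Review bot: The literal `6` in the `CFDictionaryCreate` guard (like the `4` in the first hunk) is unexplained, so a reader cannot tell that it is the full parameter count rather than a bound derived from the highest index used, which is 2. A comment above the check would settle it, for example `// CFDictionaryCreate(allocator, keys, values, numValues, keyCallBacks, valueCallBacks)`. The diffstat lists only this file, so the crash fix lands without a regression test; a test input that declares a function with one of these names and fewer parameters would keep the guard from regressing.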
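Review bot: `assert(Arg);` is compiled out when NDEBUG is defined, so in release builds it does not stop a null `Arg` from reaching the code that follows, which continues outside the hunk. With the two new argument-count guards the invariant appears to hold wherever `ArgNum` is set, so the assert is documentation of that invariant rather than protection. Give it a message so a failure explains itself: `assert(Arg && "ArgNum set without an argument expression");`.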