Possible bug - containerOutOfBounds error not detected

[LukeL]

Hi, an error was picked up in the below code when running cppcheck 2.6.

void SomeClass::__receiveData(const std::string& qData)
{
    switch(mReceivingService)
    {
    case PEI::kType4: // TL
    case PEI::kType4_IncomingMessageToMTCopiedToTE:
        {
            // decode data
            std::bitset<24> bits = __getMessageHeaderInBinary(qData.substr(0, 6));
            std::string data;
            for(std::string::const_iterator chp = qData.begin(); chp < qData.end(); )
            {
                QString digits;
                digits += QChar(*chp++);
                digits += QChar(chp < qData.end() ? *chp++ : '0');
                data += static_cast<char>(digits.toInt(0, 16)); // convert from hex
            }

            int id = static_cast<int>(static_cast<unsigned char>(data[0]));
            switch(id)
            {
            case PEI::kComplexTlTtextTranser:
            case PEI::kTlImmedidateDisplay:
                if ( (data.length() >= 4) || (data[1] & 0xf0) == 0 )  
                {
                    // publish received message
                    PagingHandler::receivedPage(lexical_cast<std::string>(mReceivingFrom), lexical_cast<std::string>(mReceivingTo), data.substr(4), std::string()); // remove header and encoding bytes
                }

                //sds report requested
                if(bits[10] && !bits[11])
                {
                    __deliveryReport(mReceivingFrom, qData.substr(4,2));
                }
                break;

            default:
                PagingHandler::receivedPage(lexical_cast<std::string>(mReceivingFrom), lexical_cast<std::string>(mReceivingTo), qData.substr(2), lexical_cast<std::string>(id)); // remove ID
                break;
            }
        }
        break;
        ...
}

containerOutOfBounds - Out of bounds access in expression 'data[0]' because 'data' is empty.
This error makes sense as 'qData' may be empty, hence 'data' will be empty.

The concern is with the line further down
'if ( (data.length() >= 4) || (data[1] & 0xf0) == 0 )'
No error was raised here even though data[1] will also be out of bounds if the length of data is less than 4.

[CHR]

Reduced example:

void f(const std::string& data)
{
    if ( (data.length() >= 4) || (data[1] & 0xf0) == 0 ) {}
}

There is a warning when accessing data[3], since it directly contradicts the first condition. data[1] could be safe even when data.length() is less than four.