From 02dc49624db1b26e5be6cb47ef8f8812805533e4 Mon Sep 17 00:00:00 2001
From: Simon Martin
Date: Sat, 21 Dec 2013 08:08:19 +0100
Subject: [PATCH] Ticket #5214: Don't read out of bounds upon invalid ternary operator.
---
 lib/tokenize.cpp | 9 ++++++++-
 test/testtokenize.cpp | 6 ++++++
 2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/lib/tokenize.cpp b/lib/tokenize.cpp
index 306e4f6d3..1b02b4a62 100644
--- a/lib/tokenize.cpp
+++ b/lib/tokenize.cpp
@@ -2566,6 +2566,8 @@ static Token *skipTernaryOp(Token *tok)
 if (Token::Match(tok->next(), "[{};]"))
 break;
 }
+ if (colonlevel) // Ticket #5214: Make sure the ':' matches the proper '?'
+ return 0;
 return tok;
 }
@@ -2606,7 +2608,12 @@ bool Tokenizer::simplifyLabelsCaseDefault()
 if (tok->str() == "(" || tok->str() == "[") {
 tok = tok->link();
 } else if (tok->str() == "?") {
- tok = skipTernaryOp(tok);
+ Token *tok1 = skipTernaryOp(tok);
+ if(!tok1) {
+ syntaxError(tok);
+ return false;
+ }
+ tok = tok1;
 }
 if (Token::Match(tok->next(),"[:{};]"))
 break;
diff --git a/test/testtokenize.cpp b/test/testtokenize.cpp
index 32d288b1f..65532817f 100644
--- a/test/testtokenize.cpp
+++ b/test/testtokenize.cpp
@@ -75,6 +75,7 @@ private:
 TEST_CASE(garbageCode3); // #4869
 TEST_CASE(garbageCode4); // #4887
 TEST_CASE(garbageCode5); // #5168
+ TEST_CASE(garbageCode6); // #5214
 TEST_CASE(simplifyFileAndLineMacro); // tokenize "return - __LINE__;"
@@ -981,6 +982,11 @@ private:
 void garbageCode5() { // #5168
 tokenizeAndStringify("( asm : ; void : );");
 }
+
+ void garbageCode6() { // #5214
+ tokenizeAndStringify("int b = ( 0 ? ? ) 1 : 0 ;", /*simplify=*/true);
+ tokenizeAndStringify("int a = int b = ( 0 ? ? ) 1 : 0 ;", /*simplify=*/true);
+ }
 void simplifyFileAndLineMacro() { // tokenize 'return - __LINE__' correctly
 ASSERT_EQUALS("\"test.cpp\"", tokenizeAndStringify("__FILE__"));
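Review bot: skipTernaryOp() can now return a null pointer, but nothing on the function documents that, and this patch updates only one caller. Any other call site that dereferences the result would turn the old out-of-bounds read into a null dereference on the same malformed input; none is visible here, so the remaining callers need checking. I would add a header comment such as `// Returns 0 if a '?' is left without its ':' (syntax error); callers must check before use.` The inline comment could also be reworded to `// Ticket #5214: a '?' was never closed by its ':'`, since the test is for an unclosed '?' rather than for a ':' matching the right '?'. The function body starts above the hunk.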
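Review bot: In simplifyLabelsCaseDefault() the new guard is written `if(!tok1) {` while the surrounding lines use `if (`, so the spacing should be made consistent; a name like `afterTernary` would also say more than `tok1`. The `return false` only helps if the caller stops working on the token list when it gets a false result. That caller is outside the hunk, so it is worth confirming that it does not carry on simplifying a list already known to be malformed. The function body starts and ends outside the hunk.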
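Review bot: garbageCode6() asserts nothing, so it fails only if the tokenizer crashes, and an out-of-bounds read is not guaranteed to crash unless the suite runs under a sanitizer or valgrind. Pinning the outcome would make the regression test hold on ordinary builds: check that a syntax error is reported for both inputs, for example with `ASSERT_EQUALS` on the captured error output (assuming the fixture exposes it, which this hunk does not show). A short comment such as `// '?' without a matching ':' must be rejected, not read past the end` would also tell the next reader what the garbage input exercises.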