#6880, 6881 Crashes on invalid code. Fix null pointer access

2015-07-28 18:41:50 +02:00 · 2015-07-28 18:41:50 +02:00 · 1f43550688
parent 544932734f
commit 1f43550688
2 changed files with 17 additions and 1 deletions
--- a/lib/tokenize.cpp
+++ b/lib/tokenize.cpp
@ -226,6 +226,8 @@ bool Tokenizer::duplicateTypedef(Token **tokPtr, const Token *name, const Token
        const Token * end = tok->next();

        if (end->str() == "[") {
+            if (!end->link())
+                syntaxError(end); // #6680 invalid code
            end = end->link()->next();
        } else if (end->str() == ",") {
            // check for derived class
@ -5526,8 +5528,11 @@ void Tokenizer::simplifyVarDecl(Token * tokBegin, Token * tokEnd, bool only_k_r_
                        while (tok2 && tok2->str() != "," && tok2->str() != ";") {
                            if (Token::Match(tok2, "{|(|["))
                                tok2 = tok2->link();
-                            if (!isC() && tok2->str() == "<" && TemplateSimplifier::templateParameters(tok2) > 0)
+                            if (!isC() && tok2->str() == "<" && TemplateSimplifier::templateParameters(tok2) > 0) {
                                tok2 = tok2->findClosingBracket();
+                            }
+                            if (!tok2)
+                                syntaxError(nullptr); // #6881 invalid code
                            tok2 = tok2->next();
                        }
                        if (tok2 && tok2->str() == ";")
--- a/test/testgarbage.cpp
+++ b/test/testgarbage.cpp
@ -145,6 +145,8 @@ private:
        TEST_CASE(garbageCode103); // #6824
        TEST_CASE(garbageCode104); // #6847
        TEST_CASE(garbageCode105); // #6859
+        TEST_CASE(garbageCode106);
+        TEST_CASE(garbageCode107);

        TEST_CASE(garbageValueFlow);
        TEST_CASE(garbageSymbolDatabase);
@ -819,6 +821,15 @@ private:
        checkCode("void foo (int i) { int a , for (a 1; a( < 4; a++) if (a) (b b++) (b);) n++; }");
    }

+    void garbageCode106() { // #6880
+        ASSERT_THROW(checkCode("[ ] typedef typedef b_array b_array_ref [ ; ] ( ) b_array_ref b_array_ref_gbl_obj0 { ; { b_array_ref b_array_ref_gbl_obj0 } }"), InternalError);
+    }
+
+    void garbageCode107() { // #6881
+        ASSERT_THROW(checkCode("enum { val = 1{ }; { const} }; { } Bar { const int A = val const } ;"), InternalError);
+    }
+
+
    void garbageValueFlow() {
        // #6089
        const char* code = "{} int foo(struct, x1, struct x2, x3, int, x5, x6, x7)\n"