diff --git a/lib/checkleakautovar.cpp b/lib/checkleakautovar.cpp
index 6cef37c10..a69622ddd 100644
--- a/lib/checkleakautovar.cpp
+++ b/lib/checkleakautovar.cpp
@@ -150,8 +150,11 @@ void CheckLeakAutoVar::checkScope(const Token * const startToken,
     // Parse all tokens
     const Token * const endToken = startToken->link();
     for (const Token *tok = startToken; tok && tok != endToken; tok = tok->next()) {
-        if (!tok->scope()->isExecutable())
+        if (!tok->scope()->isExecutable()) {
             tok = tok->scope()->classEnd;
+            if (!tok) // Ticket #6666 (crash upon invalid code)
+                break;
+        }
 
         // Deallocation and then dereferencing pointer..
         if (tok->varId() > 0) {
diff --git a/test/testgarbage.cpp b/test/testgarbage.cpp
index 3bf1c6c2a..7f0338019 100644
--- a/test/testgarbage.cpp
+++ b/test/testgarbage.cpp
@@ -76,6 +76,7 @@ private:
         TEST_CASE(garbageCode35); // #2599, #2604
         TEST_CASE(garbageCode36); // #6334
         TEST_CASE(garbageCode37); // #5166
+        TEST_CASE(garbageCode38); // #6666
 
         TEST_CASE(garbageValueFlow);
         TEST_CASE(garbageSymbolDatabase);
@@ -445,6 +446,10 @@ private:
         checkCode("void * f { } void b ( ) { * f }");
     }
 
+    void garbageCode38() { // Ticket #6666
+        checkCode("{ f2 { } } void f3 () { delete[] } { }");
+    }
+
     void garbageValueFlow() {
         // #6089
         const char* code = "{} int foo(struct, x1, struct x2, x3, int, x5, x6, x7)\n"