From 4050d56169f9c5db54654fa0858852dffd678669 Mon Sep 17 00:00:00 2001
From: Alexander Mai
Date: Fri, 29 May 2015 21:44:00 +0200
Subject: [PATCH] #6722 segmentation fault (invalid code) in Tokenizer::simplifyTypedef
---
 lib/tokenize.cpp | 4 ++++
 test/testgarbage.cpp | 5 +++++
 2 files changed, 9 insertions(+)
diff --git a/lib/tokenize.cpp b/lib/tokenize.cpp
index 5441695e4..9b586b11a 100644
--- a/lib/tokenize.cpp
+++ b/lib/tokenize.cpp
@@ -903,6 +903,10 @@ void Tokenizer::simplifyTypedef()
 typeName = tokOffset->previous();
 argStart = tokOffset->next();
 argEnd = tokOffset->next()->link();
+ if (!argEnd) {
+ syntaxError(argStart);
+ return;
+ }
 tok = argEnd->next();
 Token *spec = tok;
 if (Token::Match(spec, "const|volatile")) {
diff --git a/test/testgarbage.cpp b/test/testgarbage.cpp
index 23750ec75..f6701b5ef 100644
--- a/test/testgarbage.cpp
+++ b/test/testgarbage.cpp
@@ -92,6 +92,7 @@ private:
 TEST_CASE(garbageCode51); // #6719
 TEST_CASE(garbageCode52); // #6720
 TEST_CASE(garbageCode53); // #6721
+ TEST_CASE(garbageCode54); // #6722
 TEST_CASE(garbageValueFlow);
 TEST_CASE(garbageSymbolDatabase);
@@ -525,6 +526,10 @@ private:
 checkCode("{ { } }; void foo (struct int i) { x->b[i] = = }");
 }
+ void garbageCode54() { // #6722
+ ASSERT_THROW(checkCode("{ typedef long ((pf) p) (); }"), InternalError);
+ }
+
 void garbageValueFlow() { // #6089
 const char* code = "{} int foo(struct, x1, struct x2, x3, int, x5, x6, x7)\n"
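Review bot: In the lib/tokenize.cpp hunk the `return;` after `syntaxError(argStart);` appears unreachable, because the test added in this same commit expects `checkCode` to throw `InternalError` for this input. If syntaxError always throws, drop the `return;`; otherwise add a comment saying the typedef is deliberately left unsimplified on that path. The guard itself has no explanation, so I would put `// invalid code: argStart has no linked closing token (#6722)` above `if (!argEnd) {`. This tokenizer parses whatever source it is handed, so a null dereference here aborts the whole analysis run. The context line `argEnd = tokOffset->next()->link();` still relies on a non-null `next()`, which the enclosing condition presumably guarantees, but that condition and the start and end of simplifyTypedef are outside the hunk.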