From 4a1695c8793ea3c8cc3d89fe033eaed998a2ed84 Mon Sep 17 00:00:00 2001
From: amai2012
Date: Wed, 1 Jul 2015 16:31:49 +0200
Subject: [PATCH] #6807 segmentation fault (invalid code) in Tokenizer::simplifyTypedef. #6808 segmentation fault (invalid code) in Tokenizer::simplifyTypedef. Throw InternalError on garbage code
---
 lib/symboldatabase.cpp | 3 +++
 lib/tokenize.cpp | 7 ++++++-
 test/testgarbage.cpp | 10 ++++++++++
 3 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/lib/symboldatabase.cpp b/lib/symboldatabase.cpp
index dd5c5aa3c..10dcfcc78 100644
--- a/lib/symboldatabase.cpp
+++ b/lib/symboldatabase.cpp
@@ -96,6 +96,9 @@ SymbolDatabase::SymbolDatabase(const Tokenizer *tokenizer, const Settings *setti
 // only create base list for classes and structures
 if (new_scope->isClassOrStruct()) {
 // goto initial '{'
+ if (!new_scope->definedType) {
+ _tokenizer->syntaxError(nullptr); // #6808
+ }
 tok2 = new_scope->definedType->initBaseInfo(tok, tok2);
 // make sure we have valid code
diff --git a/lib/tokenize.cpp b/lib/tokenize.cpp
index 49a7b8942..0863daaf9 100644
--- a/lib/tokenize.cpp
+++ b/lib/tokenize.cpp
@@ -1505,8 +1505,13 @@ void Tokenizer::simplifyTypedef()
 } else if (typeOf) {
 tok2 = copyTokens(tok2, argStart, argEnd);
 } else if (tok2->tokAt(2) && tok2->strAt(2) == "[") {
- while (tok2->tokAt(2) && tok2->strAt(2) == "[")
+ while (tok2->tokAt(2) && tok2->strAt(2) == "[") {
+ if (!tok2->linkAt(2)) {
+ syntaxError(tok2); // #6807
+ return;
+ }
 tok2 = tok2->linkAt(2)->previous();
+ }
 }
 if (arrayStart && arrayEnd) {
diff --git a/test/testgarbage.cpp b/test/testgarbage.cpp
index 09dda9587..2870cba02 100644
--- a/test/testgarbage.cpp
+++ b/test/testgarbage.cpp
@@ -135,6 +135,8 @@ private:
 TEST_CASE(garbageCode93);
 TEST_CASE(garbageCode94);
 TEST_CASE(garbageCode95);
+ TEST_CASE(garbageCode96);
+ TEST_CASE(garbageCode97);
 TEST_CASE(garbageValueFlow);
 TEST_CASE(garbageSymbolDatabase);
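Review bot: The new guard in lib/symboldatabase.cpp only prevents the null dereference if `_tokenizer->syntaxError()` never returns; nothing after the call stops `new_scope->definedType->initBaseInfo(tok, tok2)` on the next line from running, whereas the sibling guard in the lib/tokenize.cpp hunk adds an explicit `return;` after its `syntaxError(tok2)`. Passing `nullptr` also leaves the raised InternalError (the commit subject and garbageCode97 rely on it being thrown) without a source location, although `tok` is in scope on the next line. I would pass the token and state what the call is relied upon for: `_tokenizer->syntaxError(tok); // #6808: presumably throws InternalError and never returns; definedType is null for this scope`. The enclosing constructor body starts and ends outside the hunk.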
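Review bot: The `return;` added right after `syntaxError(tok2)` in the lib/tokenize.cpp hunk is dead code if `syntaxError` throws, which the commit subject and the new garbageCode96 test assume; if it ever did return, simplifyTypedef would exit part-way with the typedef only partially expanded and later passes skipped, so the intent of the two lines deserves a sentence. A comment on the guard such as `// syntaxError() throws InternalError; the return only guards the linkAt(2) dereference below if it ever does not` makes that explicit and matches the `// #6807` reference. The loop is entered on the same `tok2->tokAt(2) && tok2->strAt(2) == "["` condition that the outer `else if` tests, so the new check is reached on the first iteration and the fix itself looks complete. simplifyTypedef starts and ends outside the hunk.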
@@ -751,6 +753,14 @@ private:
 checkCode("{ } x x ; { } h h [ ] ( ) ( ) { struct x ( x ) ; int __attribute__ ( ) f ( ) { h - > first = & x ; struct x * n = h - > first ; ( ) n > } }"); // do not crash
 }
+ void garbageCode96() { // #6807
+ ASSERT_THROW(checkCode("typedef J J[ ; typedef ( ) ( ) { ; } typedef J J ;] ( ) ( J cx ) { n } ;"), InternalError);
+ }
+
+ void garbageCode97() { // #6808
+ ASSERT_THROW(checkCode("namespace A {> } class A{ { }} class A : T< ;"), InternalError);
+ }
+
 void garbageValueFlow() { // #6089
 const char* code = "{} int foo(struct, x1, struct x2, x3, int, x5, x6, x7)\n"