#6735, #6735 Fix segfault on garbage code

Throw syntax error instead
2015-06-01 21:47:06 +02:00 · 2015-06-01 21:47:06 +02:00 · 4b2fb4b76c
parent 4bde4d5a4a
commit 4b2fb4b76c
2 changed files with 19 additions and 1 deletions
--- a/lib/tokenize.cpp
+++ b/lib/tokenize.cpp
@ -1490,9 +1490,13 @@ void Tokenizer::simplifyTypedef()
                            }

                            tok2 = copyTokens(tok2, arrayStart, arrayEnd);
+							if (!tok2->next())
+								syntaxError(tok2);
                            tok2 = tok2->next();

                            if (tok2->str() == "=") {
+								if (!tok2->next())
+									syntaxError(tok2);
                                if (tok2->next()->str() == "{")
                                    tok2 = tok2->next()->link()->next();
                                else if (tok2->next()->str().at(0) == '\"')
@ -3032,6 +3036,10 @@ bool Tokenizer::simplifySizeof()
                    sizeOfVar[varId] = size;
                    declTokOfVar[varId] = tok;
                }
+				if (!tok2) {
+					syntaxError(tok);
+					return false;
+				}
                tok = tok2;
            }

@ -4005,7 +4013,7 @@ void Tokenizer::removeMacroInClassDef()
 void Tokenizer::removeMacroInVarDecl()
 {
    for (Token *tok = list.front(); tok; tok = tok->next()) {
-        if (Token::Match(tok, "[;{}] %name% (") && tok->next()->isUpperCaseName()) {
+        if (Token::Match(tok, "[;{}] %name% (") && tok->next() && tok->next()->isUpperCaseName()) {
            // goto ')' parentheses
            const Token *tok2 = tok;
            int parlevel = 0;
--- a/test/testgarbage.cpp
+++ b/test/testgarbage.cpp
@ -97,6 +97,8 @@ private:
        TEST_CASE(garbageCode56); // #6713
        TEST_CASE(garbageCode57); // #6733
        TEST_CASE(garbageCode58); // #6732
+		TEST_CASE(garbageCode59); // #6735
+		TEST_CASE(garbageCode60); // #6736

        TEST_CASE(garbageValueFlow);
        TEST_CASE(garbageSymbolDatabase);
@ -550,6 +552,14 @@ private:
        ASSERT_THROW(checkCode("{ }> {= ~A()^{} }P { }"), InternalError);
    }

+	void garbageCode59() { // #6735
+		ASSERT_THROW(checkCode("{ { } }; char font8x8[256][8]"), InternalError);
+	}
+
+	void garbageCode60() { // #6736
+		ASSERT_THROW(checkCode("{ } { } typedef int int_array[]; int_array &right ="), InternalError);
+	}
+

    void garbageValueFlow() {
        // #6089