From 4b2fb4b76c755cd4aa2565e884286b416f803bf1 Mon Sep 17 00:00:00 2001
From: amai2012
Date: Mon, 1 Jun 2015 21:47:06 +0200
Subject: [PATCH] #6735, #6735 Fix segfault on garbage code Throw syntax error instead
---
 lib/tokenize.cpp | 10 +++++++++-
 test/testgarbage.cpp | 10 ++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/lib/tokenize.cpp b/lib/tokenize.cpp
index ddd3fd1e7..9c4e614ef 100644
--- a/lib/tokenize.cpp
+++ b/lib/tokenize.cpp
@@ -1490,9 +1490,13 @@ void Tokenizer::simplifyTypedef()
 }
 tok2 = copyTokens(tok2, arrayStart, arrayEnd);
+ if (!tok2->next())
+ syntaxError(tok2);
 tok2 = tok2->next();
 if (tok2->str() == "=") {
+ if (!tok2->next())
+ syntaxError(tok2);
 if (tok2->next()->str() == "{")
 tok2 = tok2->next()->link()->next();
 else if (tok2->next()->str().at(0) == '\"')
@@ -3032,6 +3036,10 @@ bool Tokenizer::simplifySizeof()
 sizeOfVar[varId] = size;
 declTokOfVar[varId] = tok;
 }
+ if (!tok2) {
+ syntaxError(tok);
+ return false;
+ }
 tok = tok2;
 }
@@ -4005,7 +4013,7 @@ void Tokenizer::removeMacroInClassDef()
 void Tokenizer::removeMacroInVarDecl()
 {
 for (Token *tok = list.front(); tok; tok = tok->next()) {
- if (Token::Match(tok, "[;{}] %name% (") && tok->next()->isUpperCaseName()) {
+ if (Token::Match(tok, "[;{}] %name% (") && tok->next() && tok->next()->isUpperCaseName()) {
 // goto ')' parentheses
 const Token *tok2 = tok;
 int parlevel = 0;
diff --git a/test/testgarbage.cpp b/test/testgarbage.cpp
index 80c07b599..b4de88738 100644
--- a/test/testgarbage.cpp
+++ b/test/testgarbage.cpp
@@ -97,6 +97,8 @@ private:
 TEST_CASE(garbageCode56); // #6713
 TEST_CASE(garbageCode57); // #6733
 TEST_CASE(garbageCode58); // #6732
+ TEST_CASE(garbageCode59); // #6735
+ TEST_CASE(garbageCode60); // #6736
 TEST_CASE(garbageValueFlow);
 TEST_CASE(garbageSymbolDatabase);
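Review bot: The `=` branch in simplifyTypedef still chains `tok2->next()->link()->next()` with no check on either result, so the two guards added above it cover only the first dereference. On truncated input like the test cases in this commit, the final `next()` leaves tok2 null when the closing brace is the last token, and `link()` is only safe if brace pairing was validated before simplifyTypedef runs, which is not visible here. Consider taking the link into a local and rejecting null before advancing, e.g. `Token *end = tok2->next()->link(); if (!end || !end->next()) syntaxError(tok2);`. The if/else chain continues past the end of the hunk, so whether later code tolerates a null tok2 cannot be confirmed from these lines.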
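Review bot: The `return false;` after `syntaxError(tok)` in simplifySizeof is dead code if syntaxError() always throws, which is what the new tests expect (InternalError) and what the simplifyTypedef guards in this same commit depend on, since they dereference `tok2->next()` right after the call. Pick one convention: drop the `return false;`, or keep it with a comment such as `// syntaxError() throws InternalError; the return is defensive only`. If syntaxError() can in fact return under some configuration, the simplifyTypedef guards need an explicit early exit as well. The enclosing loop starts outside the hunk, so where tok2 becomes null is not visible here.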
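Review bot: The added `tok->next() &&` in removeMacroInVarDecl looks redundant, because a successful `Token::Match(tok, "[;{}] %name% (")` should already imply that tok->next() exists: it is the token matched by `%name%`. If that holds, this line changes no behaviour and the crash from the ticket is fixed by the other hunks; either drop the extra test or add a comment such as `// next() is non-null after Match; check kept for static analysers`. The parenthesis walk that follows (`tok2`, `parlevel`) runs past the hunk end and looks like the more likely place for a null dereference on unterminated input, but that cannot be confirmed from the visible lines.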
@@ -550,6 +552,14 @@ private: ASSERT_THROW(checkCode("{ }> {= ~A()^{} }P { }"), InternalError); } + void garbageCode59() { // #6735 + ASSERT_THROW(checkCode("{ { } }; char font8x8[256][8]"), InternalError); + } + + void garbageCode60() { // #6736 + ASSERT_THROW(checkCode("{ } { } typedef int int_array[]; int_array &right ="), InternalError); + } + void garbageValueFlow() { // #6089