6755 segmentation fault (invalid code) in Token::isAssignmentOp. #6756 segmentation fault (invalid code) in Tokenizer::simplifyTypedef. Fix two crashes.

2015-06-04 17:45:12 +02:00 · 2015-06-04 17:45:12 +02:00 · 5f4902c613
parent f2d397882f
commit 5f4902c613
3 changed files with 15 additions and 3 deletions
--- a/lib/checkunusedvar.cpp
+++ b/lib/checkunusedvar.cpp
@ -957,7 +957,7 @@ void CheckUnusedVar::checkFunctionVariableUsage_iterateScopes(const Scope* const

            // checked for chained assignments
            if (tok != start && equal && equal->str() == "=") {
-                unsigned int varId = tok->varId();
+                const unsigned int varId = tok->varId();
                Variables::VariableUsage *var = variables.find(varId);

                if (var && var->_type != Variables::reference) {
@ -977,7 +977,7 @@ void CheckUnusedVar::checkFunctionVariableUsage_iterateScopes(const Scope* const
                    tok = tok->link()->next();
            }

-            unsigned int varid = tok->varId();
+            const unsigned int varid = tok->varId();
            const Variables::VariableUsage *var = variables.find(varid);

            if (var) {
@ -1061,7 +1061,7 @@ void CheckUnusedVar::checkFunctionVariableUsage_iterateScopes(const Scope* const
                if (tok2->varId()) {
                    if (tok2->strAt(1) == "=")
                        variables.write(tok2->varId(), tok);
-                    else if (tok2->next()->isAssignmentOp())
+                    else if (tok2->next() && tok2->next()->isAssignmentOp())
                        variables.use(tok2->varId(), tok);
                    else
                        variables.read(tok2->varId(), tok);
--- a/lib/tokenize.cpp
+++ b/lib/tokenize.cpp
@ -1529,6 +1529,8 @@ void Tokenizer::simplifyTypedef()

                    simplifyType = false;
                }
+				if (!tok2)
+					break;
            }

            if (tok->str() == ";")
--- a/test/testgarbage.cpp
+++ b/test/testgarbage.cpp
@ -115,6 +115,8 @@ private:
        TEST_CASE(garbageCode74);
        TEST_CASE(garbageCode75);
        TEST_CASE(garbageCode76);
+		TEST_CASE(garbageCode77);
+		TEST_CASE(garbageCode78);

        TEST_CASE(garbageValueFlow);
        TEST_CASE(garbageSymbolDatabase);
@ -640,6 +642,14 @@ private:
        checkCode(" ( ) ( ) { ( ) [ ] } TEST ( ) { ( _broadcast_f32x4 ) ( ) ( ) ( ) ( ) if ( ) ( ) ; } E mask = ( ) [ ] ( ) res1.x =");
    }

+	void garbageCode77() { // #6755
+        checkCode("void foo (int **p) { { { };>= } } unsigned *d = (b b--) --*d");
+    }
+
+	void garbageCode78() { // #6756
+        checkCode("( ) { [ ] } ( ) { } const_array_of_int ( ) { } typedef int A [ ] [ ] ; A a = { { } { } }");
+    }
+
    void garbageValueFlow() {
        // #6089
        const char* code = "{} int foo(struct, x1, struct x2, x3, int, x5, x6, x7)\n"