From 5f4902c613571071c3d903fa1c34969accdaea70 Mon Sep 17 00:00:00 2001
From: Alexander Mai
Date: Thu, 4 Jun 2015 17:45:12 +0200
Subject: [PATCH] 6755 segmentation fault (invalid code) in Token::isAssignmentOp. #6756 segmentation fault (invalid code) in Tokenizer::simplifyTypedef. Fix two crashes.
---
 lib/checkunusedvar.cpp | 6 +++---
 lib/tokenize.cpp | 2 ++
 test/testgarbage.cpp | 10 ++++++++++
 3 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/lib/checkunusedvar.cpp b/lib/checkunusedvar.cpp
index 5ca1a0b89..3abdf299e 100644
--- a/lib/checkunusedvar.cpp
+++ b/lib/checkunusedvar.cpp
@@ -957,7 +957,7 @@ void CheckUnusedVar::checkFunctionVariableUsage_iterateScopes(const Scope* const
 // checked for chained assignments
 if (tok != start && equal && equal->str() == "=") {
- unsigned int varId = tok->varId();
+ const unsigned int varId = tok->varId();
 Variables::VariableUsage *var = variables.find(varId);
 if (var && var->_type != Variables::reference) {
@@ -977,7 +977,7 @@ void CheckUnusedVar::checkFunctionVariableUsage_iterateScopes(const Scope* const
 tok = tok->link()->next();
 }
- unsigned int varid = tok->varId();
+ const unsigned int varid = tok->varId();
 const Variables::VariableUsage *var = variables.find(varid);
 if (var) {
@@ -1061,7 +1061,7 @@ void CheckUnusedVar::checkFunctionVariableUsage_iterateScopes(const Scope* const
 if (tok2->varId()) {
 if (tok2->strAt(1) == "=")
 variables.write(tok2->varId(), tok);
- else if (tok2->next()->isAssignmentOp())
+ else if (tok2->next() && tok2->next()->isAssignmentOp())
 variables.use(tok2->varId(), tok);
 else
 variables.read(tok2->varId(), tok);
diff --git a/lib/tokenize.cpp b/lib/tokenize.cpp
index cde47a3e5..d58ec03ec 100644
--- a/lib/tokenize.cpp
+++ b/lib/tokenize.cpp
@@ -1529,6 +1529,8 @@ void Tokenizer::simplifyTypedef()
 simplifyType = false;
 }
+ if (!tok2)
+ break;
 }
 if (tok->str() == ";")
diff --git a/test/testgarbage.cpp b/test/testgarbage.cpp
index 175a48852..39b6f4dc6 100644
--- a/test/testgarbage.cpp
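Review bot: In lib/checkunusedvar.cpp, third hunk (@@ -1061), the new `tok2->next() &&` guard has no comment saying why the next token can be missing, so a later cleanup could remove it as redundant. A one-line comment above the `else if`, such as `// tok2 can be the last token on invalid code (#6755)`, would tie it to the garbageCode77 regression test. When `tok2->next()` is null the code now falls through to `variables.read(tok2->varId(), tok)`, which looks harmless for truncated input but should be a deliberate choice rather than a side effect. The enclosing loop over tok2 starts and ends outside the hunk.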
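Review bot: In lib/tokenize.cpp (@@ -1529), `if (!tok2) break;` leaves the loop silently once the typedef replacement has run off the end of the token list, so simplifyTypedef() continues with a partly rewritten stream. This path is presumably reached only on malformed input (#6756), so consider stopping through the tokenizer's syntax-error path instead of carrying on. At minimum add a comment such as `// ran past the last token while replacing the typedef (invalid code, #6756)`. Whether anything after the loop still dereferences tok2 cannot be seen here, because the loop header and the rest of the function are outside the hunk.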
+++ b/test/testgarbage.cpp
@@ -115,6 +115,8 @@ private:
 TEST_CASE(garbageCode74);
 TEST_CASE(garbageCode75);
 TEST_CASE(garbageCode76);
+ TEST_CASE(garbageCode77);
+ TEST_CASE(garbageCode78);
 TEST_CASE(garbageValueFlow);
 TEST_CASE(garbageSymbolDatabase);
@@ -640,6 +642,14 @@ private:
 checkCode(" ( ) ( ) { ( ) [ ] } TEST ( ) { ( _broadcast_f32x4 ) ( ) ( ) ( ) ( ) if ( ) ( ) ; } E mask = ( ) [ ] ( ) res1.x =");
 }
+ void garbageCode77() { // #6755
+ checkCode("void foo (int **p) { { { };>= } } unsigned *d = (b b--) --*d");
+ }
+
+ void garbageCode78() { // #6756
+ checkCode("( ) { [ ] } ( ) { } const_array_of_int ( ) { } typedef int A [ ] [ ] ; A a = { { } { } }");
+ }
+
 void garbageValueFlow() { // #6089
 const char* code = "{} int foo(struct, x1, struct x2, x3, int, x5, x6, x7)\n"