#6785 segmentation fault (invalid code) in Tokenizer::simplifyTypedef. Avoid null pointer access

lib/tokenize.cpp

@@ -973,8 +973,17 @@ void Tokenizer::simplifyTypedef()
             argEnd = tokOffset->link();
 
             argFuncRetStart = argEnd->tokAt(2);
+            if (!argFuncRetStart)
+            {
+                syntaxError(tokOffset);
+                return;
+            }
             argFuncRetEnd = argFuncRetStart->link();
-
+            if (!argFuncRetEnd)
+            {
+                syntaxError(tokOffset);
+                return;
+            }
             tok = argFuncRetEnd->next();
         } else if (Token::Match(tokOffset, "( * ( %type% ) (")) {
             functionRetFuncPtr = true;
@@ -985,8 +994,17 @@ void Tokenizer::simplifyTypedef()
             argEnd = tokOffset->link();
 
             argFuncRetStart = argEnd->tokAt(2);
+            if (!argFuncRetStart)
+            {
+                syntaxError(tokOffset);
+                return;
+            }
             argFuncRetEnd = argFuncRetStart->link();
-
+            if (!argFuncRetEnd)
+            {
+                syntaxError(tokOffset);
+                return;
+            }
             tok = argFuncRetEnd->next();
         }
 

test/testgarbage.cpp

@@ -125,6 +125,7 @@ private:
         TEST_CASE(garbageCode83);
         TEST_CASE(garbageCode84);
         TEST_CASE(garbageCode85);
+        TEST_CASE(garbageCode86);
 
         TEST_CASE(garbageValueFlow);
         TEST_CASE(garbageSymbolDatabase);
@@ -687,6 +688,10 @@ private:
         ASSERT_THROW(checkCode("{ } { } typedef void ( *VoidFunc() ) ( ) ; VoidFunc"), InternalError); // do not crash
     }
 
+    void garbageCode86() { // #6785
+        ASSERT_THROW(checkCode("{ } typedef char ( *( X ) ( void) , char ) ;"), InternalError); // do not crash
+    }
+
     void garbageValueFlow() {
         // #6089
         const char* code = "{} int foo(struct, x1, struct x2, x3, int, x5, x6, x7)\n"