From 7fc9930b38e9e06484bdd2b4ba84f80a86abb912 Mon Sep 17 00:00:00 2001
From: Alexander Mai <amai@users.sf.net>
Date: Tue, 2 Jun 2015 19:48:20 +0200
Subject: [PATCH] #6740 segmentation fault (invalid code) in
 Tokenizer::simplifyFunctionPointers. Throw syntaxError instead

---
 lib/tokenize.cpp     | 4 ++++
 test/testgarbage.cpp | 7 ++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/lib/tokenize.cpp b/lib/tokenize.cpp
index e75c4dbac..814a99802 100644
--- a/lib/tokenize.cpp
+++ b/lib/tokenize.cpp
@@ -5283,6 +5283,10 @@ void Tokenizer::simplifyFunctionPointers()
             tok = tok->next();
 
         // check that the declaration ends
+        if (!tok || !tok->link() || !tok->link()->next()) {
+            syntaxError(nullptr);
+            return;
+        }
         Token *endTok = tok->link()->next()->link();
         if (!Token::Match(endTok, ") const| ;|,|)|=|[|{"))
             continue;
diff --git a/test/testgarbage.cpp b/test/testgarbage.cpp
index e9c39565f..f5770c44b 100644
--- a/test/testgarbage.cpp
+++ b/test/testgarbage.cpp
@@ -102,6 +102,7 @@ private:
         TEST_CASE(garbageCode61);
         TEST_CASE(garbageCode62);
         TEST_CASE(garbageCode63);
+        TEST_CASE(garbageCode64);
 
         TEST_CASE(garbageValueFlow);
         TEST_CASE(garbageSymbolDatabase);
@@ -572,7 +573,11 @@ private:
     }
 
     void garbageCode63() { // #6739
-        ASSERT_THROW(checkCode(" { } { } typedef int u_array[]; typedef u_array &u_array_ref; (u_array_ref arg) { } u_array_ref u_array_ref_gbl_obj0"), InternalError);
+        ASSERT_THROW(checkCode("{ } { } typedef int u_array[]; typedef u_array &u_array_ref; (u_array_ref arg) { } u_array_ref u_array_ref_gbl_obj0"), InternalError);
+    }
+
+    void garbageCode64() { // #6740
+        ASSERT_THROW(checkCode("{ } foo(void (*bar)(void))"), InternalError);
     }