#6539 Segmentation fault in Tokenizer::duplicateTypedef. Avoid crash on garbage code

2015-02-24 11:15:23 +01:00 · 2015-02-24 11:15:23 +01:00 · 8427398d9d
parent 130ffc5752
commit 8427398d9d
2 changed files with 6 additions and 1 deletions
--- a/lib/tokenize.cpp
+++ b/lib/tokenize.cpp
@ -184,7 +184,7 @@ bool Tokenizer::duplicateTypedef(Token **tokPtr, const Token *name, const Token
                if (end->next()->str() == "(")
                    end = end->linkAt(1);

-                end = end->next();
+                end = (end)?end->next():nullptr;
            }
            if (end)
                end = end->next();
--- a/test/testgarbage.cpp
+++ b/test/testgarbage.cpp
@ -71,6 +71,7 @@ private:
        TEST_CASE(garbageCode28);
        TEST_CASE(garbageCode29);
        TEST_CASE(garbageCode30); // #5867
+        TEST_CASE(garbageCode31); // #6539

        TEST_CASE(garbageValueFlow);
        TEST_CASE(garbageSymbolDatabase);
@ -393,6 +394,10 @@ private:
                  "}");
    }

+    void garbageCode31() {
+        ASSERT_THROW(checkCode("typedef struct{}x[([],)]typedef e y;(y,x 0){}"), InternalError);
+    }
+
    void garbageValueFlow() {
        // #6089
        const char* code = "{} int foo(struct, x1, struct x2, x3, int, x5, x6, x7)\n"