#6759 segmentation fault (invalid code) in Tokenizer::simplifyTokenList2. #6760 segmentation fault (invalid code) in Tokenizer::simplifyTypedef. Fix crashes

2015-06-06 13:11:32 +02:00 · 2015-06-06 13:11:32 +02:00 · b6264e4a00
parent eed0c0df14
commit b6264e4a00
2 changed files with 19 additions and 1 deletions
--- a/lib/tokenize.cpp
+++ b/lib/tokenize.cpp
@ -922,6 +922,10 @@ void Tokenizer::simplifyTypedef()
                }
                tok = specEnd->next();
            }
+            if (!tok)   {
+                syntaxError(specEnd);
+                return;
+            }
            if (tok->str() == ")")
                tok = tok->next();
        }
@ -1219,7 +1223,7 @@ void Tokenizer::simplifyTypedef()
                    bool inSizeof = false;

                    // check for derived class: class A : some_typedef {
-                    bool isDerived = Token::Match(tok2->previous(), "public|protected|private %type% {|,");
+                    const bool isDerived = Token::Match(tok2->previous(), "public|protected|private %type% {|,");

                    // check for cast: (some_typedef) A or static_cast<some_typedef>(A)
                    // todo: check for more complicated casts like: (const some_typedef *)A
@ -3687,6 +3691,10 @@ bool Tokenizer::simplifyTokenList2()
            if (tok->next()->varId()) {
                if (pod.find(tok->next()->varId()) == pod.end()) {
                    tok = tok->tokAt(5);
+                    if (!tok) {
+                        syntaxError(tok);
+                        return false;
+                    }
                    continue;
                }
            }
--- a/test/testgarbage.cpp
+++ b/test/testgarbage.cpp
@ -118,6 +118,8 @@ private:
        TEST_CASE(garbageCode77);
        TEST_CASE(garbageCode78);
        TEST_CASE(garbageCode79);
+        TEST_CASE(garbageCode80);
+        TEST_CASE(garbageCode81);

        TEST_CASE(garbageValueFlow);
        TEST_CASE(garbageSymbolDatabase);
@ -655,6 +657,14 @@ private:
        ASSERT_THROW(checkCode("{ } { } typedef void ( func_type ) ( ) ; func_type & ( )"), InternalError);
    }

+    void garbageCode80() { // #6759
+        ASSERT_THROW(checkCode("( ) { ; ( ) ; ( * ) [ ] ; [ ] = ( ( ) ( ) h ) ! ( ( ) ) } { ; } { } head heads [ ] = ; = & heads [ 2 ]"), InternalError);
+    }
+
+    void garbageCode81() { // #6760
+        ASSERT_THROW(checkCode("{ } [ ] { ( ) } { } typedef void ( *fptr1 ) ( ) const"), InternalError);
+    }
+
    void garbageValueFlow() {
        // #6089
        const char* code = "{} int foo(struct, x1, struct x2, x3, int, x5, x6, x7)\n"