From b6264e4a00ee7f6e196f78a15c81b6bbfc2f705c Mon Sep 17 00:00:00 2001
From: Alexander Mai
Date: Sat, 6 Jun 2015 13:11:32 +0200
Subject: [PATCH] #6759 segmentation fault (invalid code) in Tokenizer::simplifyTokenList2. #6760 segmentation fault (invalid code) in Tokenizer::simplifyTypedef. Fix crashes
---
 lib/tokenize.cpp | 10 +++++++++-
 test/testgarbage.cpp | 10 ++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/lib/tokenize.cpp b/lib/tokenize.cpp
index 91dc93bb7..7a8935eeb 100644
--- a/lib/tokenize.cpp
+++ b/lib/tokenize.cpp
@@ -922,6 +922,10 @@ void Tokenizer::simplifyTypedef()
 }
 tok = specEnd->next();
 }
+ if (!tok) {
+ syntaxError(specEnd);
+ return;
+ }
 if (tok->str() == ")")
 tok = tok->next();
 }
@@ -1219,7 +1223,7 @@ void Tokenizer::simplifyTypedef()
 bool inSizeof = false;
 // check for derived class: class A : some_typedef {
- bool isDerived = Token::Match(tok2->previous(), "public|protected|private %type% {|,");
+ const bool isDerived = Token::Match(tok2->previous(), "public|protected|private %type% {|,");
 // check for cast: (some_typedef) A or static_cast(A)
 // todo: check for more complicated casts like: (const some_typedef *)A
@@ -3687,6 +3691,10 @@ bool Tokenizer::simplifyTokenList2()
 if (tok->next()->varId()) {
 if (pod.find(tok->next()->varId()) == pod.end()) {
 tok = tok->tokAt(5);
+ if (!tok) {
+ syntaxError(tok);
+ return false;
+ }
 continue;
 }
 }
diff --git a/test/testgarbage.cpp b/test/testgarbage.cpp
index fb52822c1..03535e955 100644
--- a/test/testgarbage.cpp
+++ b/test/testgarbage.cpp
@@ -118,6 +118,8 @@ private:
 TEST_CASE(garbageCode77);
 TEST_CASE(garbageCode78);
 TEST_CASE(garbageCode79);
+ TEST_CASE(garbageCode80);
+ TEST_CASE(garbageCode81);
 TEST_CASE(garbageValueFlow);
 TEST_CASE(garbageSymbolDatabase);
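Review bot: The `return;` after `syntaxError(specEnd)` in the first lib/tokenize.cpp hunk is reachable only if syntaxError() can return normally; the garbageCode81 test added in test/testgarbage.cpp expects an InternalError for exactly this input, which suggests it throws, so the statement is either dead code or an intentional guard for a non-throwing build. If it is a guard, a one-line comment such as `// syntaxError() throws; the return keeps control flow explicit if it ever does not` would spare the next reader the same question. The surrounding loop body of simplifyTypedef starts and ends outside the hunk, so I cannot tell whether `tok` could already be null on the other path that reaches this check.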
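Review bot: In the third lib/tokenize.cpp hunk (simplifyTokenList2), `syntaxError(tok)` is called right after `tok` has been tested null, so the error is raised with no token to locate it in the input; the first hunk in this file passes the still-valid `specEnd` instead, and this guard should be equally informative. Testing before the assignment keeps a live token: `if (!tok->tokAt(5)) { syntaxError(tok); return false; }` followed by the existing `tok = tok->tokAt(5);`. The check itself is the right fix for the null dereference that malformed input (the garbageCode80 case) reaches through `tok->tokAt(5)`; as in the first hunk, `return false;` only matters if syntaxError() returns normally. The enclosing loop in simplifyTokenList2 starts and ends outside the hunk.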
@@ -655,6 +657,14 @@ private:
 ASSERT_THROW(checkCode("{ } { } typedef void ( func_type ) ( ) ; func_type & ( )"), InternalError);
 }
+ void garbageCode80() { // #6759
+ ASSERT_THROW(checkCode("( ) { ; ( ) ; ( * ) [ ] ; [ ] = ( ( ) ( ) h ) ! ( ( ) ) } { ; } { } head heads [ ] = ; = & heads [ 2 ]"), InternalError);
+ }
+
+ void garbageCode81() { // #6760
+ ASSERT_THROW(checkCode("{ } [ ] { ( ) } { } typedef void ( *fptr1 ) ( ) const"), InternalError);
+ }
+
 void garbageValueFlow() { // #6089
 const char* code = "{} int foo(struct, x1, struct x2, x3, int, x5, x6, x7)\n"