From c047fae53b5a2ba5d74082ac68ef0b9f665896c6 Mon Sep 17 00:00:00 2001
From: Alexander Mai
Date: Thu, 25 Jun 2015 07:47:40 +0200
Subject: [PATCH] #6790 segmentation fault (invalid code) in Tokenizer::simplifyTypedef. Fix null pointer access
---
 lib/tokenize.cpp | 19 ++++++++++++++++---
 test/testgarbage.cpp | 5 +++++
 2 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/lib/tokenize.cpp b/lib/tokenize.cpp
index 3a5222112..efe4f5c7f 100644
--- a/lib/tokenize.cpp
+++ b/lib/tokenize.cpp
@@ -954,10 +954,16 @@ void Tokenizer::simplifyTypedef()
 typeName = tokOffset->tokAt(-2);
 argStart = tokOffset;
 argEnd = tokOffset->link();
-
+ if (!argEnd) {
+ syntaxError(arrayStart);
+ return;
+ }
 argFuncRetStart = argEnd->tokAt(2);
 argFuncRetEnd = argFuncRetStart->link();
-
+ if (!argFuncRetEnd) {
+ syntaxError(argFuncRetStart);
+ return;
+ }
 tok = argFuncRetEnd->next();
 }
 
@@ -990,7 +996,10 @@ void Tokenizer::simplifyTypedef()
 typeName = tokOffset->tokAt(-2);
 argStart = tokOffset;
 argEnd = tokOffset->link();
-
+ if (!argEnd) {
+ syntaxError(arrayStart);
+ return;
+ }
 argFuncRetStart = argEnd->tokAt(2);
 if (!argFuncRetStart) {
 syntaxError(tokOffset);
@@ -1012,6 +1021,10 @@ void Tokenizer::simplifyTypedef()
 typeName = tokOffset;
 arrayStart = tokOffset->tokAt(2);
 arrayEnd = arrayStart->link();
+ if (!arrayEnd) {
+ syntaxError(arrayStart);
+ return;
+ }
 tok = arrayEnd->next();
 }
 
diff --git a/test/testgarbage.cpp b/test/testgarbage.cpp
index b540f7247..444286f94 100644
--- a/test/testgarbage.cpp
+++ b/test/testgarbage.cpp
@@ -129,6 +129,7 @@ private:
 TEST_CASE(garbageCode87);
 TEST_CASE(garbageCode88);
 TEST_CASE(garbageCode89);
+ TEST_CASE(garbageCode90);
 TEST_CASE(garbageValueFlow);
 TEST_CASE(garbageSymbolDatabase);
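Review bot: `argFuncRetStart = argEnd->tokAt(2)` is still dereferenced unchecked on the very next line of the first hunk; Token::tokAt yields a null pointer when the token list ends early, so a typedef truncated right after the argument list crashes there exactly as the unguarded link() calls did, while the second hunk does add `if (!argFuncRetStart)` for the same expression. Add `if (!argFuncRetStart) { syntaxError(tokOffset); return; }` before the `->link()` call so malformed input is reported as a syntax error instead of becoming a null dereference. Both new `if (!argEnd)` guards (first and second hunk) report `syntaxError(arrayStart)`, but arrayStart appears to belong to the array branch of the third hunk and does not look assigned on these paths, so the reported location should presumably be `argStart` (or tokOffset, as the adjacent check uses) — worth confirming against the declarations earlier in simplifyTypedef, which begins and ends outside the hunk. For an analyzer run over untrusted source this is the difference between a reported InternalError and a crash.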
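Review bot: `arrayEnd = arrayStart->link()` in the third hunk still dereferences `arrayStart = tokOffset->tokAt(2)` without a null check, and the new guard only covers the case where the token exists but carries no link. Unless the Match guarding this branch (outside the hunk) guarantees at least two more tokens, a typedef cut off after the name leaves arrayStart null and faults before the new check runs; `if (!arrayStart) { syntaxError(tokOffset); return; }` ahead of the link() call would close that gap. simplifyTypedef begins and ends outside the hunk, so this is an inference from the visible lines only.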
@@ -707,6 +708,10 @@ private:
 ASSERT_THROW(checkCode("{ { ( ) } P ( ) ^ { } { } { } ( ) } 0"), InternalError); // do not crash
 }
+ void garbageCode90() { // #6790
+ ASSERT_THROW(checkCode("{ } { } typedef int u_array [[ ] ; typedef u_array & u_array_ref] ( ) { } u_array_ref_gbl_obj0"), InternalError); // do not crash
+ }
+
 void garbageValueFlow() { // #6089
 const char* code = "{} int foo(struct, x1, struct x2, x3, int, x5, x6, x7)\n"