#7236 segmentation fault (invalid code) in ValueFlow::setValues. #7237 segmentation fault (invalid code) in Tokenizer::setVarIdClassDeclaration

2015-12-26 23:51:10 +01:00 · 2015-12-26 23:51:10 +01:00 · e9635fd393
parent 081f443b2a
commit e9635fd393
4 changed files with 22 additions and 6 deletions
--- a/lib/tokenize.cpp
+++ b/lib/tokenize.cpp
@ -2618,6 +2618,8 @@ void Tokenizer::setVarIdClassDeclaration(Token * const startToken,
            if (indentlevel > 0 || initList) {
                if (Token::Match(tok->previous(), "::|.") && tok->strAt(-2) != "this" && !Token::simpleMatch(tok->tokAt(-5), "( * this ) ."))
                    continue;
+                if (!tok->next())
+                    syntaxError(nullptr); // #7237 invalid code
                if (tok->next()->str() == "::") {
                    if (tok->str() == className)
                        tok = tok->tokAt(2);
--- a/lib/tokenlist.cpp
+++ b/lib/tokenlist.cpp
@ -981,8 +981,8 @@ static Token * createAstAtToken(Token *tok, bool cpp)
        compileExpression(tok2, state2);

        Token * const semicolon2 = tok2;
-		if (!semicolon2)
-			return nullptr; // invalid code #7235
+        if (!semicolon2)
+            return nullptr; // invalid code #7235
        tok2 = tok2->next();
        AST_state state3(cpp);
        compileExpression(tok2, state3);
--- a/lib/valueflow.cpp
+++ b/lib/valueflow.cpp
@ -1384,6 +1384,8 @@ static bool valueFlowForward(Token * const               startToken,
            tok2 = tok2->next();
        }

+        if (!tok2) // invalid code #7236
+            return false;
        if (tok2->varId() == varid) {
            // bailout: assignment
            if (Token::Match(tok2->previous(), "!!* %name% %op%") && tok2->next()->isAssignmentOp()) {
--- a/test/testgarbage.cpp
+++ b/test/testgarbage.cpp
@ -212,8 +212,10 @@ private:
        TEST_CASE(garbageCode161); // #7200
        TEST_CASE(garbageCode162); // #7208
        TEST_CASE(garbageCode163); // #7228
-		TEST_CASE(garbageCode164); // #7234
-		TEST_CASE(garbageCode165); // #7235
+        TEST_CASE(garbageCode164); // #7234
+        TEST_CASE(garbageCode165); // #7235
+        TEST_CASE(garbageCode166); // #7236
+        TEST_CASE(garbageCode167); // #7237
        TEST_CASE(garbageValueFlow);
        TEST_CASE(garbageSymbolDatabase);
        TEST_CASE(garbageAST);
@ -1401,15 +1403,25 @@ private:
        ASSERT_THROW(checkCode("typedef s f[](){typedef d h(;f)}", false), InternalError);
    }

-	void garbageCode164() {
+    void garbageCode164() {
        //7234
        ASSERT_THROW(checkCode("class d{k p;}(){d::d():B<()}", false), InternalError);
    }

-	void garbageCode165() {
+    void garbageCode165() {
        //7235
        checkCode("for(;..)", false);
    }
+
+    void garbageCode166() {
+        //7236
+        checkCode("d a(){f s=0()8[]s?():0}*()?:0", false);
+    }
+
+    void garbageCode167() {
+        //7237
+        checkCode("class D00i000{:D00i000::}i", false);
+    }
 };

 REGISTER_TEST(TestGarbage)