#6749 segmentation fault (invalid code) in Tokenizer::copyTokens. #6750 segmentation fault (invalid code) in Tokenizer::simplifyTypedef.

2015-06-03 10:39:19 +02:00 · 2015-06-03 10:39:19 +02:00 · ed5a4127e8
parent d36c84553f
commit ed5a4127e8
2 changed files with 30 additions and 8 deletions
--- a/lib/tokenize.cpp
+++ b/lib/tokenize.cpp
@ -1349,11 +1349,18 @@ void Tokenizer::simplifyTypedef()
                            tok2 = tok2->next();
                            Token::createMutualLinks(tok2, tok3);
                        }
-
+                        if (!tok2) {
+                            syntaxError(nullptr);
+                            return;
+                        }
                        tok2 = copyTokens(tok2, argStart, argEnd);
-
-                        if (inTemplate)
+                        if (inTemplate) {
+                            if (!tok2) {
+                                syntaxError(nullptr);
+                                return;
+                            }
                            tok2 = tok2->next();
+                        }

                        if (specStart) {
                            Token *spec = specStart;
@ -1372,7 +1379,7 @@ void Tokenizer::simplifyTypedef()
                        tok2->insertToken("*");
                        tok2 = tok2->next();

-                        Token * tok4 = 0;
+                        Token * tok4 = nullptr;
                        if (functionPtrRetFuncPtr) {
                            tok2->insertToken("(");
                            tok2 = tok2->next();
@ -1486,7 +1493,10 @@ void Tokenizer::simplifyTypedef()
                                    tok2 = tok2->tokAt(2);
                                else
                                    tok2 = tok2->tokAt(3);
-
+                                if (!tok2) {
+                                    syntaxError(nullptr);
+                                    return;
+                                }
                                tok2->insertToken(")");
                                tok2 = tok2->next();
                                Token::createMutualLinks(tok2, tok3);
@ -1498,8 +1508,10 @@ void Tokenizer::simplifyTypedef()
                            }

                            tok2 = copyTokens(tok2, arrayStart, arrayEnd);
-                            if (!tok2->next())
+                            if (!tok2->next()) {
                                syntaxError(tok2);
+                                return;
+                            }
                            tok2 = tok2->next();

                            if (tok2->str() == "=") {
@ -1520,8 +1532,8 @@ void Tokenizer::simplifyTypedef()
            if (tok->str() == ";")
                done = true;
            else if (tok->str() == ",") {
-                arrayStart = 0;
-                arrayEnd = 0;
+                arrayStart = nullptr;
+                arrayEnd = nullptr;
                tokOffset = tok->next();
                pointers.clear();

--- a/test/testgarbage.cpp
+++ b/test/testgarbage.cpp
@ -110,6 +110,8 @@ private:
        TEST_CASE(garbageCode69);
        TEST_CASE(garbageCode70);
        TEST_CASE(garbageCode71);
+        TEST_CASE(garbageCode72);
+        TEST_CASE(garbageCode73);

        TEST_CASE(garbageValueFlow);
        TEST_CASE(garbageSymbolDatabase);
@ -615,6 +617,14 @@ private:
        ASSERT_THROW(checkCode("( ) { } typedef void noattr_t ( ) ; noattr_t __attribute__ ( )"), InternalError);
    }

+    void garbageCode72() { // #6749
+        ASSERT_THROW(checkCode("{ } { } typedef void voidfn(void); <voidfn&"), InternalError);
+    }
+
+    void garbageCode73() { // #6750
+        ASSERT_THROW(checkCode("typedef int IRT[2]; IRT&"), InternalError);
+    }
+
    void garbageValueFlow() {
        // #6089
        const char* code = "{} int foo(struct, x1, struct x2, x3, int, x5, x6, x7)\n"