From ed5a4127e80e5af1db5645d6c6c796baeefb1fe8 Mon Sep 17 00:00:00 2001
From: amai2012
Date: Wed, 3 Jun 2015 10:39:19 +0200
Subject: [PATCH] #6749 segmentation fault (invalid code) in Tokenizer::copyTokens. #6750 segmentation fault (invalid code) in Tokenizer::simplifyTypedef.

---
 lib/tokenize.cpp     | 28 ++++++++++++++++++++--------
 test/testgarbage.cpp | 10 ++++++++++
 2 files changed, 30 insertions(+), 8 deletions(-)

diff --git a/lib/tokenize.cpp b/lib/tokenize.cpp
index 8d25fe2b3..be1756918 100644
--- a/lib/tokenize.cpp
+++ b/lib/tokenize.cpp
@@ -1349,11 +1349,18 @@ void Tokenizer::simplifyTypedef()
                     tok2 = tok2->next();
                     Token::createMutualLinks(tok2, tok3);
                 }
-
+                if (!tok2) {
+                    syntaxError(nullptr);
+                    return;
+                }
                 tok2 = copyTokens(tok2, argStart, argEnd);
-
-                if (inTemplate)
+                if (inTemplate) {
+                    if (!tok2) {
+                        syntaxError(nullptr);
+                        return;
+                    }
                     tok2 = tok2->next();
+                }
                 if (specStart) {
                     Token *spec = specStart;
@@ -1372,7 +1379,7 @@ void Tokenizer::simplifyTypedef()
                 tok2->insertToken("*");
                 tok2 = tok2->next();
-                Token * tok4 = 0;
+                Token * tok4 = nullptr;
                 if (functionPtrRetFuncPtr) {
                     tok2->insertToken("(");
                     tok2 = tok2->next();
@@ -1486,7 +1493,10 @@ void Tokenizer::simplifyTypedef()
                         tok2 = tok2->tokAt(2);
                     else
                         tok2 = tok2->tokAt(3);
-
+                    if (!tok2) {
+                        syntaxError(nullptr);
+                        return;
+                    }
                     tok2->insertToken(")");
                     tok2 = tok2->next();
                     Token::createMutualLinks(tok2, tok3);
@@ -1498,8 +1508,10 @@ void Tokenizer::simplifyTypedef()
                 }
                 tok2 = copyTokens(tok2, arrayStart, arrayEnd);
-                if (!tok2->next())
+                if (!tok2->next()) {
                     syntaxError(tok2);
+                    return;
+                }
                 tok2 = tok2->next();
                 if (tok2->str() == "=") {
@@ -1520,8 +1532,8 @@ void Tokenizer::simplifyTypedef()
                 if (tok->str() == ";")
                     done = true;
                 else if (tok->str() == ",") {
-                    arrayStart = 0;
-                    arrayEnd = 0;
+                    arrayStart = nullptr;
+                    arrayEnd = nullptr;
                     tokOffset = tok->next();
                     pointers.clear();
diff --git a/test/testgarbage.cpp b/test/testgarbage.cpp
index dd1c354c5..eeb0b77c4 100644
--- a/test/testgarbage.cpp
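Review bot: The null check on the value returned by `copyTokens(tok2, argStart, argEnd)` sits inside `if (inTemplate)`, so on the non-template path a null result would flow on unchecked into the later `tok2->insertToken("*")` that appears as context in the next hunk; either copyTokens can return null, in which case the `if (!tok2) { syntaxError(nullptr); return; }` belongs directly after the copyTokens call with the original brace-less `if (inTemplate) tok2 = tok2->next();` restored below it, or it cannot, in which case the inner check is dead code. The fourth hunk dereferences the same call's result via `tok2->next()` with no check at all, which suggests the latter, but the two call sites should agree. `syntaxError(nullptr)` also throws without a location; if the typedef's start token (`tok`, used in the last hunk) is in scope here, `syntaxError(tok)` would point the diagnostic at the offending typedef instead of nowhere. The body of simplifyTypedef starts and ends outside this hunk.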
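Review bot: `if (!tok2->next())` dereferences the result of `copyTokens(tok2, arrayStart, arrayEnd)` without the null check the first hunk applies to the same call, and `tok2` is not checked before being passed as the destination either, unlike the guard the first hunk adds in front of its copyTokens call; if a null destination was the #6749 crash, this call site needs the same `if (!tok2) { syntaxError(nullptr); return; }` before the copyTokens line. The `return;` after `syntaxError(tok2)` looks unreachable if syntaxError throws, as the InternalError the new garbage tests expect suggests; it is harmless as a belt-and-braces exit, but a short comment such as `// syntaxError() throws; the return only documents that nothing below runs` would stop the next reader from hunting for a non-throwing path. simplifyTypedef continues on both sides of this hunk.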
+++ b/test/testgarbage.cpp
@@ -110,6 +110,8 @@ private:
         TEST_CASE(garbageCode69);
         TEST_CASE(garbageCode70);
         TEST_CASE(garbageCode71);
+        TEST_CASE(garbageCode72);
+        TEST_CASE(garbageCode73);
         TEST_CASE(garbageValueFlow);
         TEST_CASE(garbageSymbolDatabase);
@@ -615,6 +617,14 @@ private:
         ASSERT_THROW(checkCode("( ) { } typedef void noattr_t ( ) ; noattr_t __attribute__ ( )"), InternalError);
     }
+    void garbageCode72() { // #6749
+        ASSERT_THROW(checkCode("{ } { } typedef void voidfn(void);