Skip to content

Commit

Permalink
Fix #12790-93 fuzzing crashes (danmar#6460)
Browse files Browse the repository at this point in the history
  • Loading branch information
@chrchr-github
chrchr-github authored May 31, 2024
1 parent 448b951 commit 22477ef
Show file tree
Hide file tree
Showing 6 changed files with 18 additions and 10 deletions.
2 changes: 2 additions & 0 deletions lib/templatesimplifier.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -833,6 +833,8 @@ void TemplateSimplifier::getTemplateInstantiations()
} else if (Token::Match(tok->previous(), "(|{|}|;|=|>|<<|:|.|*|&|return|<|,|!|[ %name% ::|<|(") ||
Token::Match(tok->previous(), "%type% %name% ::|<") ||
Token::Match(tok->tokAt(-2), "[,:] private|protected|public %name% ::|<")) {
if (!tok->scopeInfo())
syntaxError(tok);
std::string scopeName = tok->scopeInfo()->name;
std::string qualification;
Token * qualificationTok = tok;
Expand Down
22 changes: 12 additions & 10 deletions lib/tokenize.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8708,7 +8708,8 @@ void Tokenizer::findGarbageCode() const
syntaxError(tok);
if (Token::Match(tok, "typedef [,;:]"))
syntaxError(tok);
if (Token::Match(tok, "! %comp%"))
if (Token::Match(tok, "!|~ %comp%") &&
!(isCPP() && tok->strAt(1) == ">" && Token::simpleMatch(tok->tokAt(-1), "operator")))
syntaxError(tok);
if (Token::Match(tok, "] %name%") && (!isCPP() || !(tok->tokAt(-1) && Token::simpleMatch(tok->tokAt(-2), "delete [")))) {
if (tok->next()->isUpperCaseName())
Expand Down Expand Up @@ -8784,24 +8785,25 @@ void Tokenizer::findGarbageCode() const
for (const Token *tok = tokens(); tok; tok = tok->next()) {
if (Token::simpleMatch(tok, "< >") && !(Token::Match(tok->tokAt(-1), "%name%") || (tok->tokAt(-1) && Token::Match(tok->tokAt(-2), "operator %op%"))))
syntaxError(tok);
if (Token::simpleMatch(tok, ": template") && !Token::Match(tok->tokAt(-1), "public|private|protected"))
syntaxError(tok);
if (!Token::simpleMatch(tok, "template <"))
continue;
if (!tok->tokAt(2) || tok->tokAt(2)->isLiteral())
syntaxError(tok);
if (tok->previous() && !Token::Match(tok->previous(), ":|;|{|}|)|>|\"C++\"")) {
if (tok->previous() && !Token::Match(tok->previous(), ":|,|;|{|}|)|<|>|\"C++\"")) {
if (tok->previous()->isUpperCaseName())
unknownMacroError(tok->previous());
else
syntaxError(tok);
}
const Token * const tok1 = tok;
tok = tok->next()->findClosingBracket();
if (!tok)
syntaxError(tok1);
if (!Token::Match(tok, ">|>> ::|...| %name%") &&
!Token::Match(tok, ">|>> [ [ %name%") &&
!Token::Match(tok, "> >|*"))
syntaxError(tok->next() ? tok->next() : tok1);
const Token * const tok1 = tok->next()->findClosingBracket();
if (!tok1)
syntaxError(tok);
if (!Token::Match(tok1, ">|>> ::|...| %name%") &&
!Token::Match(tok1, ">|>> [ [ %name%") &&
!Token::Match(tok1, "> >|*"))
syntaxError(tok1->next() ? tok1->next() : tok);
}
}

Expand Down
1 change: 1 addition & 0 deletions test/cli/fuzz-crash/crash-0fc87af032255dddcea3248798a6e19ab49b231a
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
{template<~>tu<0>}tu=c<F
1 change: 1 addition & 0 deletions test/cli/fuzz-crash/crash-34c8d34fd4607de810d8d5bec881b40d37533181
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
t<e<:template<>e=c>n
1 change: 1 addition & 0 deletions test/cli/fuzz-timeout/oom-756ab636471bffa2430290f58776f1f6d8754ab1
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
template< <>t=t<>>d
1 change: 1 addition & 0 deletions test/cli/fuzz-timeout/oom-e19261c78d73cf172308f6c33df68642dfd7b679
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
template<~>tu<2>tu=<tu<0&tu<0&n

0 comments on commit 22477ef

Please sign in to comment.