From 22477ef823a9e347d3fd2e05f4ceec53eae5044e Mon Sep 17 00:00:00 2001
From: chrchr-github <78114321+chrchr-github@users.noreply.github.com>
Date: Fri, 31 May 2024 10:21:15 +0200
Subject: [PATCH] Fix #12790-93 fuzzing crashes (#6460)

---
 lib/templatesimplifier.cpp | 2 ++
 lib/tokenize.cpp | 22 ++++++++++---------
 ...h-0fc87af032255dddcea3248798a6e19ab49b231a | 1 +
 ...h-34c8d34fd4607de810d8d5bec881b40d37533181 | 1 +
 ...m-756ab636471bffa2430290f58776f1f6d8754ab1 | 1 +
 ...m-e19261c78d73cf172308f6c33df68642dfd7b679 | 1 +
 6 files changed, 18 insertions(+), 10 deletions(-)
 create mode 100644 test/cli/fuzz-crash/crash-0fc87af032255dddcea3248798a6e19ab49b231a
 create mode 100644 test/cli/fuzz-crash/crash-34c8d34fd4607de810d8d5bec881b40d37533181
 create mode 100644 test/cli/fuzz-timeout/oom-756ab636471bffa2430290f58776f1f6d8754ab1
 create mode 100644 test/cli/fuzz-timeout/oom-e19261c78d73cf172308f6c33df68642dfd7b679

diff --git a/lib/templatesimplifier.cpp b/lib/templatesimplifier.cpp
index c2785187449..fc6e7b585eb 100644
--- a/lib/templatesimplifier.cpp
+++ b/lib/templatesimplifier.cpp
@@ -833,6 +833,8 @@ void TemplateSimplifier::getTemplateInstantiations()
         } else if (Token::Match(tok->previous(), "(|{|}|;|=|>|<<|:|.|*|&|return|<|,|!|[ %name% ::|<|(") ||
                    Token::Match(tok->previous(), "%type% %name% ::|<") ||
                    Token::Match(tok->tokAt(-2), "[,:] private|protected|public %name% ::|<")) {
+            if (!tok->scopeInfo())
+                syntaxError(tok);
             std::string scopeName = tok->scopeInfo()->name;
             std::string qualification;
             Token * qualificationTok = tok;
diff --git a/lib/tokenize.cpp b/lib/tokenize.cpp
index 52d7cf54a06..5c54d057c90 100644
--- a/lib/tokenize.cpp
+++ b/lib/tokenize.cpp
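Review bot: The new guard turns a null `scopeInfo()` into a syntax error without saying why a token can reach this branch with no scope info attached; a one-line comment above it would help the next reader, e.g. `// garbage input (see the fuzz-crash fixtures) can leave tokens without scope info; report instead of dereferencing null`. The guard covers only the dereference on the following line; any later `tok->scopeInfo()->` use in getTemplateInstantiations, whose body starts and ends outside this hunk, is presumably still unguarded and worth a look. Reporting it as a syntax error is defensible for fuzzed input, but if scope info is expected to be populated for every token by this point, an internal-error report would locate the fault in cppcheck rather than in the analysed code.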
@@ -8708,7 +8708,8 @@ void Tokenizer::findGarbageCode() const
             syntaxError(tok);
         if (Token::Match(tok, "typedef [,;:]"))
             syntaxError(tok);
-        if (Token::Match(tok, "! %comp%"))
+        if (Token::Match(tok, "!|~ %comp%") &&
+            !(isCPP() && tok->strAt(1) == ">" && Token::simpleMatch(tok->tokAt(-1), "operator")))
             syntaxError(tok);
         if (Token::Match(tok, "] %name%") && (!isCPP() || !(tok->tokAt(-1) && Token::simpleMatch(tok->tokAt(-2), "delete [")))) {
             if (tok->next()->isUpperCaseName())
@@ -8784,24 +8785,25 @@ void Tokenizer::findGarbageCode() const
     for (const Token *tok = tokens(); tok; tok = tok->next()) {
         if (Token::simpleMatch(tok, "< >") && !(Token::Match(tok->tokAt(-1), "%name%") || (tok->tokAt(-1) && Token::Match(tok->tokAt(-2), "operator %op%"))))
             syntaxError(tok);
+        if (Token::simpleMatch(tok, ": template") && !Token::Match(tok->tokAt(-1), "public|private|protected"))
+            syntaxError(tok);
         if (!Token::simpleMatch(tok, "template <"))
             continue;
         if (!tok->tokAt(2) || tok->tokAt(2)->isLiteral())
             syntaxError(tok);
-        if (tok->previous() && !Token::Match(tok->previous(), ":|;|{|}|)|>|\"C++\"")) {
+        if (tok->previous() && !Token::Match(tok->previous(), ":|,|;|{|}|)|<|>|\"C++\"")) {
             if (tok->previous()->isUpperCaseName())
                 unknownMacroError(tok->previous());
             else
                 syntaxError(tok);
         }
-        const Token * const tok1 = tok;
-        tok = tok->next()->findClosingBracket();
-        if (!tok)
-            syntaxError(tok1);
-        if (!Token::Match(tok, ">|>> ::|...| %name%") &&
-            !Token::Match(tok, ">|>> [ [ %name%") &&
-            !Token::Match(tok, "> >|*"))
-            syntaxError(tok->next() ? tok->next() : tok1);
+        const Token * const tok1 = tok->next()->findClosingBracket();
+        if (!tok1)
+            syntaxError(tok);
+        if (!Token::Match(tok1, ">|>> ::|...| %name%") &&
+            !Token::Match(tok1, ">|>> [ [ %name%") &&
+            !Token::Match(tok1, "> >|*"))
+            syntaxError(tok1->next() ? tok1->next() : tok);
     }
 }
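Review bot: The exemption added to the `!|~ %comp%` check whitelists only a following `>`, so a call with explicit template arguments such as `operator~<T>(x)` (tokens `operator ~ <`) would presumably still be reported as a syntax error; `!` was already treated that way before this change, but `~` is newly covered, so if that form matters the pattern should be `<|>` rather than `>` alone. As a point of style, the three-part condition can use the file's own matcher idiom, `!(isCPP() && Token::Match(tok->tokAt(-1), "operator !|~ >"))`, which is equivalent (Token::Match handles a null previous token the same way simpleMatch does) and keeps the whole shape in one pattern. findGarbageCode's body starts before and continues after this hunk.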
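Review bot: The new `: template` check has no `isCPP()` guard, while the `] %name%` check earlier in this function shows findGarbageCode also runs on C input, where `template` is an ordinary identifier and `c ? a : template` or a bit-field width `int x : template;` is legal; unless the loop is already C++-only somewhere outside the hunk, prefix it with `isCPP() &&`: `if (isCPP() && Token::simpleMatch(tok, ": template") && !Token::Match(tok->tokAt(-1), "public|private|protected"))`. The change to the allowed-predecessor list (`,` and `<`) and the removal of the `tok = ...findClosingBracket()` skip are coupled — once the loop no longer jumps past the parameter list, the `template <` of a template template parameter is visited and its previous token is `<` or `,` — and that coupling deserves a comment on the pattern line, e.g. `// '<' and ',' precede the "template <" of a template template parameter, which this loop now visits`. findGarbageCode's body starts before this hunk.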
diff --git a/test/cli/fuzz-crash/crash-0fc87af032255dddcea3248798a6e19ab49b231a b/test/cli/fuzz-crash/crash-0fc87af032255dddcea3248798a6e19ab49b231a
new file mode 100644
index 00000000000..46f648c018c
--- /dev/null
+++ b/test/cli/fuzz-crash/crash-0fc87af032255dddcea3248798a6e19ab49b231a
@@ -0,0 +1 @@
+{template<~>tu<0>}tu=ce=c>n
\ No newline at end of file
diff --git a/test/cli/fuzz-timeout/oom-756ab636471bffa2430290f58776f1f6d8754ab1 b/test/cli/fuzz-timeout/oom-756ab636471bffa2430290f58776f1f6d8754ab1
new file mode 100644
index 00000000000..a945de7b7c4
--- /dev/null
+++ b/test/cli/fuzz-timeout/oom-756ab636471bffa2430290f58776f1f6d8754ab1
@@ -0,0 +1 @@
+template< <>t=t<>>d
\ No newline at end of file
diff --git a/test/cli/fuzz-timeout/oom-e19261c78d73cf172308f6c33df68642dfd7b679 b/test/cli/fuzz-timeout/oom-e19261c78d73cf172308f6c33df68642dfd7b679
new file mode 100644
index 00000000000..f0d2b9c00b2
--- /dev/null
+++ b/test/cli/fuzz-timeout/oom-e19261c78d73cf172308f6c33df68642dfd7b679
@@ -0,0 +1 @@
+template<~>tu<2>tu=