From 9fab9b94ca2e3f79dd9f0b93a7efe46ea9ddb3aa Mon Sep 17 00:00:00 2001
From: chrchr-github <78114321+chrchr-github@users.noreply.github.com>
Date: Wed, 24 Apr 2024 10:46:48 +0200
Subject: [PATCH] Fix #12643-46 fuzzing crashes (#6336)
---
 lib/tokenize.cpp | 6 ++++++
 .../crash-28733cc31fd7f5d636beeaa3fa2bc30779fc6487 | 1 +
 .../crash-3275671bf6888060270f902458ff36c711718e22 | 1 +
 .../crash-58e1517a74e314553e8eef249268cec29493235b | 1 +
 .../crash-a431ec7f7379fc460eaa6284627091ded6c0d696 | 1 +
 test/testgarbage.cpp | 6 +++---
 6 files changed, 13 insertions(+), 3 deletions(-)
 create mode 100644 test/cli/fuzz-crash/crash-28733cc31fd7f5d636beeaa3fa2bc30779fc6487
 create mode 100644 test/cli/fuzz-crash/crash-3275671bf6888060270f902458ff36c711718e22
 create mode 100644 test/cli/fuzz-crash/crash-58e1517a74e314553e8eef249268cec29493235b
 create mode 100644 test/cli/fuzz-crash/crash-a431ec7f7379fc460eaa6284627091ded6c0d696
diff --git a/lib/tokenize.cpp b/lib/tokenize.cpp
index e050508b5fc..5b63400d226 100644
--- a/lib/tokenize.cpp
+++ b/lib/tokenize.cpp
@@ -8690,6 +8690,12 @@ void Tokenizer::findGarbageCode() const
 syntaxError(tok);
 if (Token::Match(tok, "^ %op%") && !Token::Match(tok->next(), "[>*+-!~]"))
 syntaxError(tok);
+ if (Token::Match(tok, ": [)]=]"))
+ syntaxError(tok);
+ if (Token::Match(tok, "typedef [,;]"))
+ syntaxError(tok);
+ if (Token::Match(tok, "! %comp%"))
+ syntaxError(tok);
 if (tok->link() && Token::Match(tok, "[([]") && (!tok->tokAt(-1) || !tok->tokAt(-1)->isControlFlowKeyword())) {
 const Token* const end = tok->link();
diff --git a/test/cli/fuzz-crash/crash-28733cc31fd7f5d636beeaa3fa2bc30779fc6487 b/test/cli/fuzz-crash/crash-28733cc31fd7f5d636beeaa3fa2bc30779fc6487
new file mode 100644
index 00000000000..adf0f71ff8f
--- /dev/null
+++ b/test/cli/fuzz-crash/crash-28733cc31fd7f5d636beeaa3fa2bc30779fc6487
@@ -0,0 +1 @@
+assert({:=4;})
\ No newline at end of file
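Review bot: The three checks added to findGarbageCode() in the lib/tokenize.cpp hunk are unconditional, and nothing next to them says which input each one is meant to reject. The updated testgarbage expectations use `ASSERT_THROW_INTERNAL(..., SYNTAX)`, so a match throws rather than reporting and continuing; it would be worth confirming that none of these token pairs can reach this point from code a compiler accepts, for example a label handed to an unexpanded macro as in `MACRO(default:)`, since a false match would presumably end analysis of that file. A short comment above the block such as `// #12643-46: token pairs from fuzzer crash inputs (for(i:), {:=4;}, typedef, / typedef; and !!=)` would tie each pattern to the crash files added in this commit. The body of findGarbageCode() starts and ends outside the hunk.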
diff --git a/test/cli/fuzz-crash/crash-3275671bf6888060270f902458ff36c711718e22 b/test/cli/fuzz-crash/crash-3275671bf6888060270f902458ff36c711718e22
new file mode 100644
index 00000000000..c4057bba583
--- /dev/null
+++ b/test/cli/fuzz-crash/crash-3275671bf6888060270f902458ff36c711718e22
@@ -0,0 +1 @@
+v o(i a){$ i;for(i:)a=[]0;}
\ No newline at end of file
diff --git a/test/cli/fuzz-crash/crash-58e1517a74e314553e8eef249268cec29493235b b/test/cli/fuzz-crash/crash-58e1517a74e314553e8eef249268cec29493235b
new file mode 100644
index 00000000000..935f807a15f
--- /dev/null
+++ b/test/cli/fuzz-crash/crash-58e1517a74e314553e8eef249268cec29493235b
@@ -0,0 +1 @@
+n a(){!!=!!?:b}
\ No newline at end of file
diff --git a/test/cli/fuzz-crash/crash-a431ec7f7379fc460eaa6284627091ded6c0d696 b/test/cli/fuzz-crash/crash-a431ec7f7379fc460eaa6284627091ded6c0d696
new file mode 100644
index 00000000000..ee0a7d32082
--- /dev/null
+++ b/test/cli/fuzz-crash/crash-a431ec7f7379fc460eaa6284627091ded6c0d696
@@ -0,0 +1 @@
+{for(typedef,typedef;);}
\ No newline at end of file
diff --git a/test/testgarbage.cpp b/test/testgarbage.cpp
index a87452324e6..ca8e981fd1c 100644
--- a/test/testgarbage.cpp
+++ b/test/testgarbage.cpp
@@ -862,7 +862,7 @@ class TestGarbage : public TestFixture {
 ASSERT_THROW_INTERNAL_EQUALS(checkCode("{ xs :: i(:) ! ! x/5 ! !\n"
 "i, :: a :: b integer, } foo2(x) :: j(:)\n"
 "b type(*), d(:), a x :: end d(..), foo end\n"
- "foo4 b d(..), a a x type(*), b foo2 b"), INTERNAL, "Internal error. AST cyclic dependency.");
+ "foo4 b d(..), a a x type(*), b foo2 b"), SYNTAX, "syntax error");
 }
 void garbageCode100() { // #6840
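Review bot: With the expectation in the -862 hunk of test/testgarbage.cpp changed to `SYNTAX, "syntax error"`, this input no longer reaches the code that reports "Internal error. AST cyclic dependency.", so that guard loses the test that exercised it unless another case still triggers it. The same applies to the first assertion of garbageCode125 in the -987 hunk, which was the visible check for `UNKNOWN_MACRO` and now expects `SYNTAX`. If those later defences are meant to stay, it would help to keep one input per path that passes findGarbageCode() and still ends in the old error; whether such inputs exist elsewhere in the file cannot be seen from these hunks. The enclosing test function starts above the hunk.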
@@ -987,7 +987,7 @@ class TestGarbage : public TestFixture {
 }
 void garbageCode125() {
- ASSERT_THROW_INTERNAL(checkCode("{ T struct B : T valueA_AA ; } T : [ T > ( ) { B } template < T > struct A < > : ] { ( ) { return valueA_AC struct { : } } b A < int > AC ( ) a_aa.M ; ( ) ( ) }"), UNKNOWN_MACRO);
+ ASSERT_THROW_INTERNAL(checkCode("{ T struct B : T valueA_AA ; } T : [ T > ( ) { B } template < T > struct A < > : ] { ( ) { return valueA_AC struct { : } } b A < int > AC ( ) a_aa.M ; ( ) ( ) }"), SYNTAX);
 ASSERT_THROW_INTERNAL(checkCode("template < Types > struct S :{ ( S < ) S >} { ( ) { } } ( ) { return S < void > ( ) }"), SYNTAX);
 }
@@ -1661,7 +1661,7 @@ class TestGarbage : public TestFixture {
 void garbageCode206() {
 ASSERT_EQUALS("[test.cpp:1] syntax error: operator", getSyntaxError("void foo() { for (auto operator new : int); }"));
- ASSERT_EQUALS("[test.cpp:1] syntax error: operator", getSyntaxError("void foo() { for (a operator== :) }"));
+ ASSERT_EQUALS("[test.cpp:1] syntax error", getSyntaxError("void foo() { for (a operator== :) }"));
 }
 void garbageCode207() { // #8750
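Review bot: The second assertion of garbageCode206 in the -1661 hunk now pins the generic text `[test.cpp:1] syntax error` where the old expectation carried `syntax error: operator`, so for `for (a operator== :)` the user gets a less specific diagnostic than before. That suggests the new `: [)]=]` check in findGarbageCode() fires before the operator-specific report; if the detailed message is worth keeping, the new check could be placed after that report. At minimum a comment on the assertion, e.g. `// rejected by the ': )' check before the operator diagnostic`, would record that the change in wording is intended.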