Fix #12510 fuzzing crash in SymbolDatabase::setValueTypeInTokenList()

danmar · Mar 20, 2024 · 07acbe9 · 07acbe9
1 parent e2081e8
commit 07acbe9
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 3 deletions.
diff --git a/lib/symboldatabase.cpp b/lib/symboldatabase.cpp
@@ -2558,11 +2558,11 @@ Function::Function(const Token *tok,
     }
 
     // class constructor/destructor
-    else if (((tokenDef->str() == scope->className) ||
+    else if (scope->isClassOrStructOrUnion() &&
+             ((tokenDef->str() == scope->className) ||
               (tokenDef->str().substr(0, scope->className.size()) == scope->className &&
                tokenDef->str().size() > scope->className.size() + 1 &&
-               tokenDef->str()[scope->className.size() + 1] == '<')) &&
-             scope->type != Scope::ScopeType::eNamespace) {
+               tokenDef->str()[scope->className.size() + 1] == '<'))) {
         // destructor
         if (tokenDef->previous()->str() == "~")
             type = Function::eDestructor;

diff --git a/test/cli/fuzz-crash/crash-69570c88fc79e9a66ce2f2c729b455eaa237f3d2 b/test/cli/fuzz-crash/crash-69570c88fc79e9a66ce2f2c729b455eaa237f3d2
@@ -0,0 +1 @@
+o oo(){extern oo();}
diff --git a/test/testsymboldatabase.cpp b/test/testsymboldatabase.cpp
@@ -2239,6 +2239,12 @@ class TestSymbolDatabase : public TestFixture {
             ASSERT(db && ctor && ctor->type == Function::eMoveConstructor);
             ASSERT(ctor && ctor->retDef == nullptr);
         }
+        {
+            GET_SYMBOL_DB("void f() { extern void f(); }");
+            ASSERT(db && db->scopeList.size() == 2);
+            const Function* f = findFunctionByName("f", &db->scopeList.back());
+            ASSERT(f && f->type == Function::eFunction);
+        }
     }
 
     void functionDeclarationTemplate() {