Fix #12851 fuzzing crash in Tokenizer::simplifyTypedef() (#6535)

danmar · Jun 20, 2024 · 9e548af · 9e548af
1 parent 3410d1b
commit 9e548af
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 1 deletion.
diff --git a/lib/tokenize.cpp b/lib/tokenize.cpp
@@ -860,6 +860,10 @@ namespace {
                     Token::createMutualLinks(tok3->next(), after->previous());
                 }
             }
+            if (!after) {
+                mReplaceFailed = true;
+                return;
+            }
 
             bool useAfterVarRange = true;
             if (Token::simpleMatch(mRangeAfterVar.first, "[")) {
@@ -1124,7 +1128,9 @@ void Tokenizer::simplifyTypedef()
     {
         // remove typedefs
         for (auto &t: typedefs) {
-            if (!t.second.replaceFailed()) {
+            if (t.second.replaceFailed()) {
+                syntaxError(t.second.getTypedefToken());
+            } else {
                 const Token* const typedefToken = t.second.getTypedefToken();
                 TypedefInfo typedefInfo;
                 typedefInfo.name = t.second.name();

diff --git a/test/cli/fuzz-crash/crash-44b5d1f53328660cbcb6e90793eae2ff8ffc4893 b/test/cli/fuzz-crash/crash-44b5d1f53328660cbcb6e90793eae2ff8ffc4893
@@ -0,0 +1 @@
+typedef q r[];r A