From 9e548affa42fb3884c6d109eeb550dfebe4946c9 Mon Sep 17 00:00:00 2001
From: chrchr-github <78114321+chrchr-github@users.noreply.github.com>
Date: Thu, 20 Jun 2024 10:43:04 +0200
Subject: [PATCH] Fix #12851 fuzzing crash in Tokenizer::simplifyTypedef() (#6535)

---
 lib/tokenize.cpp | 8 +++++++-
 .../crash-44b5d1f53328660cbcb6e90793eae2ff8ffc4893 | 1 +
 2 files changed, 8 insertions(+), 1 deletion(-)
 create mode 100644 test/cli/fuzz-crash/crash-44b5d1f53328660cbcb6e90793eae2ff8ffc4893

diff --git a/lib/tokenize.cpp b/lib/tokenize.cpp
index 8278cc29dd3..5f9ee4809a7 100644
--- a/lib/tokenize.cpp
+++ b/lib/tokenize.cpp
@@ -860,6 +860,10 @@ namespace {
 Token::createMutualLinks(tok3->next(), after->previous());
 }
 }
+ if (!after) {
+ mReplaceFailed = true;
+ return;
+ }
 bool useAfterVarRange = true;
 if (Token::simpleMatch(mRangeAfterVar.first, "[")) {
@@ -1124,7 +1128,9 @@ void Tokenizer::simplifyTypedef()
 {
 // remove typedefs
 for (auto &t: typedefs) {
- if (!t.second.replaceFailed()) {
+ if (t.second.replaceFailed()) {
+ syntaxError(t.second.getTypedefToken());
+ } else {
 const Token* const typedefToken = t.second.getTypedefToken();
 TypedefInfo typedefInfo;
 typedefInfo.name = t.second.name();
diff --git a/test/cli/fuzz-crash/crash-44b5d1f53328660cbcb6e90793eae2ff8ffc4893 b/test/cli/fuzz-crash/crash-44b5d1f53328660cbcb6e90793eae2ff8ffc4893
new file mode 100644
index 00000000000..c45497a8601
--- /dev/null
+++ b/test/cli/fuzz-crash/crash-44b5d1f53328660cbcb6e90793eae2ff8ffc4893
@@ -0,0 +1 @@
+typedef q r[];r A
\ No newline at end of file
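Review bot: The new `if (!after)` guard sits after the block whose context line calls `Token::createMutualLinks(tok3->next(), after->previous())`, so if that branch can run with `after == nullptr` the dereference still happens before the guard; the condition that encloses that call is outside the hunk, as is the start and end of the function, so I cannot tell from here whether it already excludes a null `after`. If it does not, the guard should move ahead of that block. In either case the early return leaves whatever rewriting this function has already done in place, and the bail-out deserves a why-comment, e.g. `// no token follows the typedef use; flag the failure and let simplifyTypedef() reject the input`, so the next reader knows mReplaceFailed is checked by the caller rather than a silent no-op.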
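Review bot: The new `syntaxError(t.second.getTypedefToken())` branch is undocumented; if `syntaxError()` throws, as I believe it does elsewhere in this tokenizer, the first failed replacement aborts the loop and the remaining entries of `typedefs` are neither processed nor reported, and the diagnostic points at the typedef declaration rather than at the use where the replacement gave up. That is presumably the intended outcome for malformed input, but it is worth stating, e.g. `// replacement bailed out (see TypedefSimplifier::replace); reject the file rather than continue on a half-rewritten token list`. The loop body continues outside the hunk, so I cannot see whether anything after this point assumes every typedef was handled.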