From a91edcfef03150eba2370c367aa39cf1c7a9a76a Mon Sep 17 00:00:00 2001
From: chrchr-github <78114321+chrchr-github@users.noreply.github.com>
Date: Thu, 2 May 2024 21:56:12 +0200
Subject: [PATCH] Fix #12689, #12690 fuzzing crashes (#6370)
---
Makefile | 2 +-
lib/tokenize.cpp | 12 ++++++++++++
oss-fuzz/Makefile | 2 +-
.../crash-faa56134676fb5d021ad69c8ac526d65debcfdb1 | 1 +
.../timeout-98121de84d1c09fdfd3697cdedcdd69bf6abc15d | 1 +
test/testgarbage.cpp | 1 -
test/testsimplifytypedef.cpp | 2 +-
7 files changed, 17 insertions(+), 4 deletions(-)
create mode 100644 test/cli/fuzz-crash/crash-faa56134676fb5d021ad69c8ac526d65debcfdb1
create mode 100644 test/cli/fuzz-timeout/timeout-98121de84d1c09fdfd3697cdedcdd69bf6abc15d
diff --git a/Makefile b/Makefile
index 6dc456220e3..861d4ec2fe9 100644
--- a/Makefile
+++ b/Makefile
@@ -463,7 +463,7 @@ validateRules: $(libcppdir)/valueflow.o: lib/valueflow.cpp lib/addoninfo.h lib/analyzer.h lib/astutils.h lib/calculate.h lib/check.h lib/checkuninitvar.h lib/color.h lib/config.h lib/errorlogger.h lib/errortypes.h lib/findtoken.h lib/forwardanalyzer.h lib/infer.h lib/library.h lib/mathlib.h lib/path.h lib/platform.h lib/programmemory.h lib/reverseanalyzer.h lib/settings.h lib/smallvector.h lib/sourcelocation.h lib/standards.h lib/suppressions.h lib/symboldatabase.h lib/templatesimplifier.h lib/timer.h lib/token.h lib/tokenize.h lib/tokenlist.h lib/utils.h lib/valueflow.h lib/valueptr.h lib/vfvalue.h $(CXX) ${INCLUDE_FOR_LIB} $(CPPFLAGS) $(CXXFLAGS) -c -o $@ $(libcppdir)/valueflow.cpp -$(libcppdir)/tokenize.o: lib/tokenize.cpp externals/simplecpp/simplecpp.h lib/addoninfo.h lib/color.h lib/config.h lib/errorlogger.h lib/errortypes.h lib/library.h lib/mathlib.h lib/path.h lib/platform.h lib/preprocessor.h lib/settings.h lib/sourcelocation.h lib/standards.h lib/summaries.h lib/suppressions.h lib/symboldatabase.h lib/templatesimplifier.h lib/timer.h lib/token.h lib/tokenize.h lib/tokenlist.h lib/utils.h lib/valueflow.h lib/vfvalue.h +$(libcppdir)/tokenize.o: lib/tokenize.cpp externals/simplecpp/simplecpp.h lib/addoninfo.h lib/astutils.h lib/color.h lib/config.h lib/errorlogger.h lib/errortypes.h lib/library.h lib/mathlib.h lib/path.h lib/platform.h lib/preprocessor.h lib/settings.h lib/smallvector.h lib/sourcelocation.h lib/standards.h lib/summaries.h lib/suppressions.h lib/symboldatabase.h lib/templatesimplifier.h lib/timer.h lib/token.h lib/tokenize.h lib/tokenlist.h lib/utils.h lib/valueflow.h lib/vfvalue.h $(CXX) ${INCLUDE_FOR_LIB} $(CPPFLAGS) $(CXXFLAGS) -c -o $@ $(libcppdir)/tokenize.cpp $(libcppdir)/symboldatabase.o: lib/symboldatabase.cpp lib/addoninfo.h lib/astutils.h lib/color.h lib/config.h lib/errorlogger.h lib/errortypes.h lib/keywords.h lib/library.h lib/mathlib.h lib/path.h lib/platform.h lib/settings.h lib/smallvector.h 
lib/sourcelocation.h lib/standards.h lib/suppressions.h lib/symboldatabase.h lib/templatesimplifier.h lib/token.h lib/tokenize.h lib/tokenlist.h lib/utils.h lib/valueflow.h lib/vfvalue.h
diff --git a/lib/tokenize.cpp b/lib/tokenize.cpp
index c54bc1ef688..432d43f4463 100644
--- a/lib/tokenize.cpp
+++ b/lib/tokenize.cpp
@@ -19,6 +19,7 @@
//---------------------------------------------------------------------------
#include "tokenize.h"
+#include "astutils.h"
#include "errorlogger.h"
#include "errortypes.h"
#include "library.h"
@@ -8721,8 +8722,19 @@ void Tokenizer::findGarbageCode() const
}
}
}
+
if ((!isCPP() || !Token::simpleMatch(tok->previous(), "operator")) && Token::Match(tok, "[,;] ,"))
syntaxError(tok);
+ if (tok->str() == "typedef") {
+ for (const Token* tok2 = tok->next(); tok2 && tok2->str() != ";"; tok2 = tok2->next()) {
+ if (isUnevaluated(tok2)) {
+ tok2 = tok2->linkAt(1);
+ continue;
+ }
+ if (!tok2->next() || tok2->isControlFlowKeyword() || Token::Match(tok2, "typedef|static|."))
+ syntaxError(tok);
+ }
+ }
}
// ternary operator without :
diff --git a/oss-fuzz/Makefile b/oss-fuzz/Makefile
index 44718ef91bf..28d750ef287 100644
--- a/oss-fuzz/Makefile
+++ b/oss-fuzz/Makefile
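Review bot: The new typedef scan in findGarbageCode walks every token up to the next `;` without skipping brace-delimited bodies, so well-formed C++ such as `typedef struct { int f() { return 0; } } T;` or `typedef struct { static int x; } T;` reaches `tok2->isControlFlowKeyword()` / the `static` alternative and throws syntaxError (assuming isControlFlowKeyword covers `return`, as its name suggests). Because this runs on every translation unit cppcheck analyses, a hardening check that rejects legal input trades a fuzz crash for a spurious "syntax error" on real projects. Consider jumping over a body that belongs to a class-key declaration, keeping the bare `typedef { f }` case rejected via `!tok2->next()`: `if (tok2->str() == "{" && tok2->link() && (Token::Match(tok2->previous(), "struct|class|union|enum") || Token::Match(tok2->tokAt(-2), "struct|class|union|enum"))) {` / `    tok2 = tok2->link(); continue;` / `}` — links should already exist here given the `linkAt(1)` use on the line above. findGarbageCode's body begins and ends outside this hunk.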
@@ -142,7 +142,7 @@ tinyxml2.o: ../externals/tinyxml2/tinyxml2.cpp ../externals/tinyxml2/tinyxml2.h $(libcppdir)/valueflow.o: ../lib/valueflow.cpp ../lib/addoninfo.h ../lib/analyzer.h ../lib/astutils.h ../lib/calculate.h ../lib/check.h ../lib/checkuninitvar.h ../lib/color.h ../lib/config.h ../lib/errorlogger.h ../lib/errortypes.h ../lib/findtoken.h ../lib/forwardanalyzer.h ../lib/infer.h ../lib/library.h ../lib/mathlib.h ../lib/path.h ../lib/platform.h ../lib/programmemory.h ../lib/reverseanalyzer.h ../lib/settings.h ../lib/smallvector.h ../lib/sourcelocation.h ../lib/standards.h ../lib/suppressions.h ../lib/symboldatabase.h ../lib/templatesimplifier.h ../lib/timer.h ../lib/token.h ../lib/tokenize.h ../lib/tokenlist.h ../lib/utils.h ../lib/valueflow.h ../lib/valueptr.h ../lib/vfvalue.h $(CXX) ${LIB_FUZZING_ENGINE} $(CPPFLAGS) $(CXXFLAGS) -c -o $@ $(libcppdir)/valueflow.cpp -$(libcppdir)/tokenize.o: ../lib/tokenize.cpp ../externals/simplecpp/simplecpp.h ../lib/addoninfo.h ../lib/color.h ../lib/config.h ../lib/errorlogger.h ../lib/errortypes.h ../lib/library.h ../lib/mathlib.h ../lib/path.h ../lib/platform.h ../lib/preprocessor.h ../lib/settings.h ../lib/sourcelocation.h ../lib/standards.h ../lib/summaries.h ../lib/suppressions.h ../lib/symboldatabase.h ../lib/templatesimplifier.h ../lib/timer.h ../lib/token.h ../lib/tokenize.h ../lib/tokenlist.h ../lib/utils.h ../lib/valueflow.h ../lib/vfvalue.h +$(libcppdir)/tokenize.o: ../lib/tokenize.cpp ../externals/simplecpp/simplecpp.h ../lib/addoninfo.h ../lib/astutils.h ../lib/color.h ../lib/config.h ../lib/errorlogger.h ../lib/errortypes.h ../lib/library.h ../lib/mathlib.h ../lib/path.h ../lib/platform.h ../lib/preprocessor.h ../lib/settings.h ../lib/smallvector.h ../lib/sourcelocation.h ../lib/standards.h ../lib/summaries.h ../lib/suppressions.h ../lib/symboldatabase.h ../lib/templatesimplifier.h ../lib/timer.h ../lib/token.h ../lib/tokenize.h ../lib/tokenlist.h ../lib/utils.h ../lib/valueflow.h ../lib/vfvalue.h $(CXX) 
${LIB_FUZZING_ENGINE} $(CPPFLAGS) $(CXXFLAGS) -c -o $@ $(libcppdir)/tokenize.cpp $(libcppdir)/symboldatabase.o: ../lib/symboldatabase.cpp ../lib/addoninfo.h ../lib/astutils.h ../lib/color.h ../lib/config.h ../lib/errorlogger.h ../lib/errortypes.h ../lib/keywords.h ../lib/library.h ../lib/mathlib.h ../lib/path.h ../lib/platform.h ../lib/settings.h ../lib/smallvector.h ../lib/sourcelocation.h ../lib/standards.h ../lib/suppressions.h ../lib/symboldatabase.h ../lib/templatesimplifier.h ../lib/token.h ../lib/tokenize.h ../lib/tokenlist.h ../lib/utils.h ../lib/valueflow.h ../lib/vfvalue.h
diff --git a/test/cli/fuzz-crash/crash-faa56134676fb5d021ad69c8ac526d65debcfdb1 b/test/cli/fuzz-crash/crash-faa56134676fb5d021ad69c8ac526d65debcfdb1
new file mode 100644
index 00000000000..26613dccc82
--- /dev/null
+++ b/test/cli/fuzz-crash/crash-faa56134676fb5d021ad69c8ac526d65debcfdb1
@@ -0,0 +1 @@
+{for(typedef U typedef{};);}
\ No newline at end of file
diff --git a/test/cli/fuzz-timeout/timeout-98121de84d1c09fdfd3697cdedcdd69bf6abc15d b/test/cli/fuzz-timeout/timeout-98121de84d1c09fdfd3697cdedcdd69bf6abc15d
new file mode 100644
index 00000000000..aad51f01fe5
--- /dev/null
+++ b/test/cli/fuzz-timeout/timeout-98121de84d1c09fdfd3697cdedcdd69bf6abc15d
@@ -0,0 +1 @@
+typedef static i i,n.i
\ No newline at end of file
diff --git a/test/testgarbage.cpp b/test/testgarbage.cpp
index 15c42f46964..1850d594345 100644
--- a/test/testgarbage.cpp
+++ b/test/testgarbage.cpp
@@ -767,7 +767,6 @@ class TestGarbage : public TestFixture {
void garbageCode74() { // #6751
ASSERT_THROW_INTERNAL(checkCode("_lenraw(const char* digits) { } typedef decltype(sizeof(0)) { } operator"), SYNTAX);
- ignore_errout(); // we do not care about the output
}
void garbageCode76() { // #6754
diff --git a/test/testsimplifytypedef.cpp b/test/testsimplifytypedef.cpp
index 44abd19da3c..37496dfe339 100644
--- a/test/testsimplifytypedef.cpp
+++ b/test/testsimplifytypedef.cpp
@@ -2516,7 +2516,7 @@ class TestSimplifyTypedef : public TestFixture {
void simplifyTypedef106() { // ticket #3619 (segmentation fault)
const char code[] = "typedef void f ();\ntypedef { f }";
- ASSERT_THROW_INTERNAL_EQUALS(tok(code), INTERNAL, "Internal error. AST cyclic dependency.");
+ ASSERT_THROW_INTERNAL(tok(code), SYNTAX);
}
void simplifyTypedef107() { // ticket #3963 (bad code => segmentation fault)
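Review bot: The new SYNTAX expectation holds only because `}` is the last token of the input, so the typedef scan's `!tok2->next()` test fires; nothing here pins that `typedef { f }` itself is rejected, and a terminated variant would pass through the scan untouched and land on whatever path produced the original #3619 cyclic-dependency failure. A second assertion on the terminated form, `ASSERT_THROW_INTERNAL(tok("typedef void f ();\ntypedef { f };"), SYNTAX);`, would keep the regression coverage the ticket was about, if that input is in fact still rejected; I cannot confirm from the hunk what it does today. The test fixture class begins outside this hunk.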