Fix #12492 fuzzing crash (stack overflow) in CheckLeakAutoVar::checkT…

…okenInsideExpression() (#6123)
danmar · Mar 18, 2024 · dec193c · dec193c
1 parent 00c756a
commit dec193c
Show file tree

Hide file tree

Showing 4 changed files with 35 additions and 5 deletions.
diff --git a/lib/tokenlist.cpp b/lib/tokenlist.cpp
@@ -492,6 +492,9 @@ static bool iscast(const Token *tok, bool cpp)
     if (Token::simpleMatch(tok->link(), ") ( )"))
         return false;
 
+    if (Token::Match(tok->link(), ") %assign%|,|..."))
+        return false;
+
     if (tok->previous() && tok->previous()->isName() && tok->previous()->str() != "return" &&
         (!cpp || !Token::Match(tok->previous(), "delete|throw")))
         return false;
@@ -1817,9 +1820,13 @@ void TokenList::validateAst(bool print) const
             tok = tok->link();
             continue;
         }
-        if (tok->isCast() && tok->astOperand1() && tok->link()) { // skip casts (not part of the AST)
-            tok = tok->link();
-            continue;
+        if (tok->isCast()) {
+            if (!tok->astOperand2() && precedes(tok->astOperand1(), tok))
+                throw InternalError(tok, "AST broken: '" + tok->str() + "' has improper operand.", InternalError::AST);
+            if (tok->astOperand1() && tok->link()) { // skip casts (not part of the AST)
+                tok = tok->link();
+                continue;
+            }
         }
 
         if (findLambdaEndToken(tok)) { // skip lambda captures

diff --git a/test/cli/fuzz-crash/crash-d6609399a4398aed92f5ac9e53aa0554d9f8bbd6 b/test/cli/fuzz-crash/crash-d6609399a4398aed92f5ac9e53aa0554d9f8bbd6
@@ -0,0 +1 @@
+_(){w((char)=e)}
diff --git a/test/testsimplifytypedef.cpp b/test/testsimplifytypedef.cpp
@@ -214,6 +214,7 @@ class TestSimplifyTypedef : public TestFixture {
         TEST_CASE(simplifyTypedef147);
         TEST_CASE(simplifyTypedef148);
         TEST_CASE(simplifyTypedef149);
+        TEST_CASE(simplifyTypedef150);
 
         TEST_CASE(simplifyTypedefFunction1);
         TEST_CASE(simplifyTypedefFunction2); // ticket #1685
@@ -3513,6 +3514,26 @@ class TestSimplifyTypedef : public TestFixture {
         ASSERT_EQUALS("namespace N { enum E { } ; } void g ( int ) ; void f ( ) { g ( sizeof ( enum N :: E ) ) ; }", tok(code));
     }
 
+    void simplifyTypedef150() { // #12475
+        const char* code{}, *exp{};
+        code = "struct S {\n"
+               "    std::vector<int> const& h(int);\n"
+               "};\n"
+               "typedef std::vector<int> const& (S::* func_t)(int);\n"
+               "void g(func_t, int);\n"
+               "void f() {\n"
+               "    g(func_t(&S::h), 5);\n"
+               "}\n";
+        exp = "struct S { "
+              "const std :: vector < int > & h ( int ) ; "
+              "} ; "
+              "void g ( const std :: vector < int > & ( S :: * ) ( int ) , int ) ; "
+              "void f ( ) { "
+              "g ( const std :: vector < int > & ( S :: * ( & S :: h ) ) ( int ) , 5 ) ; " // TODO: don't generate invalid code
+              "}";
+        ASSERT_EQUALS(exp, tok(code));
+    }
+
     void simplifyTypedefFunction1() {
         {
             const char code[] = "typedef void (*my_func)();\n"

diff --git a/test/testtokenize.cpp b/test/testtokenize.cpp
@@ -6532,14 +6532,15 @@ class TestTokenizer : public TestFixture {
         ASSERT_EQUALS("constdelete=", testAst("int f() const = delete;"));
         ASSERT_EQUALS("", testAst("extern unsigned f(const char *);"));
         ASSERT_EQUALS("charformat*...,", testAst("extern void f(const char *format, ...);"));
-        ASSERT_EQUALS("int((void,", testAst("extern int for_each_commit_graft(int (*)(int*), void *);"));
+        ASSERT_EQUALS("int(int(void,", testAst("extern int for_each_commit_graft(int (*)(int*), void *);"));
         ASSERT_EQUALS("for;;(", testAst("for (;;) {}"));
         ASSERT_EQUALS("xsizeofvoid(=", testAst("x=sizeof(void*)"));
         ASSERT_EQUALS("abc{d{,{(=", testAst("a = b({ c{}, d{} });"));
         ASSERT_EQUALS("abc;(", testAst("a(b;c)"));
         ASSERT_EQUALS("x{( forbc;;(", testAst("x({ for(a;b;c){} });"));
         ASSERT_EQUALS("PT.(", testAst("P->~T();"));  // <- The "T" token::function() will be a destructor
         ASSERT_EQUALS("double&(4[", testAst("void f(double(&)[4]) {}"));
+        ASSERT_EQUALS("voidu*", testAst("int* g ( void* (f) (void*), void* u);")); // #12475
     }
 
     void asttemplate() { // uninstantiated templates will have <,>,etc..
@@ -6556,7 +6557,7 @@ class TestTokenizer : public TestFixture {
 
         ASSERT_EQUALS("xfts(=", testAst("; auto x = f(ts...);"));
 
-        ASSERT_EQUALS("da((new= ifd(", testAst("template <typename a, typename... b>\n" // #10199
+        ASSERT_EQUALS("dae(new= ifd(", testAst("template <typename a, typename... b>\n" // #10199
                                                "void c(b... e) {\n"
                                                "    a d = new a((e)...);\n"
                                                "    if (d) {}\n"