From e25c512ad3a70fdc3921e11c8b4db30fca4613a4 Mon Sep 17 00:00:00 2001
From: chrchr-github <78114321+chrchr-github@users.noreply.github.com>
Date: Fri, 22 Mar 2024 00:25:29 +0100
Subject: [PATCH] Fix #12511 fuzzing crash (stack overflow) in getLibraryContainer() (#6165)
---
 lib/valueflow.cpp | 2 ++
 .../fuzz-crash/crash-43fe82a87d6a7f34f000cbbc90b63ad1a58e3dcd | 1 +
 test/testvalueflow.cpp | 3 +++
 3 files changed, 6 insertions(+)
 create mode 100644 test/cli/fuzz-crash/crash-43fe82a87d6a7f34f000cbbc90b63ad1a58e3dcd
diff --git a/lib/valueflow.cpp b/lib/valueflow.cpp
index e7f9709a33d..aa194ea1727 100644
--- a/lib/valueflow.cpp
+++ b/lib/valueflow.cpp
@@ -4972,6 +4972,8 @@ static void valueFlowLifetime(TokenList &tokenlist, ErrorLogger *errorLogger, co
 }
 // address of
 else if (tok->isUnaryOp("&")) {
+ if (Token::simpleMatch(tok->astParent(), "*"))
+ continue;
 for (const ValueFlow::LifetimeToken& lt : ValueFlow::getLifetimeTokens(tok->astOperand1())) {
 if (!settings.certainty.isEnabled(Certainty::inconclusive) && lt.inconclusive)
 continue;
diff --git a/test/cli/fuzz-crash/crash-43fe82a87d6a7f34f000cbbc90b63ad1a58e3dcd b/test/cli/fuzz-crash/crash-43fe82a87d6a7f34f000cbbc90b63ad1a58e3dcd
new file mode 100644
index 00000000000..ac43489b2c0
--- /dev/null
+++ b/test/cli/fuzz-crash/crash-43fe82a87d6a7f34f000cbbc90b63ad1a58e3dcd
@@ -0,0 +1 @@
+d o(){t&a=*&a}
\ No newline at end of file
diff --git a/test/testvalueflow.cpp b/test/testvalueflow.cpp
index 61f99fe52cd..9d014ef279e 100644
--- a/test/testvalueflow.cpp
+++ b/test/testvalueflow.cpp
@@ -7434,6 +7434,9 @@ class TestValueFlow : public TestFixture {
 " if (*q > 0 && *q < 100) {}\n"
 "}\n";
 valueOfTok(code, "&&");
+ code = "void f() { int& a = *&a; }\n"; // #12511
+ valueOfTok(code, "=");
 }
 void valueFlowHang() {
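Review bot: The new guard at the top of the `isUnaryOp("&")` branch in lib/valueflow.cpp skips on any `*` parent, because `Token::simpleMatch(tok->astParent(), "*")` compares only the token string, while the case the fix targets is the dereference `*&x`; the `isUnaryOp` predicate already used on the line above is the more precise form, `if (tok->astParent() && tok->astParent()->isUnaryOp("*")) continue;`. The hunk carries no comment saying why skipping this token ends the recursion the commit title attributes to getLibraryContainer(), so a one-liner such as `// #12511: skip '*&x' here, otherwise the lifetime lookup recurses without bound (fuzzing stack overflow)` would keep a later cleanup from dropping it. Since the `continue` bypasses the whole lifetime pass for the `&` token, lifetime values are presumably no longer produced for any well-formed `*&expr` either, which is worth confirming as intended rather than a side effect. valueFlowLifetime's body begins and ends outside the hunk.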