fixed fuzzing crashes (#6089)

danmar · Mar 11, 2024 · d49fd82 · d49fd82
1 parent ed64e97
commit d49fd82
Show file tree

Hide file tree

Showing 7 changed files with 10 additions and 3 deletions.
diff --git a/lib/checksizeof.cpp b/lib/checksizeof.cpp
@@ -236,7 +236,8 @@ void CheckSizeof::checkSizeofForPointerSize()
                 continue;
 
             // Now check for the sizeof usage: Does the level of pointer indirection match?
-            if (tokSize->linkAt(1)->strAt(-1) == "*") {
+            const Token * const tokLink = tokSize->linkAt(1);
+            if (tokLink && tokLink->strAt(-1) == "*") {
                 if (variable && variable->valueType() && variable->valueType()->pointer == 1 && variable->valueType()->type != ValueType::VOID)
                     sizeofForPointerError(variable, variable->str());
                 else if (variable2 && variable2->valueType() && variable2->valueType()->pointer == 1 && variable2->valueType()->type != ValueType::VOID)

diff --git a/lib/tokenize.cpp b/lib/tokenize.cpp
@@ -1940,7 +1940,7 @@ void Tokenizer::simplifyTypedefCpp()
 
                     // start substituting at the typedef name by replacing it with the type
                     Token* replStart = tok2; // track first replaced token
-                    for (Token* tok3 = typeStart; tok3->str() != ";"; tok3 = tok3->next())
+                    for (Token* tok3 = typeStart; tok3 && (tok3->str() != ";"); tok3 = tok3->next())
                         tok3->isSimplifiedTypedef(true);
                     if (isPointerTypeCall) {
                         tok2->deleteThis();
@@ -10537,6 +10537,8 @@ void Tokenizer::simplifyNamespaceAliases()
 
             int endScope = scope;
             Token * tokLast = tokNameEnd->next();
+            if (!tokLast)
+                return;
             Token * tokNext = tokLast->next();
             Token * tok2 = tokNext;
 

diff --git a/lib/tokenlist.cpp b/lib/tokenlist.cpp
@@ -1582,7 +1582,7 @@ static Token * createAstAtToken(Token *tok)
             AST_state state1(cpp);
             compileExpression(tok2, state1);
             if (Token::Match(init1, "( !!{")) {
-                for (Token *tok3 = init1; tok3 != tok3->link(); tok3 = tok3->next()) {
+                for (Token *tok3 = init1; tok3 && tok3 != tok3->link(); tok3 = tok3->next()) {
                     if (tok3->astParent()) {
                         while (tok3->astParent())
                             tok3 = tok3->astParent();

diff --git a/test/cli/fuzz-crash/crash-7bac85061edab7fdce2889f02ea3a044242a3920 b/test/cli/fuzz-crash/crash-7bac85061edab7fdce2889f02ea3a044242a3920
@@ -0,0 +1 @@
+a,typedef U typedef,U,i
diff --git a/test/cli/fuzz-crash/crash-82986578453ec2056069c70846571775b10dfbcb b/test/cli/fuzz-crash/crash-82986578453ec2056069c70846571775b10dfbcb
@@ -0,0 +1 @@
+namespace d=S
diff --git a/test/cli/fuzz-crash/crash-e000709d155e9c993795748ba31fddacbd5a86ac b/test/cli/fuzz-crash/crash-e000709d155e9c993795748ba31fddacbd5a86ac
@@ -0,0 +1 @@
+{for(()s)}
diff --git a/test/cli/fuzz-crash/crash-f4ec019b9a1f357d036a9bc3c2cb6fb10a0c3ded b/test/cli/fuzz-crash/crash-f4ec019b9a1f357d036a9bc3c2cb6fb10a0c3ded
@@ -0,0 +1 @@
+o k(){t*data;{memcpy(data,,sizeof\)}}