From d49fd82a0ad60a717e38e84b3f398dc182de90a1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Oliver=20St=C3=B6neberg?=
Date: Tue, 12 Mar 2024 00:49:29 +0100
Subject: [PATCH] fixed fuzzing crashes (#6089)

---
 lib/checksizeof.cpp | 3 ++-
 lib/tokenize.cpp | 4 +++-
 lib/tokenlist.cpp | 2 +-
 .../fuzz-crash/crash-7bac85061edab7fdce2889f02ea3a044242a3920 | 1 +
 .../fuzz-crash/crash-82986578453ec2056069c70846571775b10dfbcb | 1 +
 .../fuzz-crash/crash-e000709d155e9c993795748ba31fddacbd5a86ac | 1 +
 .../fuzz-crash/crash-f4ec019b9a1f357d036a9bc3c2cb6fb10a0c3ded | 1 +
 7 files changed, 10 insertions(+), 3 deletions(-)
 create mode 100644 test/cli/fuzz-crash/crash-7bac85061edab7fdce2889f02ea3a044242a3920
 create mode 100644 test/cli/fuzz-crash/crash-82986578453ec2056069c70846571775b10dfbcb
 create mode 100644 test/cli/fuzz-crash/crash-e000709d155e9c993795748ba31fddacbd5a86ac
 create mode 100644 test/cli/fuzz-crash/crash-f4ec019b9a1f357d036a9bc3c2cb6fb10a0c3ded

diff --git a/lib/checksizeof.cpp b/lib/checksizeof.cpp
index 848b8946cbe..2a3cbaaad56 100644
--- a/lib/checksizeof.cpp
+++ b/lib/checksizeof.cpp
@@ -236,7 +236,8 @@ void CheckSizeof::checkSizeofForPointerSize()
 continue;
 // Now check for the sizeof usage: Does the level of pointer indirection match?
- if (tokSize->linkAt(1)->strAt(-1) == "*") {
+ const Token * const tokLink = tokSize->linkAt(1);
+ if (tokLink && tokLink->strAt(-1) == "*") {
 if (variable && variable->valueType() && variable->valueType()->pointer == 1 && variable->valueType()->type != ValueType::VOID)
 sizeofForPointerError(variable, variable->str());
 else if (variable2 && variable2->valueType() && variable2->valueType()->pointer == 1 && variable2->valueType()->type != ValueType::VOID)
diff --git a/lib/tokenize.cpp b/lib/tokenize.cpp
index 56d1bcd5728..6a8d07e2d66 100644
--- a/lib/tokenize.cpp
+++ b/lib/tokenize.cpp
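Review bot: The null guard added on `tokLink` fixes the dereference but leaves no hint why a `sizeof (` can reach this check with an unlinked `(`, so the next reader is likely to take it for dead code; a short comment on the new line such as `// linkAt(1) can be null on malformed input (fuzzer-found): guard before reading strAt(-1)` would keep that context. `tokLink->strAt(-1)` itself is safe only because a linked `)` always has its `(` somewhere before it, which holds as long as links are set exclusively between bracket pairs. The enclosing loop and the derivation of `tokSize` are outside the hunk. Only a CLI fuzz-crash corpus file is added; a unit test feeding that input through the checker would pin the regression more directly.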
@@ -1940,7 +1940,7 @@ void Tokenizer::simplifyTypedefCpp()
 // start substituting at the typedef name by replacing it with the type
 Token* replStart = tok2; // track first replaced token
- for (Token* tok3 = typeStart; tok3->str() != ";"; tok3 = tok3->next())
+ for (Token* tok3 = typeStart; tok3 && (tok3->str() != ";"); tok3 = tok3->next())
 tok3->isSimplifiedTypedef(true);
 if (isPointerTypeCall) {
 tok2->deleteThis();
@@ -10537,6 +10537,8 @@ void Tokenizer::simplifyNamespaceAliases()
 int endScope = scope;
 Token * tokLast = tokNameEnd->next();
+ if (!tokLast)
+ return;
 Token * tokNext = tokLast->next();
 Token * tok2 = tokNext;
diff --git a/lib/tokenlist.cpp b/lib/tokenlist.cpp
index 6cd58a78573..d8048af2ee3 100644
--- a/lib/tokenlist.cpp
+++ b/lib/tokenlist.cpp
@@ -1582,7 +1582,7 @@ static Token * createAstAtToken(Token *tok)
 AST_state state1(cpp);
 compileExpression(tok2, state1);
 if (Token::Match(init1, "( !!{")) {
- for (Token *tok3 = init1; tok3 != tok3->link(); tok3 = tok3->next()) {
+ for (Token *tok3 = init1; tok3 && tok3 != tok3->link(); tok3 = tok3->next()) {
 if (tok3->astParent()) {
 while (tok3->astParent())
 tok3 = tok3->astParent();
diff --git a/test/cli/fuzz-crash/crash-7bac85061edab7fdce2889f02ea3a044242a3920 b/test/cli/fuzz-crash/crash-7bac85061edab7fdce2889f02ea3a044242a3920
new file mode 100644
index 00000000000..d9de20d6e55
--- /dev/null
+++ b/test/cli/fuzz-crash/crash-7bac85061edab7fdce2889f02ea3a044242a3920
@@ -0,0 +1 @@
+a,typedef U typedef,U,i
\ No newline at end of file
diff --git a/test/cli/fuzz-crash/crash-82986578453ec2056069c70846571775b10dfbcb b/test/cli/fuzz-crash/crash-82986578453ec2056069c70846571775b10dfbcb
new file mode 100644
index 00000000000..d658e27570f
--- /dev/null
+++ b/test/cli/fuzz-crash/crash-82986578453ec2056069c70846571775b10dfbcb
@@ -0,0 +1 @@
+namespace d=S
\ No newline at end of file
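Review bot: With the added `tok3 &&`, the walk over the typedef body now stops silently at the end of the token list when no terminating `;` exists, and the code that follows (`tok2->deleteThis()` onward) keeps substituting a typedef that is structurally incomplete. If the remainder of `simplifyTypedefCpp`, which starts and ends outside the hunk, assumes the `;` was reached, rejecting the unterminated typedef as a syntax error would be more robust than continuing; whether a later check already covers this cannot be seen here. The parentheses around the comparison are redundant: `tok3 && tok3->str() != ";"`.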
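Review bot: The new `if (!tokLast) return;` leaves the alias unsimplified with no diagnostic, and the very next line, `Token * tokNext = tokLast->next();`, can still produce a null `tokNext` when `tokLast` is the final token of the input. Whether a null `tok2`/`tokNext` is handled depends on code below the hunk; if it is not, the guard should cover it too, e.g. `if (!tokLast || !tokLast->next()) return;`. An alias without a terminating `;` is malformed input, so reporting it as a syntax error — if the tokenizer's usual error path is reachable here — would be preferable to a silent return. `simplifyNamespaceAliases` starts and ends outside the hunk.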
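Review bot: The loop bound on the new `for` line, `tok3 != tok3->link()`, compares a token with its own link; as far as the visible code shows a token is never its own link (brackets link to their partner, other tokens have none), so that test is always true and the added `tok3 &&` now makes the loop run to the end of the token list rather than to the matching `)` of `init1`. The intended bound is presumably the closing parenthesis of `init1`: `const Token * const init1End = init1->link();` followed by `for (Token *tok3 = init1; tok3 && tok3 != init1End; tok3 = tok3->next()) {`. Whether the body always leaves the loop earlier through its `astParent()` handling cannot be seen here, since the loop body continues outside the hunk; a comment on the loop naming what bounds it would help either way.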
diff --git a/test/cli/fuzz-crash/crash-e000709d155e9c993795748ba31fddacbd5a86ac b/test/cli/fuzz-crash/crash-e000709d155e9c993795748ba31fddacbd5a86ac
new file mode 100644
index 00000000000..6f94840a159
--- /dev/null
+++ b/test/cli/fuzz-crash/crash-e000709d155e9c993795748ba31fddacbd5a86ac
@@ -0,0 +1 @@
+{for(()s)}
\ No newline at end of file
diff --git a/test/cli/fuzz-crash/crash-f4ec019b9a1f357d036a9bc3c2cb6fb10a0c3ded b/test/cli/fuzz-crash/crash-f4ec019b9a1f357d036a9bc3c2cb6fb10a0c3ded
new file mode 100644
index 00000000000..7f948841a94
--- /dev/null
+++ b/test/cli/fuzz-crash/crash-f4ec019b9a1f357d036a9bc3c2cb6fb10a0c3ded
@@ -0,0 +1 @@
+o k(){t*data;{memcpy(data,,sizeof\)}}
\ No newline at end of file