Fix #13694, #13704, #13708, #14356 fuzzing crashes (#8076)

chrchr-github · web-flow · web-flow · commit be71c2ef7527 · 2026-01-05T08:26:49.000+01:00
Co-authored-by: chrchr-github &lt;noreply@github.com&gt;
diff --git a/lib/templatesimplifier.cpp b/lib/templatesimplifier.cpp
@@ -690,6 +690,8 @@ bool TemplateSimplifier::getTemplateDeclarations()
             else if (Token::Match(tok2, "{|=|;")) {
                 const int namepos = getTemplateNamePosition(parmEnd);
                 if (namepos > 0) {
+                    if (!tok->scopeInfo())
+                        syntaxError(tok);
                     TokenAndName decl(tok, tok->scopeInfo()->name, parmEnd->tokAt(namepos), parmEnd);
                     if (decl.isForwardDeclaration()) {
                         // Declaration => add to mTemplateForwardDeclarations
diff --git a/lib/tokenize.cpp b/lib/tokenize.cpp
@@ -8936,6 +8936,8 @@ void Tokenizer::findGarbageCode() const
             syntaxError(tok);
         if (Token::Match(tok, "& %comp%|&&|%oror%|&|%or%") && tok->strAt(1) != ">")
             syntaxError(tok);
+        if (Token::Match(tok, "%comp%|&&|%oror%|&|%or% }") && tok->str() != ">")
+            syntaxError(tok);
         if (Token::Match(tok, "^ %op%") && !Token::Match(tok->next(), "[>*+-!~]"))
             syntaxError(tok);
         if (Token::Match(tok, ": [)]=]"))
@@ -8944,6 +8946,8 @@ void Tokenizer::findGarbageCode() const
             syntaxError(tok);
         if (Token::Match(tok, "typedef [,;:]"))
             syntaxError(tok);
+        if (Token::Match(tok, "? %assign%"))
+            syntaxError(tok);
         if (Token::Match(tok, "!|~ %comp%") &&
             !(cpp && tok->strAt(1) == ">" && Token::simpleMatch(tok->tokAt(-1), "operator")))
             syntaxError(tok);
diff --git a/lib/tokenlist.cpp b/lib/tokenlist.cpp
@@ -295,6 +295,8 @@ void TokenList::insertTokens(Token *dest, const Token *src, nonneg int n)
     std::stack<Token *> link;
 
     while (n > 0) {
+        if (!src)
+            throw InternalError(dest, std::string(__func__) + ": invalid source range", InternalError::INTERNAL);
         dest->insertToken(src->str(), src->originalName());
         dest = dest->next();
 
diff --git a/test/cli/fuzz-crash/crash-9eb2c9e545b361a17d74ccd4e8c933ca65542b12 b/test/cli/fuzz-crash/crash-9eb2c9e545b361a17d74ccd4e8c933ca65542b12
@@ -0,0 +1 @@
+{template<>i}template<>fact2(){fact2<3>()}
diff --git a/test/cli/fuzz-crash/crash-a03d001b1336e191debffcde652ce5fb63d0a7d6 b/test/cli/fuzz-crash/crash-a03d001b1336e191debffcde652ce5fb63d0a7d6
@@ -0,0 +1 @@
+(c[?=3:4])p
diff --git a/test/cli/fuzz-crash/crash-c36b9a5f7fce91031cb578ef591f90d48d95a7f4 b/test/cli/fuzz-crash/crash-c36b9a5f7fce91031cb578ef591f90d48d95a7f4
@@ -0,0 +1 @@
+c<a<s>s=t,{;{}}>l
diff --git a/test/cli/fuzz-crash_c/crash-24c217c96d177b8dff4028bce639756d6a8c6088 b/test/cli/fuzz-crash_c/crash-24c217c96d177b8dff4028bce639756d6a8c6088
@@ -0,0 +1 @@
+f(S=n){n*,n&&}
diff --git a/test/cli/fuzz_test.py b/test/cli/fuzz_test.py
@@ -11,9 +11,9 @@ def test_fuzz_crash():
 
     fuzz_crash_dir = os.path.join(__script_dir, 'fuzz-crash')
     for f in os.listdir(fuzz_crash_dir):
-        ret, stdout, _ = cppcheck(['-q', '--language=c++', '--enable=all', '--inconclusive', f], cwd=fuzz_crash_dir)
+        ret, stdout, stderr = cppcheck(['-q', '--language=c++', '--enable=all', '--inconclusive', f], cwd=fuzz_crash_dir)
         if ret != 0:
-            failures[f] = stdout
+            failures[f] = stdout + stderr
 
     assert failures == {}
 
@@ -26,9 +26,9 @@ def test_fuzz_crash_c():
     if not os.path.exists(fuzz_crash_dir):
         return
     for f in os.listdir(fuzz_crash_dir):
-        ret, stdout, _ = cppcheck(['-q', '--language=c', '--enable=all', '--inconclusive', f], cwd=fuzz_crash_dir)
+        ret, stdout, stderr = cppcheck(['-q', '--language=c', '--enable=all', '--inconclusive', f], cwd=fuzz_crash_dir)
         if ret != 0:
-            failures[f] = stdout
+            failures[f] = stdout + stderr
 
     assert failures == {}
 

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+{template<>i}template<>fact2(){fact2<3>()}`