Fix #12565, #12566 Fuzzing crash/timeout (cppcheck-opensource#6222)

chrchr-github · web-flow · commit d19af9bc2466 · 2024-04-05T10:04:23.000+02:00
diff --git a/lib/tokenize.cpp b/lib/tokenize.cpp
@@ -8613,9 +8613,11 @@ void Tokenizer::findGarbageCode() const
             syntaxError(tok);
         if (Token::Match(tok, "%assign% typename|class %assign%"))
             syntaxError(tok);
+        if (Token::Match(tok, "%assign% [;)}]") && (!isCPP() || !Token::Match(tok->previous(), "operator %assign% ;")))
+            syntaxError(tok);
         if (Token::Match(tok, "%cop%|=|,|[ %or%|%oror%|/|%"))
             syntaxError(tok);
-        if (Token::Match(tok, ";|(|[ %comp%"))
+        if (Token::Match(tok, "[;([{] %comp%|&&|%oror%|%or%|%|/"))
             syntaxError(tok);
         if (Token::Match(tok, "%cop%|= ]") && !(isCPP() && Token::Match(tok->previous(), "%type%|[|,|%num% &|=|> ]")))
             syntaxError(tok);
diff --git a/test/cli/fuzz-crash/crash-20efd8856e04ca1fced9daa93837ae3384bb5e62 b/test/cli/fuzz-crash/crash-20efd8856e04ca1fced9daa93837ae3384bb5e62
@@ -0,0 +1 @@
+assert({:=;})
diff --git a/test/cli/fuzz-timeout/timeout-9598595ae3c480b58773e85cd4e4d52b1dc37038 b/test/cli/fuzz-timeout/timeout-9598595ae3c480b58773e85cd4e4d52b1dc37038
@@ -0,0 +1 @@
+i f(n*a){n b=0;*a=b;%*a=b;--------------------b}
diff --git a/test/testgarbage.cpp b/test/testgarbage.cpp
@@ -1636,7 +1636,7 @@ class TestGarbage : public TestFixture {
     }
 
     void garbageCode203() { // #8972
-        checkCode("{ > () {} }");
+        ASSERT_THROW(checkCode("{ > () {} }"), InternalError);
         checkCode("template <> a > ::b();");
     }
 
diff --git a/test/testtoken.cpp b/test/testtoken.cpp
@@ -743,20 +743,20 @@ class TestToken : public TestFixture {
         ASSERT_EQUALS(true, Token::Match(negative.front(), "%bool%"));
     }
 
-    void matchOr() {
+    void matchOr() const {
         const SimpleTokenList bitwiseOr(";|;");
         // cppcheck-suppress simplePatternError - this is intentional
         ASSERT_EQUALS(true,  Token::Match(bitwiseOr.front(), "; %or%"));
         ASSERT_EQUALS(true,  Token::Match(bitwiseOr.front(), "; %op%"));
         // cppcheck-suppress simplePatternError - this is intentional
         ASSERT_EQUALS(false, Token::Match(bitwiseOr.front(), "; %oror%"));
 
-        const SimpleTokenizer bitwiseOrAssignment(*this, ";|=;");
+        const SimpleTokenList bitwiseOrAssignment(";|=;");
         // cppcheck-suppress simplePatternError - this is intentional
-        ASSERT_EQUALS(false,  Token::Match(bitwiseOrAssignment.tokens(), "; %or%"));
-        ASSERT_EQUALS(true,  Token::Match(bitwiseOrAssignment.tokens(), "; %op%"));
+        ASSERT_EQUALS(false,  Token::Match(bitwiseOrAssignment.front(), "; %or%"));
+        ASSERT_EQUALS(true,  Token::Match(bitwiseOrAssignment.front(), "; %op%"));
         // cppcheck-suppress simplePatternError - this is intentional
-        ASSERT_EQUALS(false, Token::Match(bitwiseOrAssignment.tokens(), "; %oror%"));
+        ASSERT_EQUALS(false, Token::Match(bitwiseOrAssignment.front(), "; %oror%"));
 
         const SimpleTokenList logicalOr(";||;");
         // cppcheck-suppress simplePatternError - this is intentional
diff --git a/test/testtokenize.cpp b/test/testtokenize.cpp
@@ -7539,7 +7539,7 @@ class TestTokenizer : public TestFixture {
     void noCrash1() {
         ASSERT_NO_THROW(tokenizeAndStringify(
                             "struct A {\n"
-                            "  A( const std::string &name = " " );\n"
+                            "  A( const std::string &name = \" \" );\n"
                             "};\n"
                             "A::A( const std::string &name ) { return; }\n"));
     }

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+i f(na){n b=0;a=b;%*a=b;--------------------b}`
Original file line number	Diff line number	Diff line change
`@@ -1636,7 +1636,7 @@ class TestGarbage : public TestFixture {`
`1636`	`1636`	`}`
`1637`	`1637`
`1638`	`1638`	`void garbageCode203() { // #8972`
`1639`		`- checkCode("{ > () {} }");`
	`1639`	`+ ASSERT_THROW(checkCode("{ > () {} }"), InternalError);`
`1640`	`1640`	`checkCode("template <> a > ::b();");`
`1641`	`1641`	`}`
`1642`	`1642`
Original file line number	Diff line number	Diff line change
`@@ -7539,7 +7539,7 @@ class TestTokenizer : public TestFixture {`
`7539`	`7539`	`void noCrash1() {`
`7540`	`7540`	`ASSERT_NO_THROW(tokenizeAndStringify(`
`7541`	`7541`	`"struct A {\n"`
`7542`		`- " A( const std::string &name = " " );\n"`
	`7542`	`+ " A( const std::string &name = \" \" );\n"`
`7543`	`7543`	`"};\n"`
`7544`	`7544`	`"A::A( const std::string &name ) { return; }\n"));`
`7545`	`7545`	`}`