From 51fb56c454636938352688fdb1f78117128f7901 Mon Sep 17 00:00:00 2001
From: chrchr-github <78114321+chrchr-github@users.noreply.github.com>
Date: Sun, 26 May 2024 23:28:22 +0200
Subject: [PATCH] Fix #12767-70 fuzzing crashes (#6441)
---
cfg/qt.cfg | 4 ++++
lib/tokenize.cpp | 22 ++++++++++++++++---
...h-19269c327fd82c6db8f9f2b0c47c645a721ff55a | 1 +
...h-49338578888313fd087eb219d248c9aaf4ea9d0b | 1 +
...h-81a29a4459dee76d10e452690f3e52fa0172852f | 1 +
...-adb20a108c3686d79bc9bd0e4025445e3a35fa49} | 0
...m-0c8e70d5adb08986635b786737dbb5e6ac098f22 | 1 +
test/testsimplifytokens.cpp | 4 +---
test/testtokenize.cpp | 2 +-
9 files changed, 29 insertions(+), 7 deletions(-)
create mode 100644 test/cli/fuzz-crash/crash-19269c327fd82c6db8f9f2b0c47c645a721ff55a
create mode 100644 test/cli/fuzz-crash/crash-49338578888313fd087eb219d248c9aaf4ea9d0b
create mode 100644 test/cli/fuzz-crash/crash-81a29a4459dee76d10e452690f3e52fa0172852f
rename test/cli/fuzz-crash/{crash-adb20a108c3686d79bc9bd0e4025445e3a35fa49.crdownload => crash-adb20a108c3686d79bc9bd0e4025445e3a35fa49} (100%)
create mode 100644 test/cli/fuzz-timeout/oom-0c8e70d5adb08986635b786737dbb5e6ac098f22
diff --git a/cfg/qt.cfg b/cfg/qt.cfg
index 8d599ed5d3d..42c7ca41bbe 100644
--- a/cfg/qt.cfg
+++ b/cfg/qt.cfg
@@ -5355,6 +5355,8 @@
+
+
@@ -5363,6 +5365,8 @@
+
+
diff --git a/lib/tokenize.cpp b/lib/tokenize.cpp
index ec018d12c9e..17c768795c5 100644
--- a/lib/tokenize.cpp
+++ b/lib/tokenize.cpp
@@ -8706,7 +8706,7 @@ void Tokenizer::findGarbageCode() const
syntaxError(tok);
if (Token::Match(tok, ": [)]=]"))
syntaxError(tok);
- if (Token::Match(tok, "typedef [,;]"))
+ if (Token::Match(tok, "typedef [,;:]"))
syntaxError(tok);
if (Token::Match(tok, "! %comp%"))
syntaxError(tok);
@@ -8747,6 +8747,16 @@ void Tokenizer::findGarbageCode() const
syntaxError(tok);
}
}
+ if (isCPP() && tok->str() == "namespace" && tok->tokAt(-1)) {
+ if (!Token::Match(tok->tokAt(-1), ";|{|}|using|inline")) {
+ if (tok->tokAt(-1)->isUpperCaseName())
+ unknownMacroError(tok->tokAt(-1));
+ else if (tok->linkAt(-1) && tok->linkAt(-1)->tokAt(-1) && tok->linkAt(-1)->tokAt(-1)->isUpperCaseName())
+ unknownMacroError(tok->linkAt(-1)->tokAt(-1));
+ else
+ syntaxError(tok);
+ }
+ }
}
// ternary operator without :
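Review bot: The allow-list `";|{|}|using|inline"` in the new namespace check rejects some valid C++ that can precede `namespace`: `export namespace` in a C++20 module interface, and, unless attributes are stripped before findGarbageCode runs, `[[deprecated]] namespace old { }`, where `linkAt(-1)` leads back to `[` rather than an upper-case macro name and the `else` branch raises syntaxError. Adding `export` to the pattern, `if (!Token::Match(tok->tokAt(-1), ";|{|}|using|inline|export")) {`, covers the first case; for the attribute case either confirm that `[[...]]` is already removed at this point or accept `]` as well. A comment stating the intent would also help readers, e.g. `// "namespace" may only follow a scope boundary, using or inline; anything else is an unexpanded macro or garbage`. findGarbageCode starts before this hunk.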
@@ -8772,10 +8782,16 @@ void Tokenizer::findGarbageCode() const
// Garbage templates..
if (isCPP()) {
for (const Token *tok = tokens(); tok; tok = tok->next()) {
- if (Token::simpleMatch(tok, "< >") && !(Token::Match(tok->tokAt(-1), "%name%") || (tok->tokAt(-1) && Token::Match(tok->tokAt(-2), "operator %op%"))))
- syntaxError(tok);
+ if (Token::simpleMatch(tok, "< >")) {
+ if (!(Token::Match(tok->tokAt(-1), "%name%") || (tok->tokAt(-1) && Token::Match(tok->tokAt(-2), "operator %op%"))))
+ syntaxError(tok);
+ if (!tok->tokAt(-1) || tok->tokAt(-1)->isLiteral())
+ syntaxError(tok);
+ }
if (!Token::simpleMatch(tok, "template <"))
continue;
+ if (!tok->tokAt(2) || tok->tokAt(2)->isLiteral())
+ syntaxError(tok);
if (tok->previous() && !Token::Match(tok->previous(), ":|;|{|}|)|>|\"C++\"")) {
if (tok->previous()->isUpperCaseName())
unknownMacroError(tok->previous());
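Review bot: The two `if` statements inside the new `< >` block raise the same syntaxError and can be one condition; the `!tok->tokAt(-1)` disjunct on the second also looks redundant, because with a null previous token the first condition already fails its `%name%` match (assuming Token::Match on a null token returns false, as the existing `tok->tokAt(-1) &&` guard on the operator check suggests). A single `if (!tok->tokAt(-1) || tok->tokAt(-1)->isLiteral() || !(Token::Match(tok->tokAt(-1), "%name%") || Token::Match(tok->tokAt(-2), "operator %op%")))` would state the rule once. Either way, a short comment on why literals are rejected both here and on the `template <` check below would help, e.g. `// a literal can never name a template ("8<>", "template<8"); reject it here before later template handling sees it`. findGarbageCode continues past this hunk.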
diff --git a/test/cli/fuzz-crash/crash-19269c327fd82c6db8f9f2b0c47c645a721ff55a b/test/cli/fuzz-crash/crash-19269c327fd82c6db8f9f2b0c47c645a721ff55a
new file mode 100644
index 00000000000..ac4c5f2b1de
--- /dev/null
+++ b/test/cli/fuzz-crash/crash-19269c327fd82c6db8f9f2b0c47c645a721ff55a
@@ -0,0 +1 @@
+n eu<#F A<>;template<#m<>eu=i
\ No newline at end of file
diff --git a/test/cli/fuzz-crash/crash-49338578888313fd087eb219d248c9aaf4ea9d0b b/test/cli/fuzz-crash/crash-49338578888313fd087eb219d248c9aaf4ea9d0b
new file mode 100644
index 00000000000..484bdfe4ca3
--- /dev/null
+++ b/test/cli/fuzz-crash/crash-49338578888313fd087eb219d248c9aaf4ea9d0b
@@ -0,0 +1 @@
+;namespace d=S;r namespace d=X
\ No newline at end of file
diff --git a/test/cli/fuzz-crash/crash-81a29a4459dee76d10e452690f3e52fa0172852f b/test/cli/fuzz-crash/crash-81a29a4459dee76d10e452690f3e52fa0172852f
new file mode 100644
index 00000000000..5579544ce3e
--- /dev/null
+++ b/test/cli/fuzz-crash/crash-81a29a4459dee76d10e452690f3e52fa0172852f
@@ -0,0 +1 @@
+{s for(typedef:;){}}
\ No newline at end of file
diff --git a/test/cli/fuzz-crash/crash-adb20a108c3686d79bc9bd0e4025445e3a35fa49.crdownload b/test/cli/fuzz-crash/crash-adb20a108c3686d79bc9bd0e4025445e3a35fa49
similarity index 100%
rename from test/cli/fuzz-crash/crash-adb20a108c3686d79bc9bd0e4025445e3a35fa49.crdownload
rename to test/cli/fuzz-crash/crash-adb20a108c3686d79bc9bd0e4025445e3a35fa49
diff --git a/test/cli/fuzz-timeout/oom-0c8e70d5adb08986635b786737dbb5e6ac098f22 b/test/cli/fuzz-timeout/oom-0c8e70d5adb08986635b786737dbb5e6ac098f22
new file mode 100644
index 00000000000..54d37965b04
--- /dev/null
+++ b/test/cli/fuzz-timeout/oom-0c8e70d5adb08986635b786737dbb5e6ac098f22
@@ -0,0 +1 @@
+template<8<>e=e<>>f
\ No newline at end of file
diff --git a/test/testsimplifytokens.cpp b/test/testsimplifytokens.cpp
index b034e617a9e..533b01d585a 100644
--- a/test/testsimplifytokens.cpp
+++ b/test/testsimplifytokens.cpp
@@ -586,9 +586,7 @@ class TestSimplifyTokens : public TestFixture {
{
const char code[] = "void f(int namespace) { }";
- const char expected[] = "void f ( int namespace ) { }";
-
- ASSERT_EQUALS(expected, tok(code));
+ ASSERT_THROW_INTERNAL(tok(code), SYNTAX);
}
}
diff --git a/test/testtokenize.cpp b/test/testtokenize.cpp
index b718b0e7a90..d530d416692 100644
--- a/test/testtokenize.cpp
+++ b/test/testtokenize.cpp
@@ -5463,7 +5463,7 @@ class TestTokenizer : public TestFixture {
// remove some unhandled macros in the global scope.
ASSERT_EQUALS("void f ( ) { }", tokenizeAndStringify("void f() NOTHROW { }"));
ASSERT_EQUALS("struct Foo { } ;", tokenizeAndStringify("struct __declspec(dllexport) Foo {};"));
- ASSERT_EQUALS("namespace { int a ; }", tokenizeAndStringify("ABA() namespace { int a ; }"));
+ ASSERT_THROW_INTERNAL(tokenizeAndStringify("ABA() namespace { int a ; }"), UNKNOWN_MACRO);
// #3750
ASSERT_THROW_INTERNAL(tokenizeAndStringify("; AB(foo*) foo::foo() { }"), UNKNOWN_MACRO);
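Review bot: The new literal checks in the tokenizer (`< >` preceded by a literal and `template <` followed by one) are covered only by the added fuzz-crash and fuzz-timeout inputs; this hunk adds no unit assertion for them, so a regression would surface only in the fuzz CLI run. If no earlier check in findGarbageCode fires first, `ASSERT_THROW_INTERNAL(tokenizeAndStringify("template<8<>e=e<>>f"), SYNTAX);` next to the existing throw assertions would pin the behaviour, and a similar line for `;namespace d=S;r namespace d=X` (expected SYNTAX, since `r` is neither an upper-case name nor a bracket) would cover the namespace path. The enclosing test method starts before this hunk.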