Fix #13494 fuzzing crash in getEnumType() (#7246)

chrchr-github · web-flow · commit 6b38f785076e · 2025-01-21T07:49:31.000+01:00
diff --git a/lib/symboldatabase.cpp b/lib/symboldatabase.cpp
@@ -7152,6 +7152,10 @@ static ValueType::Type getEnumType(const Scope* scope, const Platform& platform)
 {
     ValueType::Type type = ValueType::Type::INT;
     for (const Token* tok = scope->bodyStart; tok && tok != scope->bodyEnd; tok = tok->next()) {
+        if (const Token* lam = findLambdaEndToken(tok)) {
+            tok = lam;
+            continue;
+        }
         if (!tok->isAssignmentOp())
             continue;
         const Token* vTok = tok->astOperand2();
diff --git a/lib/tokenize.cpp b/lib/tokenize.cpp
@@ -8602,13 +8602,24 @@ void Tokenizer::findGarbageCode() const
             if (Token::Match(tok->next(), ": %num%| {"))
                 syntaxError(tok->tokAt(2), "Unexpected token '" + tok->strAt(2) + "'");
             if (const Token* start = SymbolDatabase::isEnumDefinition(tok)) {
+                int nEquals = 0;
                 for (const Token* tok2 = start->next(); tok2 && tok2 != start->link(); tok2 = tok2->next()) {
                     if (Token::simpleMatch(tok2, "sizeof (")) {
                         tok2 = tok2->linkAt(1);
                         continue;
                     }
+                    if (const Token* lam = findLambdaEndTokenWithoutAST(tok2)) {
+                        tok2 = lam;
+                        continue;
+                    }
                     if (tok2->str() == ";")
                         syntaxError(tok2);
+                    if (tok2->str() == "=")
+                        ++nEquals;
+                    else if (tok2->str() == ",")
+                        nEquals = 0;
+                    if (nEquals > 1)
+                        syntaxError(tok2);
                 }
             }
         }
diff --git a/lib/tokenlist.cpp b/lib/tokenlist.cpp
@@ -1443,6 +1443,8 @@ const Token* findLambdaEndTokenWithoutAST(const Token* tok) {
     tok = tok->link()->next();
     if (Token::simpleMatch(tok, "(") && tok->link())
         tok = tok->link()->next();
+    if (Token::simpleMatch(tok, "mutable"))
+        tok = tok->next();
     if (Token::simpleMatch(tok, ".")) { // trailing return type
         tok = tok->next();
         while (Token::Match(tok, "%type%|%name%|::|&|&&|*|<|(")) {
diff --git a/test/cli/fuzz-crash/crash-8b9b108955146efbdae71f7167251da89d1e18c4 b/test/cli/fuzz-crash/crash-8b9b108955146efbdae71f7167251da89d1e18c4
@@ -0,0 +1 @@
+{enum{A=s(u)0=s};}
diff --git a/test/testgarbage.cpp b/test/testgarbage.cpp
@@ -254,6 +254,7 @@ class TestGarbage : public TestFixture {
         TEST_CASE(garbageCode225);
         TEST_CASE(garbageCode226);
         TEST_CASE(garbageCode227);
+        TEST_CASE(garbageCode228);
 
         TEST_CASE(garbageCodeFuzzerClientMode1); // test cases created with the fuzzer client, mode 1
 
@@ -1761,6 +1762,9 @@ class TestGarbage : public TestFixture {
     void garbageCode227() { // #12615
         ASSERT_NO_THROW(checkCode("f(&S::operator=);"));
     }
+    void garbageCode228() {
+        ASSERT_NO_THROW(checkCode("void f() { enum { A = [=]() mutable { return 0; }() }; }"));
+    }
 
     void syntaxErrorFirstToken() {
         ASSERT_THROW_INTERNAL(checkCode("&operator(){[]};"), SYNTAX); // #7818
