Fix #12851 fuzzing crash in Tokenizer::simplifyTypedef() (#6535)

Author: chrchr-github

lib/tokenize.cpp

@@ -860,6 +860,10 @@ namespace {
                     Token::createMutualLinks(tok3->next(), after->previous());
                 }
             }
+            if (!after) {
+                mReplaceFailed = true;
+                return;
+            }
 
             bool useAfterVarRange = true;
             if (Token::simpleMatch(mRangeAfterVar.first, "[")) {
@@ -1124,7 +1128,9 @@ void Tokenizer::simplifyTypedef()
     {
         // remove typedefs
         for (auto &t: typedefs) {
-            if (!t.second.replaceFailed()) {
+            if (t.second.replaceFailed()) {
+                syntaxError(t.second.getTypedefToken());
+            } else {
                 const Token* const typedefToken = t.second.getTypedefToken();
                 TypedefInfo typedefInfo;
                 typedefInfo.name = t.second.name();

test/cli/fuzz-crash/crash-44b5d1f53328660cbcb6e90793eae2ff8ffc4893

@@ -0,0 +1 @@
+typedef q r[];r A