From c8c088f9aa91e257b5399d86c15a92a0f36326e6 Mon Sep 17 00:00:00 2001
From: chrchr-github
Date: Fri, 9 Jan 2026 20:41:58 +0100
Subject: [PATCH] Fix #13501 fuzzing crash (heap-use-after-free) in Tokenizer::simplifyNamespaceAliases()
---
 lib/tokenize.cpp | 6 ++++--
 .../crash-fb09b3314f55a502c8dd27f3f114122c71dd207e | 1 +
 2 files changed, 5 insertions(+), 2 deletions(-)
 create mode 100644 test/cli/fuzz-crash/crash-fb09b3314f55a502c8dd27f3f114122c71dd207e
diff --git a/lib/tokenize.cpp b/lib/tokenize.cpp
index 952ba4b6c00..27e0f5cd0aa 100644
--- a/lib/tokenize.cpp
+++ b/lib/tokenize.cpp
@@ -8991,8 +8991,8 @@ void Tokenizer::findGarbageCode() const
 }
 }
 }
- if (cpp && tok->str() == "namespace" && tok->tokAt(-1)) {
- if (!Token::Match(tok->tokAt(-1), ";|{|}|using|inline")) {
+ if (cpp && tok->str() == "namespace") {
+ if (tok->tokAt(-1) && !Token::Match(tok->tokAt(-1), ";|{|}|using|inline")) {
 if (tok->tokAt(-1)->isUpperCaseName())
 unknownMacroError(tok->tokAt(-1));
 else if (tok->linkAt(-1) && tok->linkAt(-1)->tokAt(-1) && tok->linkAt(-1)->tokAt(-1)->isUpperCaseName())
@@ -9000,6 +9000,8 @@ void Tokenizer::findGarbageCode() const
 else
 syntaxError(tok);
 }
+ if (!tok->next() || (Token::Match(tok->next(), "%name% =") && !Token::Match(tok->tokAt(3), "::|%name%")))
+ syntaxError(tok);
 }
 if (cpp && tok->str() == "using" && !Token::Match(tok->next(), "::|%name%"))
 syntaxError(tok);
diff --git a/test/cli/fuzz-crash/crash-fb09b3314f55a502c8dd27f3f114122c71dd207e b/test/cli/fuzz-crash/crash-fb09b3314f55a502c8dd27f3f114122c71dd207e
new file mode 100644
index 00000000000..3a017fdb2e0
--- /dev/null
+++ b/test/cli/fuzz-crash/crash-fb09b3314f55a502c8dd27f3f114122c71dd207e
@@ -0,0 +1 @@
+;namespace b=i;;namespace b={}
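Review bot: The new alias guard in the second tokenize.cpp hunk (`if (!tok->next() || (Token::Match(tok->next(), "%name% =") && !Token::Match(tok->tokAt(3), "::|%name%")))`) carries no comment tying it to the crash it closes, so a later reader cannot tell why `namespace b = {}` has to be rejected in findGarbageCode() rather than tolerated downstream. Going by the commit title, the unguarded input reached Tokenizer::simplifyNamespaceAliases() and produced a heap-use-after-free, so I would annotate the check with `// #13501: reject "namespace x = <not a (qualified) name>" up front; simplifyNamespaceAliases() assumes the alias target is a name path` and confirm that precondition against that function, which is not visible here. The fuzz-crash file only establishes that cppcheck no longer crashes on `;namespace b=i;;namespace b={}`; a garbage-code unit test asserting that this input now yields a syntaxError would also pin the intended diagnostic and catch a future change that silently accepts it again. The enclosing findGarbageCode() loop body starts and ends outside the hunk.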