From b8a240cfe9126e08c64ba5898237456f24496864 Mon Sep 17 00:00:00 2001
From: chrchr-github
Date: Fri, 9 Jan 2026 20:56:53 +0100
Subject: [PATCH] Fix #13706 fuzzing crash (assert) in TemplateSimplifier::TokenAndName::TokenAndName()
---
 lib/templatesimplifier.cpp | 5 ++---
 .../crash-5ac13e244448ff767f6596c220edb9ef7b61fa6d | 1 +
 2 files changed, 3 insertions(+), 3 deletions(-)
 create mode 100644 test/cli/fuzz-crash/crash-5ac13e244448ff767f6596c220edb9ef7b61fa6d
diff --git a/lib/templatesimplifier.cpp b/lib/templatesimplifier.cpp
index 1f90593560f..3e47625ad53 100644
--- a/lib/templatesimplifier.cpp
+++ b/lib/templatesimplifier.cpp
@@ -219,9 +219,8 @@ TemplateSimplifier::TokenAndName::TokenAndName(Token *token, std::string scope,
 }

 // make sure at most only one family flag is set
- assert(isClass() ? !(isFunction() || isVariable()) : true);
- assert(isFunction() ? !(isClass() || isVariable()) : true);
- assert(isVariable() ? !(isClass() || isFunction()) : true);
+ if (isClass() + isFunction() + isVariable() > 1)
+ syntaxError(token);

 if (mToken)
 mToken->templateSimplifierPointer(this);
diff --git a/test/cli/fuzz-crash/crash-5ac13e244448ff767f6596c220edb9ef7b61fa6d b/test/cli/fuzz-crash/crash-5ac13e244448ff767f6596c220edb9ef7b61fa6d
new file mode 100644
index 00000000000..7bbc08cfd6d
--- /dev/null
+++ b/test/cli/fuzz-crash/crash-5ac13e244448ff767f6596c220edb9ef7b61fa6d
@@ -0,0 +1 @@
+template<>struct t<>();
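Review bot: The new `if (...) syntaxError(token);` in lib/templatesimplifier.cpp must stay ahead of `mToken->templateSimplifierPointer(this)` two lines below, and nothing in the hunk records that ordering. If `syntaxError()` throws (inferred from its name; its definition is not in the hunk), raising it after that call would leave the token pointing at an object whose construction failed. The retained comment still reads like an internal invariant, although the flags are now treated as input-derived; I would reword it to something like `// flags come from parsed input: reject conflicting family flags before registering this object on mToken`. The sum `isClass() + isFunction() + isVariable()` also relies on implicit bool-to-int promotion, assuming these accessors return bool, and a `static_cast<int>(...)` on each term would make the counting explicit. The constructor body starts and ends outside the hunk.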