Fix #13501 fuzzing crash (heap-use-after-free) in Tokenizer::simplifyNamespaceAliases() (danmar#8101)

chrchr-github · web-flow · web-flow · commit 19640019b704 · 2026-01-10T12:33:00.000+01:00
Co-authored-by: chrchr-github &lt;noreply@github.com&gt;
diff --git a/lib/tokenize.cpp b/lib/tokenize.cpp
@@ -9003,15 +9003,17 @@ void Tokenizer::findGarbageCode() const
                 }
             }
         }
-        if (cpp && tok->str() == "namespace" && tok->tokAt(-1)) {
-            if (!Token::Match(tok->tokAt(-1), ";|{|}|using|inline")) {
+        if (cpp && tok->str() == "namespace") {
+            if (tok->tokAt(-1) && !Token::Match(tok->tokAt(-1), ";|{|}|using|inline")) {
                 if (tok->tokAt(-1)->isUpperCaseName())
                     unknownMacroError(tok->tokAt(-1));
                 else if (tok->linkAt(-1) && tok->linkAt(-1)->tokAt(-1) && tok->linkAt(-1)->tokAt(-1)->isUpperCaseName())
                     unknownMacroError(tok->linkAt(-1)->tokAt(-1));
                 else
                     syntaxError(tok);
             }
+            if (!tok->next() || (Token::Match(tok->next(), "%name% =") && !Token::Match(tok->tokAt(3), "::|%name%")))
+                syntaxError(tok);
         }
         if (cpp && tok->str() == "using" && !Token::Match(tok->next(), "::|%name%"))
             syntaxError(tok);
diff --git a/test/cli/fuzz-crash/crash-fb09b3314f55a502c8dd27f3f114122c71dd207e b/test/cli/fuzz-crash/crash-fb09b3314f55a502c8dd27f3f114122c71dd207e
@@ -0,0 +1 @@
+;namespace b=i;;namespace b={}

Original file line number	Diff line number	Diff line change
`@@ -9003,15 +9003,17 @@ void Tokenizer::findGarbageCode() const`
`9003`	`9003`	`}`
`9004`	`9004`	`}`
`9005`	`9005`	`}`
`9006`		`- if (cpp && tok->str() == "namespace" && tok->tokAt(-1)) {`
`9007`		`- if (!Token::Match(tok->tokAt(-1), ";\|{\|}\|using\|inline")) {`
	`9006`	`+ if (cpp && tok->str() == "namespace") {`
	`9007`	`+ if (tok->tokAt(-1) && !Token::Match(tok->tokAt(-1), ";\|{\|}\|using\|inline")) {`
`9008`	`9008`	`if (tok->tokAt(-1)->isUpperCaseName())`
`9009`	`9009`	`unknownMacroError(tok->tokAt(-1));`
`9010`	`9010`	`else if (tok->linkAt(-1) && tok->linkAt(-1)->tokAt(-1) && tok->linkAt(-1)->tokAt(-1)->isUpperCaseName())`
`9011`	`9011`	`unknownMacroError(tok->linkAt(-1)->tokAt(-1));`
`9012`	`9012`	`else`
`9013`	`9013`	`syntaxError(tok);`
`9014`	`9014`	`}`
	`9015`	`+ if (!tok->next() \|\| (Token::Match(tok->next(), "%name% =") && !Token::Match(tok->tokAt(3), "::\|%name%")))`
	`9016`	`+ syntaxError(tok);`
`9015`	`9017`	`}`
`9016`	`9018`	`if (cpp && tok->str() == "using" && !Token::Match(tok->next(), "::\|%name%"))`
`9017`	`9019`	`syntaxError(tok);`