Fix #14432: fuzzing crash (null-pointer-use) in Tokenizer::setVarIdPass1() (danmar#8161)

ludviggunne · web-flow · commit 803fdfed4a3e · 2026-01-29T10:41:48.000+01:00
diff --git a/lib/tokenize.cpp b/lib/tokenize.cpp
@@ -4871,6 +4871,8 @@ void Tokenizer::setVarIdPass1()
                                               mTemplateSimplifier->getUsedVariables(),
                                               variableMap.map(true),
                                               mTemplateVarIdUsage);
+                        if (!tok3->next())
+                            syntaxError(tok3);
                     }
                 }
 
diff --git a/test/cli/fuzz-crash/crash-1c67200986f8cd9788ccf3dbb764d49cb67819b1 b/test/cli/fuzz-crash/crash-1c67200986f8cd9788ccf3dbb764d49cb67819b1
@@ -0,0 +1 @@
+e U U,i
diff --git a/test/testgarbage.cpp b/test/testgarbage.cpp
@@ -258,6 +258,7 @@ class TestGarbage : public TestFixture {
         TEST_CASE(garbageCode227);
         TEST_CASE(garbageCode228);
         TEST_CASE(garbageCode229);
+        TEST_CASE(garbageCode230);
 
         TEST_CASE(garbageCodeFuzzerClientMode1); // test cases created with the fuzzer client, mode 1
 
@@ -1771,6 +1772,9 @@ class TestGarbage : public TestFixture {
         ASSERT_THROW_INTERNAL(checkCode("void f() {} [[maybe_unused]]"), SYNTAX);
         ASSERT_THROW_INTERNAL(checkCode("void f() {} [[unused]]"), SYNTAX);
     }
+    void garbageCode230() { // #14432
+        ASSERT_THROW_INTERNAL(checkCode("e U U,i"), SYNTAX);
+    }
 
 
     void syntaxErrorFirstToken() {

Original file line number	Diff line number	Diff line change
`@@ -4871,6 +4871,8 @@ void Tokenizer::setVarIdPass1()`
`4871`	`4871`	`mTemplateSimplifier->getUsedVariables(),`
`4872`	`4872`	`variableMap.map(true),`
`4873`	`4873`	`mTemplateVarIdUsage);`
	`4874`	`+ if (!tok3->next())`
	`4875`	`+ syntaxError(tok3);`
`4874`	`4876`	`}`
`4875`	`4877`	`}`
`4876`	`4878`