Fix #13095 nullptr dereference in simplifyUsing() (danmar#7264)

chrchr-github · web-flow · commit cd2e4e8e97ec · 2025-01-30T10:23:39.000+01:00
diff --git a/lib/tokenize.cpp b/lib/tokenize.cpp
@@ -2872,7 +2872,7 @@ static bool scopesMatch(const std::string &scope1, const std::string &scope2, co
     return false;
 }
 
-static unsigned int tokDistance(const Token* tok1, const Token* tok2) {
+static unsigned int tokDistance(const Token* tok1, const Token* tok2) { // TODO: use index()
     unsigned int dist = 0;
     const Token* tok = tok1;
     while (tok != tok2) {
@@ -2882,6 +2882,12 @@ static unsigned int tokDistance(const Token* tok1, const Token* tok2) {
     return dist;
 }
 
+static const Token* skipConstVolatileBackwards(const Token* tok) {
+    while (Token::Match(tok, "const|volatile"))
+        tok = tok->previous();
+    return tok;
+}
+
 bool Tokenizer::simplifyUsing()
 {
     if (!isCPP() || mSettings.standards.cpp < Standards::CPP11)
@@ -3343,7 +3349,7 @@ bool Tokenizer::simplifyUsing()
                     }
 
                     // Is this a "T(...)" expression where T is a pointer type?
-                    if (Token::Match(tok1, "%name% [({]") && !pointers.empty() && !Token::simpleMatch(tok1->tokAt(-1), ".")) {
+                    if (Token::Match(tok1, "%name% [({]") && !pointers.empty() && !Token::simpleMatch(skipConstVolatileBackwards(tok1->tokAt(-1)), ".")) {
                         tok1->tokAt(1)->str("(");
                         tok1->linkAt(1)->str(")");
                         if (tok1->linkAt(1) == tok1->tokAt(2)) { // T() or T{}
diff --git a/test/testsimplifyusing.cpp b/test/testsimplifyusing.cpp
@@ -822,6 +822,14 @@ class TestSimplifyUsing : public TestFixture {
         TODO_ASSERT_EQUALS("",
                            "[test.cpp:6]: (debug) auto token with no type.\n"
                            "", errout_str());
+
+        const char code3[] = "using V = int*;\n"
+                             "auto g() -> const volatile V { return {}; }\n";
+        const char expected3[] = "auto g ( ) . const volatile int * { return { } ; }";
+        ASSERT_EQUALS(expected3, tok(code3));
+        TODO_ASSERT_EQUALS("",
+                           "[test.cpp:2]: (debug) auto token with no type.\n"
+                           "", errout_str());
     }
 
     void simplifyUsing33() { // #13090
