Fix #13693 fuzzing crash (null-pointer-use) in findEscapeStatement() (danmar#8106)

Co-authored-by: chrchr-github <noreply@github.com>

Author: chrchr-github

lib/tokenize.cpp

@@ -108,7 +108,7 @@ static bool isClassStructUnionEnumStart(const Token * tok)
     if (!Token::Match(tok->previous(), "class|struct|union|enum|%name%|>|>> {"))
         return false;
     const Token * tok2 = tok->previous();
-    while (tok2 && !Token::Match(tok2, "class|struct|union|enum|{|}|;"))
+    while (tok2 && !Token::Match(tok2, "class|struct|union|enum|{|}|)|;|>|>>"))
         tok2 = tok2->previous();
     return Token::Match(tok2, "class|struct|union|enum");
 }
@@ -8782,6 +8782,16 @@ void Tokenizer::findGarbageCode() const
         else if (tok->isKeyword() && nonGlobalKeywords.count(tok->str()) && !Token::Match(tok->tokAt(-2), "operator %str%"))
             syntaxError(tok, "keyword '" + tok->str() + "' is not allowed in global scope");
     }
+    for (const Token *tok = tokens(); tok; tok = tok->next()) {
+        if (tok->str() == "{" && isClassStructUnionEnumStart(tok)) {
+            for (const Token* tok2 = tok->next(); tok2 != tok->link(); tok2 = tok2->next()) {
+                if (tok2->str() == "{")
+                    tok2 = tok2->link();
+                else if (tok2->isKeyword() && nonGlobalKeywords.count(tok2->str()) && !Token::Match(tok2->tokAt(-2), "operator %str%"))
+                    syntaxError(tok2, "keyword '" + tok2->str() + "' is not allowed in class/struct/union/enum scope");
+            }
+        }
+    }
 
     // case keyword must be inside switch
     for (const Token *tok = tokens(); tok; tok = tok->next()) {

test/cli/fuzz-crash/crash-9054eec11c4eb2cccf3ae02cdc3469fae5f8d9ae

@@ -0,0 +1 @@
+(c*8s){}

test/cli/fuzz-crash_c/crash-493bda132c00d17406b5e661e034867029a1fac1

@@ -0,0 +1 @@
+v(){union{a i;for(i=0;!i;);};}