From 9e87bb15f3ba2c109ead8f0d519a515d98204137 Mon Sep 17 00:00:00 2001 From: chrchr-github Date: Sat, 10 Jan 2026 14:52:17 +0100 Subject: [PATCH 1/3] Fix #13693 fuzzing crash (null-pointer-use) in findEscapeStatement() --- lib/tokenize.cpp | 12 +++++++++++- .../crash-493bda132c00d17406b5e661e034867029a1fac1 | 1 + 2 files changed, 12 insertions(+), 1 deletion(-) create mode 100644 test/cli/fuzz-crash_c/crash-493bda132c00d17406b5e661e034867029a1fac1 diff --git a/lib/tokenize.cpp b/lib/tokenize.cpp index 952ba4b6c00..d4134bc3492 100644 --- a/lib/tokenize.cpp +++ b/lib/tokenize.cpp @@ -108,7 +108,7 @@ static bool isClassStructUnionEnumStart(const Token * tok) if (!Token::Match(tok->previous(), "class|struct|union|enum|%name%|>|>> {")) return false; const Token * tok2 = tok->previous(); - while (tok2 && !Token::Match(tok2, "class|struct|union|enum|{|}|;")) + while (tok2 && !Token::Match(tok2, "class|struct|union|enum|{|}|)|;|>|>>")) tok2 = tok2->previous(); return Token::Match(tok2, "class|struct|union|enum"); } @@ -8776,6 +8776,16 @@ void Tokenizer::findGarbageCode() const else if (tok->isKeyword() && nonGlobalKeywords.count(tok->str()) && !Token::Match(tok->tokAt(-2), "operator %str%")) syntaxError(tok, "keyword '" + tok->str() + "' is not allowed in global scope"); } + for (const Token *tok = tokens(); tok; tok = tok->next()) { + if (tok->str() == "{" && isClassStructUnionEnumStart(tok)) { + for (const Token* tok2 = tok->next(); tok2 != tok->link(); tok2 = tok2->next()) { + if (tok2->str() == "{") + tok2 = tok2->link(); + else if (tok2->isKeyword() && nonGlobalKeywords.count(tok2->str()) && !Token::Match(tok2->tokAt(-2), "operator %str%")) + syntaxError(tok2, "keyword '" + tok2->str() + "' is not allowed in class/struct/union scope"); + } + } + } // case keyword must be inside switch for (const Token *tok = tokens(); tok; tok = tok->next()) { diff --git a/test/cli/fuzz-crash_c/crash-493bda132c00d17406b5e661e034867029a1fac1 b/test/cli/fuzz-crash_c/crash-493bda132c00d17406b5e661e034867029a1fac1 new file mode 100644 index 00000000000..1cff3b66c8d --- /dev/null +++ b/test/cli/fuzz-crash_c/crash-493bda132c00d17406b5e661e034867029a1fac1 @@ -0,0 +1 @@ +v(){union{a i;for(i=0;!i;);};} \ No newline at end of file From 0e1f16d80b9ea11f26264c89f1e313346773f885 Mon Sep 17 00:00:00 2001 From: chrchr-github Date: Sun, 11 Jan 2026 20:02:55 +0100 Subject: [PATCH 2/3] Add test for #14152 --- .../fuzz-crash/crash-9054eec11c4eb2cccf3ae02cdc3469fae5f8d9ae | 1 + 1 file changed, 1 insertion(+) create mode 100644 test/cli/fuzz-crash/crash-9054eec11c4eb2cccf3ae02cdc3469fae5f8d9ae diff --git a/test/cli/fuzz-crash/crash-9054eec11c4eb2cccf3ae02cdc3469fae5f8d9ae b/test/cli/fuzz-crash/crash-9054eec11c4eb2cccf3ae02cdc3469fae5f8d9ae new file mode 100644 index 00000000000..5a088af4bda --- /dev/null +++ b/test/cli/fuzz-crash/crash-9054eec11c4eb2cccf3ae02cdc3469fae5f8d9ae @@ -0,0 +1 @@ +(c*8s){} \ No newline at end of file From 460a65a80ee7b6e2518b9b46e41a0414b924f8a2 Mon Sep 17 00:00:00 2001 From: chrchr-github <78114321+chrchr-github@users.noreply.github.com> Date: Mon, 12 Jan 2026 09:23:59 +0100 Subject: [PATCH 3/3] Fix message [skip ci] --- lib/tokenize.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/tokenize.cpp b/lib/tokenize.cpp index d4134bc3492..84d59ad8836 100644 --- a/lib/tokenize.cpp +++ b/lib/tokenize.cpp @@ -8782,7 +8782,7 @@ void Tokenizer::findGarbageCode() const if (tok2->str() == "{") tok2 = tok2->link(); else if (tok2->isKeyword() && nonGlobalKeywords.count(tok2->str()) && !Token::Match(tok2->tokAt(-2), "operator %str%")) - syntaxError(tok2, "keyword '" + tok2->str() + "' is not allowed in class/struct/union scope"); + syntaxError(tok2, "keyword '" + tok2->str() + "' is not allowed in class/struct/union/enum scope"); } } }