Fix #12790-93 fuzzing crashes (#6460)

Author: chrchr-github

lib/templatesimplifier.cpp

@@ -833,6 +833,8 @@ void TemplateSimplifier::getTemplateInstantiations()
         } else if (Token::Match(tok->previous(), "(|{|}|;|=|>|<<|:|.|*|&|return|<|,|!|[ %name% ::|<|(") ||
                    Token::Match(tok->previous(), "%type% %name% ::|<") ||
                    Token::Match(tok->tokAt(-2), "[,:] private|protected|public %name% ::|<")) {
+            if (!tok->scopeInfo())
+                syntaxError(tok);
             std::string scopeName = tok->scopeInfo()->name;
             std::string qualification;
             Token * qualificationTok = tok;

lib/tokenize.cpp

@@ -8708,7 +8708,8 @@ void Tokenizer::findGarbageCode() const
             syntaxError(tok);
         if (Token::Match(tok, "typedef [,;:]"))
             syntaxError(tok);
-        if (Token::Match(tok, "! %comp%"))
+        if (Token::Match(tok, "!|~ %comp%") &&
+            !(isCPP() && tok->strAt(1) == ">" && Token::simpleMatch(tok->tokAt(-1), "operator")))
             syntaxError(tok);
         if (Token::Match(tok, "] %name%") && (!isCPP() || !(tok->tokAt(-1) && Token::simpleMatch(tok->tokAt(-2), "delete [")))) {
             if (tok->next()->isUpperCaseName())
@@ -8784,24 +8785,25 @@ void Tokenizer::findGarbageCode() const
         for (const Token *tok = tokens(); tok; tok = tok->next()) {
             if (Token::simpleMatch(tok, "< >") && !(Token::Match(tok->tokAt(-1), "%name%") || (tok->tokAt(-1) && Token::Match(tok->tokAt(-2), "operator %op%"))))
                 syntaxError(tok);
+            if (Token::simpleMatch(tok, ": template") && !Token::Match(tok->tokAt(-1), "public|private|protected"))
+                syntaxError(tok);
             if (!Token::simpleMatch(tok, "template <"))
                 continue;
             if (!tok->tokAt(2) || tok->tokAt(2)->isLiteral())
                 syntaxError(tok);
-            if (tok->previous() && !Token::Match(tok->previous(), ":|;|{|}|)|>|\"C++\"")) {
+            if (tok->previous() && !Token::Match(tok->previous(), ":|,|;|{|}|)|<|>|\"C++\"")) {
                 if (tok->previous()->isUpperCaseName())
                     unknownMacroError(tok->previous());
                 else
                     syntaxError(tok);
             }
-            const Token * const tok1 = tok;
-            tok = tok->next()->findClosingBracket();
-            if (!tok)
-                syntaxError(tok1);
-            if (!Token::Match(tok, ">|>> ::|...| %name%") &&
-                !Token::Match(tok, ">|>> [ [ %name%") &&
-                !Token::Match(tok, "> >|*"))
-                syntaxError(tok->next() ? tok->next() : tok1);
+            const Token * const tok1 = tok->next()->findClosingBracket();
+            if (!tok1)
+                syntaxError(tok);
+            if (!Token::Match(tok1, ">|>> ::|...| %name%") &&
+                !Token::Match(tok1, ">|>> [ [ %name%") &&
+                !Token::Match(tok1, "> >|*"))
+                syntaxError(tok1->next() ? tok1->next() : tok);
         }
     }
 

test/cli/fuzz-crash/crash-0fc87af032255dddcea3248798a6e19ab49b231a

@@ -0,0 +1 @@
+{template<~>tu<0>}tu=c<F

test/cli/fuzz-crash/crash-34c8d34fd4607de810d8d5bec881b40d37533181

@@ -0,0 +1 @@
+t<e<:template<>e=c>n

test/cli/fuzz-timeout/oom-756ab636471bffa2430290f58776f1f6d8754ab1

@@ -0,0 +1 @@
+template< <>t=t<>>d

test/cli/fuzz-timeout/oom-e19261c78d73cf172308f6c33df68642dfd7b679

@@ -0,0 +1 @@
+template<~>tu<2>tu=<tu<0&tu<0&n