Fix #13501 fuzzing crash (heap-use-after-free) in Tokenizer::simplifyNamespaceAliases()

web-flow · web-flow · commit c8c088f9aa91 · 2026-01-09T20:41:58.000+01:00
diff --git a/lib/tokenize.cpp b/lib/tokenize.cpp
@@ -8991,15 +8991,17 @@ void Tokenizer::findGarbageCode() const
                 }
             }
         }
-        if (cpp && tok->str() == "namespace" && tok->tokAt(-1)) {
-            if (!Token::Match(tok->tokAt(-1), ";|{|}|using|inline")) {
+        if (cpp && tok->str() == "namespace") {
+            if (tok->tokAt(-1) && !Token::Match(tok->tokAt(-1), ";|{|}|using|inline")) {
                 if (tok->tokAt(-1)->isUpperCaseName())
                     unknownMacroError(tok->tokAt(-1));
                 else if (tok->linkAt(-1) && tok->linkAt(-1)->tokAt(-1) && tok->linkAt(-1)->tokAt(-1)->isUpperCaseName())
                     unknownMacroError(tok->linkAt(-1)->tokAt(-1));
                 else
                     syntaxError(tok);
             }
+            if (!tok->next() || (Token::Match(tok->next(), "%name% =") && !Token::Match(tok->tokAt(3), "::|%name%")))
+                syntaxError(tok);
         }
         if (cpp && tok->str() == "using" && !Token::Match(tok->next(), "::|%name%"))
             syntaxError(tok);
diff --git a/test/cli/fuzz-crash/crash-fb09b3314f55a502c8dd27f3f114122c71dd207e b/test/cli/fuzz-crash/crash-fb09b3314f55a502c8dd27f3f114122c71dd207e
@@ -0,0 +1 @@
+;namespace b=i;;namespace b={}

Original file line number	Diff line number	Diff line change
`@@ -8991,15 +8991,17 @@ void Tokenizer::findGarbageCode() const`
`8991`	`8991`	`}`
`8992`	`8992`	`}`
`8993`	`8993`	`}`
`8994`		`- if (cpp && tok->str() == "namespace" && tok->tokAt(-1)) {`
`8995`		`- if (!Token::Match(tok->tokAt(-1), ";\|{\|}\|using\|inline")) {`
	`8994`	`+ if (cpp && tok->str() == "namespace") {`
	`8995`	`+ if (tok->tokAt(-1) && !Token::Match(tok->tokAt(-1), ";\|{\|}\|using\|inline")) {`
`8996`	`8996`	`if (tok->tokAt(-1)->isUpperCaseName())`
`8997`	`8997`	`unknownMacroError(tok->tokAt(-1));`
`8998`	`8998`	`else if (tok->linkAt(-1) && tok->linkAt(-1)->tokAt(-1) && tok->linkAt(-1)->tokAt(-1)->isUpperCaseName())`
`8999`	`8999`	`unknownMacroError(tok->linkAt(-1)->tokAt(-1));`
`9000`	`9000`	`else`
`9001`	`9001`	`syntaxError(tok);`
`9002`	`9002`	`}`
	`9003`	`+ if (!tok->next() \|\| (Token::Match(tok->next(), "%name% =") && !Token::Match(tok->tokAt(3), "::\|%name%")))`
	`9004`	`+ syntaxError(tok);`
`9003`	`9005`	`}`
`9004`	`9006`	`if (cpp && tok->str() == "using" && !Token::Match(tok->next(), "::\|%name%"))`
`9005`	`9007`	`syntaxError(tok);`