From 99da497f081c835ec69b35c497903f9feb749f7c Mon Sep 17 00:00:00 2001 
From: firewave Date: Thu, 22 Feb 2024 01:04:00 +0100 Subject: [PATCH 1/4] fixed fuzzing crash ==77069==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x5818456d58e8 bp 0x7ffefda33930 sp 0x7ffefda32ec0 T0) ==77069==The signal is caused by a READ memory access. ==77069==Hint: address points to the zero page. #0 0x5818456d58e8 in _M_data /sbin/../lib64/gcc/x86_64-pc-linux-gnu/13.2.1/../../../../include/c++/13.2.1/bits/basic_string.h:223:28 #1 0x5818456d58e8 in c_str /sbin/../lib64/gcc/x86_64-pc-linux-gnu/13.2.1/../../../../include/c++/13.2.1/bits/basic_string.h:2584:16 #2 0x5818456d58e8 in operator==<2U> /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/matchcompiler.h:57:29 #3 0x5818456d58e8 in operator!=<2U> /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/matchcompiler.h:63:17 #4 0x5818456d58e8 in Tokenizer::simplifyTypedefCpp() /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/tokenize.cpp:9257:63 #5 0x5818456b6a4e in Tokenizer::simplifyTypedef() /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/tokenize.cpp:8440:5 #6 0x581845728947 in Tokenizer::simplifyTokenList1(char const*) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/tokenize.cpp:12966:9 #7 0x581845721160 in Tokenizer::simplifyTokens1(std::__cxx11::basic_string, std::allocator> const&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/tokenize.cpp:10670:14 #8 0x5818460d580d in CppCheck::checkFile(std::__cxx11::basic_string, std::allocator> const&, std::__cxx11::basic_string, std::allocator> const&, std::istream*) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/cppcheck.cpp:907:32 #9 0x5818460e19f1 in CppCheck::check(std::__cxx11::basic_string, std::allocator> const&, std::__cxx11::basic_string, std::allocator> const&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/cppcheck.cpp:561:12 #10 0x58184655ea64 in LLVMFuzzerTestOneInput /home/user/CLionProjects/cppcheck-rider/oss-fuzz/main.cpp:47:18 #11 0x5818452261e8 in 
fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x6831e8) (BuildId: e178119f6c3ed0061522391da23885513ce32cf8) #12 0x5818452268e6 in fuzzer::Fuzzer::MinimizeCrashLoop(std::vector> const&) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x6838e6) (BuildId: e178119f6c3ed0061522391da23885513ce32cf8) #13 0x5818451fcb0b in fuzzer::MinimizeCrashInputInternalStep(fuzzer::Fuzzer*, fuzzer::InputCorpus*) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x659b0b) (BuildId: e178119f6c3ed0061522391da23885513ce32cf8) #14 0x581845209218 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x666218) (BuildId: e178119f6c3ed0061522391da23885513ce32cf8) #15 0x58184518ef77 in main (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x5ebf77) (BuildId: e178119f6c3ed0061522391da23885513ce32cf8) #16 0x7cd168c43ccf (/usr/lib/libc.so.6+0x29ccf) (BuildId: 0865c4b9ba13e0094e8b45b78dfc7a2971f536d2) #17 0x7cd168c43d89 in __libc_start_main (/usr/lib/libc.so.6+0x29d89) (BuildId: 0865c4b9ba13e0094e8b45b78dfc7a2971f536d2) #18 0x5818451f3004 in _start (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x650004) (BuildId: e178119f6c3ed0061522391da23885513ce32cf8)
---
 lib/tokenize.cpp | 2 +-
 .../fuzz-crash/crash-7bac85061edab7fdce2889f02ea3a044242a3920 | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
 create mode 100644 test/cli/fuzz-crash/crash-7bac85061edab7fdce2889f02ea3a044242a3920
diff --git a/lib/tokenize.cpp b/lib/tokenize.cpp
index 56d1bcd5728..aa2cc861f1f 100644
--- a/lib/tokenize.cpp
+++ b/lib/tokenize.cpp
@@ -1940,7 +1940,7 @@ void Tokenizer::simplifyTypedefCpp()
 // start substituting at the typedef name by replacing it with the type
 Token* replStart = tok2; // track first replaced token
- for (Token* tok3 = typeStart; tok3->str() != ";"; tok3 = tok3->next())
+ for (Token* tok3 = typeStart; tok3 && (tok3->str() != ";"); tok3 = tok3->next())
 tok3->isSimplifiedTypedef(true);
 if (isPointerTypeCall) {
 tok2->deleteThis();
diff --git a/test/cli/fuzz-crash/crash-7bac85061edab7fdce2889f02ea3a044242a3920 b/test/cli/fuzz-crash/crash-7bac85061edab7fdce2889f02ea3a044242a3920
new file mode 100644
index 00000000000..d9de20d6e55
--- /dev/null
+++ b/test/cli/fuzz-crash/crash-7bac85061edab7fdce2889f02ea3a044242a3920
@@ -0,0 +1 @@
+a,typedef U typedef,U,i
\ No newline at end of file
From e991723b8ab022d0e9937de7d7e6cab82fbc8334 Mon Sep 17 00:00:00 2001
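Review bot: The added `tok3 &&` guard stops the walk from dereferencing null at the end of the token list, but it does so silently: reaching the end without a `;` means the typedef is unterminated, and the substitution below (`tok2->deleteThis()` and the rest of simplifyTypedefCpp, which continues outside the hunk) still proceeds on a list where the marking loop ended early. If continuing is intended, the reason belongs on the loop, e.g. `// tok3 can run to the end of the list on a truncated typedef (fuzz input); stop rather than dereference null`. The parentheses around `tok3->str() != ";"` are redundant with `&&`; `tok3 && tok3->str() != ";"` matches the form used in the tokenlist.cpp hunk of patch 4/4. Whether bailing out of the substitution entirely is the safer choice for a truncated typedef depends on what the callers expect, which this hunk does not show.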
From: firewave Date: Thu, 22 Feb 2024 15:07:33 +0100 Subject: [PATCH 2/4] fixed fuzzing crash ==149528==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x5d6ad25b3594 bp 0x7fffe27af570 sp 0x7fffe27af460 T0) ==149528==The signal is caused by a READ memory access. ==149528==Hint: address points to the zero page. #0 0x5d6ad25b3594 in next /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/token.h:831:16 #1 0x5d6ad25b3594 in Tokenizer::simplifyNamespaceAliases() /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/tokenize.cpp:17826:40 #2 0x5d6ad24f6ac2 in Tokenizer::simplifyTokenList1(char const*) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/tokenize.cpp:12822:5 #3 0x5d6ad24f1190 in Tokenizer::simplifyTokens1(std::__cxx11::basic_string, std::allocator> const&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/tokenize.cpp:10670:14 #4 0x5d6ad2ea58cd in CppCheck::checkFile(std::__cxx11::basic_string, std::allocator> const&, std::__cxx11::basic_string, std::allocator> const&, std::istream*) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/cppcheck.cpp:907:32 #5 0x5d6ad2eb1ab1 in CppCheck::check(std::__cxx11::basic_string, std::allocator> const&, std::__cxx11::basic_string, std::allocator> const&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/cppcheck.cpp:561:12 #6 0x5d6ad332eb24 in LLVMFuzzerTestOneInput /home/user/CLionProjects/cppcheck-rider/oss-fuzz/main.cpp:47:18 #7 0x5d6ad1ff61e8 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x6831e8) (BuildId: ccbc3e894f14691449044410c9da42fa3a09557b) #8 0x5d6ad1ff68e6 in fuzzer::Fuzzer::MinimizeCrashLoop(std::vector> const&) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x6838e6) (BuildId: ccbc3e894f14691449044410c9da42fa3a09557b) #9 0x5d6ad1fccb0b in fuzzer::MinimizeCrashInputInternalStep(fuzzer::Fuzzer*, fuzzer::InputCorpus*) 
(/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x659b0b) (BuildId: ccbc3e894f14691449044410c9da42fa3a09557b) #10 0x5d6ad1fd9218 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x666218) (BuildId: ccbc3e894f14691449044410c9da42fa3a09557b) #11 0x5d6ad1f5ef77 in main (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x5ebf77) (BuildId: ccbc3e894f14691449044410c9da42fa3a09557b) #12 0x7bb3d5955ccf (/usr/lib/libc.so.6+0x29ccf) (BuildId: 0865c4b9ba13e0094e8b45b78dfc7a2971f536d2) #13 0x7bb3d5955d89 in __libc_start_main (/usr/lib/libc.so.6+0x29d89) (BuildId: 0865c4b9ba13e0094e8b45b78dfc7a2971f536d2) #14 0x5d6ad1fc3004 in _start (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x650004) (BuildId: ccbc3e894f14691449044410c9da42fa3a09557b)
---
 lib/tokenize.cpp | 2 ++
 .../fuzz-crash/crash-82986578453ec2056069c70846571775b10dfbcb | 1 +
 2 files changed, 3 insertions(+)
 create mode 100644 test/cli/fuzz-crash/crash-82986578453ec2056069c70846571775b10dfbcb
diff --git a/lib/tokenize.cpp b/lib/tokenize.cpp
index aa2cc861f1f..6a8d07e2d66 100644
--- a/lib/tokenize.cpp
+++ b/lib/tokenize.cpp
@@ -10537,6 +10537,8 @@ void Tokenizer::simplifyNamespaceAliases()
 int endScope = scope;
 Token * tokLast = tokNameEnd->next();
+ if (!tokLast)
+ return;
 Token * tokNext = tokLast->next();
 Token * tok2 = tokNext;
diff --git a/test/cli/fuzz-crash/crash-82986578453ec2056069c70846571775b10dfbcb b/test/cli/fuzz-crash/crash-82986578453ec2056069c70846571775b10dfbcb
new file mode 100644
index 00000000000..d658e27570f
--- /dev/null
+++ b/test/cli/fuzz-crash/crash-82986578453ec2056069c70846571775b10dfbcb
@@ -0,0 +1 @@
+namespace d=S
\ No newline at end of file
From 9819dea1f67e5f1daa7b7f39b2c114268cc05566 Mon Sep 17 00:00:00 2001
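Review bot: The new guard covers only `tokLast`; `tokNext` on the following line is `tokLast->next()` and is copied into `tok2` unguarded, so an input that ends one token later than the fixture `namespace d=S` (for example with a trailing `;`) leaves `tokNext` and `tok2` null, and whether either is dereferenced before being checked depends on code below the hunk that I cannot see. If it is, widen the same early return: `if (!tokLast || !tokLast->next()) return;`. The bail-out also drops the alias without any trace of why; a short comment such as `// truncated alias declaration: nothing left to substitute` above the check would tell the next reader this is the expected shape for malformed input rather than a tokenizer invariant. simplifyNamespaceAliases continues outside the hunk.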
From: firewave Date: Wed, 6 Mar 2024 15:09:23 +0100 Subject: [PATCH 3/4] fixed fuzzing crash /home/user/CLionProjects/cppcheck-rider/lib/checksizeof.cpp:239:37: runtime error: member call on null pointer of type 'Token' #0 0x637fa171b539 in CheckSizeof::checkSizeofForPointerSize() /home/user/CLionProjects/cppcheck-rider/lib/checksizeof.cpp:239:37 #1 0x637fa1727816 in CheckSizeof::runChecks(Tokenizer const&, ErrorLogger*) /home/user/CLionProjects/cppcheck-rider/lib/checksizeof.h:61:21 #2 0x637fa197f5bd in CppCheck::checkNormalTokens(Tokenizer const&) /home/user/CLionProjects/cppcheck-rider/lib/cppcheck.cpp:1122:20 #3 0x637fa1998334 in CppCheck::checkFile(std::__cxx11::basic_string, std::allocator> const&, std::__cxx11::basic_string, std::allocator> const&, std::istream*) /home/user/CLionProjects/cppcheck-rider/lib/cppcheck.cpp:955:17 #4 0x637fa1985a87 in CppCheck::check(std::__cxx11::basic_string, std::allocator> const&) /home/user/CLionProjects/cppcheck-rider/lib/cppcheck.cpp:556:12 #5 0x637fa0a83f2b in SingleExecutor::check() /home/user/CLionProjects/cppcheck-rider/cli/singleexecutor.cpp:53:29 #6 0x637fa09be8dc in CppCheckExecutor::check_internal(Settings const&) const /home/user/CLionProjects/cppcheck-rider/cli/cppcheckexecutor.cpp:277:32 #7 0x637fa09bd73d in CppCheckExecutor::check_wrapper(Settings const&) /home/user/CLionProjects/cppcheck-rider/cli/cppcheckexecutor.cpp:216:12 #8 0x637fa09bc67a in CppCheckExecutor::check(int, char const* const*) /home/user/CLionProjects/cppcheck-rider/cli/cppcheckexecutor.cpp:202:21 #9 0x637fa20cd247 in main /home/user/CLionProjects/cppcheck-rider/cli/main.cpp:91:21 #10 0x7c50f5c0dccf (/usr/lib/libc.so.6+0x29ccf) (BuildId: 0865c4b9ba13e0094e8b45b78dfc7a2971f536d2) #11 0x7c50f5c0dd89 in __libc_start_main (/usr/lib/libc.so.6+0x29d89) (BuildId: 0865c4b9ba13e0094e8b45b78dfc7a2971f536d2) #12 0x637fa07f79f4 in _start (/home/user/CLionProjects/cppcheck-rider/cmake-build-debug-clang-asan-ubsan/bin/cppcheck+0xf6c9f4) (BuildId: 
780ff4c602598cd16715ae4e639db79b0c18f29d) SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/user/CLionProjects/cppcheck-rider/lib/checksizeof.cpp:239:37 in
---
 lib/checksizeof.cpp | 3 ++-
 .../fuzz-crash/crash-f4ec019b9a1f357d036a9bc3c2cb6fb10a0c3ded | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)
 create mode 100644 test/cli/fuzz-crash/crash-f4ec019b9a1f357d036a9bc3c2cb6fb10a0c3ded
diff --git a/lib/checksizeof.cpp b/lib/checksizeof.cpp
index 848b8946cbe..2a3cbaaad56 100644
--- a/lib/checksizeof.cpp
+++ b/lib/checksizeof.cpp
@@ -236,7 +236,8 @@ void CheckSizeof::checkSizeofForPointerSize()
 continue;
 // Now check for the sizeof usage: Does the level of pointer indirection match?
- if (tokSize->linkAt(1)->strAt(-1) == "*") {
+ const Token * const tokLink = tokSize->linkAt(1);
+ if (tokLink && tokLink->strAt(-1) == "*") {
 if (variable && variable->valueType() && variable->valueType()->pointer == 1 && variable->valueType()->type != ValueType::VOID)
 sizeofForPointerError(variable, variable->str());
 else if (variable2 && variable2->valueType() && variable2->valueType()->pointer == 1 && variable2->valueType()->type != ValueType::VOID)
diff --git a/test/cli/fuzz-crash/crash-f4ec019b9a1f357d036a9bc3c2cb6fb10a0c3ded b/test/cli/fuzz-crash/crash-f4ec019b9a1f357d036a9bc3c2cb6fb10a0c3ded
new file mode 100644
index 00000000000..7f948841a94
--- /dev/null
+++ b/test/cli/fuzz-crash/crash-f4ec019b9a1f357d036a9bc3c2cb6fb10a0c3ded
@@ -0,0 +1 @@
+o k(){t*data;{memcpy(data,,sizeof\)}}
\ No newline at end of file
From 6933e5329df7f5fe99fae2c6e9b11b77bb07c8c7 Mon Sep 17 00:00:00 2001
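Review bot: The `tokLink` null check is correct as far as the hunk shows, but nothing says when `linkAt(1)` can be null, so the next reader cannot tell whether this is a broken tokenizer invariant or an expected shape for malformed input; a one-line comment above the new declaration would settle it, e.g. `// linkAt(1) is null when the token after sizeof is not a linked opening bracket (malformed input, see the fuzz fixture)` — the cause is my inference from the fixture, so confirm it before writing it down. `tokLink->strAt(-1)` still assumes a previous token exists; for a link token that seems safe because its matching opener precedes it, so no further guard appears needed. The if-body and checkSizeofForPointerSize continue outside the hunk.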
From: firewave Date: Wed, 6 Mar 2024 15:37:39 +0100 Subject: [PATCH 4/4] fixed fuzzing crash /home/user/CLionProjects/cppcheck-rider/lib/tokenlist.cpp:1584:57: runtime error: member call on null pointer of type 'Token' #0 0x567b09ca144a in createAstAtToken(Token*, bool) /home/user/CLionProjects/cppcheck-rider/lib/tokenlist.cpp:1584:57 #1 0x567b09c9f318 in TokenList::createAst() const /home/user/CLionProjects/cppcheck-rider/lib/tokenlist.cpp:1757:15 #2 0x567b08bffc19 in Tokenizer::simplifyTokens1(std::__cxx11::basic_string, std::allocator> const&) /home/user/CLionProjects/cppcheck-rider/lib/tokenize.cpp:3380:14 #3 0x567b096e08ea in CppCheck::checkFile(std::__cxx11::basic_string, std::allocator> const&, std::__cxx11::basic_string, std::allocator> const&, std::istream*) /home/user/CLionProjects/cppcheck-rider/lib/cppcheck.cpp:925:32 #4 0x567b096cfbb7 in CppCheck::check(std::__cxx11::basic_string, std::allocator> const&) /home/user/CLionProjects/cppcheck-rider/lib/cppcheck.cpp:556:12 #5 0x567b087cdf2b in SingleExecutor::check() /home/user/CLionProjects/cppcheck-rider/cli/singleexecutor.cpp:53:29 #6 0x567b087088dc in CppCheckExecutor::check_internal(Settings const&) const /home/user/CLionProjects/cppcheck-rider/cli/cppcheckexecutor.cpp:277:32 #7 0x567b0870773d in CppCheckExecutor::check_wrapper(Settings const&) /home/user/CLionProjects/cppcheck-rider/cli/cppcheckexecutor.cpp:216:12 #8 0x567b0870667a in CppCheckExecutor::check(int, char const* const*) /home/user/CLionProjects/cppcheck-rider/cli/cppcheckexecutor.cpp:202:21 #9 0x567b09e173a7 in main /home/user/CLionProjects/cppcheck-rider/cli/main.cpp:91:21 #10 0x7a285fb55ccf (/usr/lib/libc.so.6+0x29ccf) (BuildId: 0865c4b9ba13e0094e8b45b78dfc7a2971f536d2) #11 0x7a285fb55d89 in __libc_start_main (/usr/lib/libc.so.6+0x29d89) (BuildId: 0865c4b9ba13e0094e8b45b78dfc7a2971f536d2) #12 0x567b085419f4 in _start (/home/user/CLionProjects/cppcheck-rider/cmake-build-debug-clang-asan-ubsan/bin/cppcheck+0xf6d9f4) (BuildId: 
0c5083349039fc85dc8c8bb587f97bea024306ef)
---
 lib/tokenlist.cpp | 2 +-
 .../fuzz-crash/crash-e000709d155e9c993795748ba31fddacbd5a86ac | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
 create mode 100644 test/cli/fuzz-crash/crash-e000709d155e9c993795748ba31fddacbd5a86ac
diff --git a/lib/tokenlist.cpp b/lib/tokenlist.cpp
index 6cd58a78573..d8048af2ee3 100644
--- a/lib/tokenlist.cpp
+++ b/lib/tokenlist.cpp
@@ -1582,7 +1582,7 @@ static Token * createAstAtToken(Token *tok)
 AST_state state1(cpp);
 compileExpression(tok2, state1);
 if (Token::Match(init1, "( !!{")) {
- for (Token *tok3 = init1; tok3 != tok3->link(); tok3 = tok3->next()) {
+ for (Token *tok3 = init1; tok3 && tok3 != tok3->link(); tok3 = tok3->next()) {
 if (tok3->astParent()) {
 while (tok3->astParent())
 tok3 = tok3->astParent();
diff --git a/test/cli/fuzz-crash/crash-e000709d155e9c993795748ba31fddacbd5a86ac b/test/cli/fuzz-crash/crash-e000709d155e9c993795748ba31fddacbd5a86ac
new file mode 100644
index 00000000000..6f94840a159
--- /dev/null
+++ b/test/cli/fuzz-crash/crash-e000709d155e9c993795748ba31fddacbd5a86ac
@@ -0,0 +1 @@
+{for(()s)}
\ No newline at end of file
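Review bot: The loop condition `tok3 != tok3->link()` compares each token with its own link, which (unless Token::link() can return the token itself, which I cannot see from here) is never false, so the loop never stops at the matching `)` and terminates only through a `break` in its body or, now, through the added null guard; that is why the truncated fixture `{for(()s)}` walked off the end of the list. If the intent is to scan just the parenthesised init expression, capture the bound once before the loop and test against it: `const Token* const initEnd = init1->link();` and `for (Token *tok3 = init1; tok3 && tok3 != initEnd; tok3 = tok3->next()) {`. The body visibly reassigns `tok3` through `astParent()`, so it can leave the bracketed range; that is a second reason to bound on a value captured before the loop rather than on tok3's own link. The loop body and createAstAtToken continue outside the hunk.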