Fix #14877: heap-use-after-free in Tokenizer::simplifyUsing()

GilmarSantosJr · GilmarSantosJr · commit 231b47d1841f · 2026-06-30T08:25:33.000-03:00
diff --git a/lib/tokenize.cpp b/lib/tokenize.cpp
@@ -3015,7 +3015,6 @@ bool Tokenizer::simplifyUsing()
                 Token::Match(tok->linkAt(2), "] ] = ::| %name%")))))
             continue;
 
-        const std::string& name = tok->strAt(1);
         const Token *nameToken = tok->next();
         std::string scope = currentScope->fullName;
         Token *usingStart = tok;
@@ -3064,7 +3063,7 @@ bool Tokenizer::simplifyUsing()
             if (!hasName) {
                 std::string newName;
                 if (structEnd->strAt(2) == ";")
-                    newName = name;
+                    newName = nameToken->str();
                 else
                     newName = "Unnamed" + std::to_string(mUnnamedCount++);
                 TokenList::copyTokens(structEnd->next(), tok, start);
@@ -3211,7 +3210,7 @@ bool Tokenizer::simplifyUsing()
             if (!isTypedefInfoAdded && Token::Match(tok1, "%name% (")) {
                 isTypedefInfoAdded = true;
                 TypedefInfo usingInfo;
-                usingInfo.name = name;
+                usingInfo.name = nameToken->str();
                 usingInfo.filename = list.file(nameToken);
                 usingInfo.lineNumber = nameToken->linenr();
                 usingInfo.column = nameToken->column();
diff --git a/test/testsimplifyusing.cpp b/test/testsimplifyusing.cpp
@@ -98,6 +98,7 @@ class TestSimplifyUsing : public TestFixture {
         TEST_CASE(simplifyUsing10335);
         TEST_CASE(simplifyUsing10720);
         TEST_CASE(simplifyUsing13873); // function declaration
+        TEST_CASE(simplifyUsing14877);
 
         TEST_CASE(scopeInfo1);
         TEST_CASE(scopeInfo2);
@@ -1667,6 +1668,12 @@ class TestSimplifyUsing : public TestFixture {
         ASSERT_EQUALS("namespace NS1 { void * f ( ) ; }", tok(code3));
     }
 
+    void simplifyUsing14877() {
+        const char code[] = "using C = struct C { C() {} };";
+        const char expected[] = "struct C { C ( ) { } } ;";
+        ASSERT_EQUALS(expected, tok(code));
+    }
+
     void scopeInfo1() {
         const char code[] = "struct A {\n"
                             "    enum class Mode { UNKNOWN, ENABLED, NONE, };\n"
