Fix heap-use-after-free in Tokenizer::simplifyUsing()

GilmarSantosJr · GilmarSantosJr · commit e15927d747a8 · 2026-06-29T17:30:02.000-03:00
diff --git a/lib/tokenize.cpp b/lib/tokenize.cpp
@@ -3015,7 +3015,6 @@ bool Tokenizer::simplifyUsing()
                 Token::Match(tok->linkAt(2), "] ] = ::| %name%")))))
             continue;
 
-        const std::string& name = tok->strAt(1);
         const Token *nameToken = tok->next();
         std::string scope = currentScope->fullName;
         Token *usingStart = tok;
@@ -3064,7 +3063,7 @@ bool Tokenizer::simplifyUsing()
             if (!hasName) {
                 std::string newName;
                 if (structEnd->strAt(2) == ";")
-                    newName = name;
+                    newName = nameToken->str();
                 else
                     newName = "Unnamed" + std::to_string(mUnnamedCount++);
                 TokenList::copyTokens(structEnd->next(), tok, start);
@@ -3211,7 +3210,7 @@ bool Tokenizer::simplifyUsing()
             if (!isTypedefInfoAdded && Token::Match(tok1, "%name% (")) {
                 isTypedefInfoAdded = true;
                 TypedefInfo usingInfo;
-                usingInfo.name = name;
+                usingInfo.name = nameToken->str();
                 usingInfo.filename = list.file(nameToken);
                 usingInfo.lineNumber = nameToken->linenr();
                 usingInfo.column = nameToken->column();
diff --git a/test/testsimplifyusing.cpp b/test/testsimplifyusing.cpp
@@ -77,6 +77,7 @@ class TestSimplifyUsing : public TestFixture {
         TEST_CASE(simplifyUsing37);
         TEST_CASE(simplifyUsing38);
         TEST_CASE(simplifyUsing39);
+        TEST_CASE(simplifyUsing40);
 
         TEST_CASE(simplifyUsing8970);
         TEST_CASE(simplifyUsing8971);
@@ -939,6 +940,12 @@ class TestSimplifyUsing : public TestFixture {
         ASSERT_EQUALS("", errout_str());
     }
 
+    void simplifyUsing40() {
+        const char code[] = "using C = struct C { C() {} };";
+        const char expected[] = "struct C { C ( ) { } } ;";
+        ASSERT_EQUALS(expected, tok(code));
+    }
+
     void simplifyUsing8970() {
         const char code[] = "using V = std::vector<int>;\n"
                             "struct A {\n"
