fix #14077: fuzzing crash (assert) in Token::update_property_info() (danmar#7808)

ludviggunne · web-flow · commit 2047c308688c · 2025-10-08T19:38:30.000+02:00
diff --git a/lib/token.cpp b/lib/token.cpp
@@ -153,7 +153,7 @@ void Token::update_property_info()
             if ((MathLib::isInt(mStr) || MathLib::isFloat(mStr)) && mStr.find('_') == std::string::npos)
                 tokType(eNumber);
             else
-                tokType(eName); // assume it is a user defined literal
+                tokType(eLiteral); // assume it is a user defined literal
         } else if (mStr == "=" || mStr == "<<=" || mStr == ">>=" ||
                    (mStr.size() == 2U && mStr[1] == '=' && std::strchr("+-*/%&^|", mStr[0])))
             tokType(eAssignmentOp);
diff --git a/lib/tokenize.cpp b/lib/tokenize.cpp
@@ -8869,6 +8869,7 @@ void Tokenizer::findGarbageCode() const
             !Token::simpleMatch(tok->previous(), ".") &&
             !Token::simpleMatch(tok->next(), ".") &&
             !Token::Match(tok->previous(), "{|, . %name% =|.|[|{") &&
+            !(tok->previous() && tok->previous()->isLiteral()) &&
             !Token::Match(tok->previous(), ", . %name%")) {
             if (!Token::Match(tok->previous(), "%name%|)|]|>|}"))
                 syntaxError(tok, tok->strAt(-1) + " " + tok->str() + " " + tok->strAt(1));
@@ -9877,7 +9878,7 @@ void Tokenizer::simplifyAsm()
             Token *endasm = tok->next();
             const Token *firstSemiColon = nullptr;
             int comment = 0;
-            while (Token::Match(endasm, "%num%|%name%|,|:|;") || (endasm && endasm->linenr() == comment)) {
+            while (Token::Match(endasm, "%num%|%name%|,|:|;") || (endasm && (endasm->isLiteral() || endasm->linenr() == comment))) {
                 if (Token::Match(endasm, "_asm|__asm|__endasm"))
                     break;
                 if (endasm->str() == ";") {
diff --git a/test/cli/fuzz-crash/crash-039028704ca27187fc3228e9fa01ca30a8434e7a b/test/cli/fuzz-crash/crash-039028704ca27187fc3228e9fa01ca30a8434e7a
@@ -0,0 +1 @@
+_ 1p;
diff --git a/test/testsymboldatabase.cpp b/test/testsymboldatabase.cpp
@@ -624,6 +624,8 @@ class TestSymbolDatabase : public TestFixture {
         TEST_CASE(smartPointerLookupCtor); // #13719);
 
         TEST_CASE(stdintFunction);
+
+        TEST_CASE(userDefinedLiteral);
     }
 
     void array() {
@@ -11327,6 +11329,14 @@ class TestSymbolDatabase : public TestFixture {
         ASSERT_EQUALS(tok->next()->valueType()->sign, ValueType::Sign::UNSIGNED);
         ASSERT_EQUALS(tok->next()->valueType()->type, ValueType::Type::INT);
     }
+
+    void userDefinedLiteral() {
+        GET_SYMBOL_DB("_ 1p;");
+        const Token *x = Token::findsimplematch(tokenizer.tokens(), "1p");
+        ASSERT(x);
+        ASSERT(!x->varId());
+        ASSERT(!x->variable());
+    }
 };
 
 REGISTER_TEST(TestSymbolDatabase)
diff --git a/test/testtoken.cpp b/test/testtoken.cpp
@@ -1303,7 +1303,7 @@ class TestToken : public TestFixture {
         assert_tok("0.0", Token::Type::eNumber);
         assert_tok("0x0.3p10", Token::Type::eNumber);
         assert_tok("0z", Token::Type::eNumber); // TODO: not a valid number
-        assert_tok("0_km", Token::Type::eName); // user literal
+        assert_tok("0_km", Token::Type::eLiteral); // user literal
         assert_tok("=", Token::Type::eAssignmentOp);
         assert_tok("<<=", Token::Type::eAssignmentOp);
         assert_tok(">>=", Token::Type::eAssignmentOp);
