Fixed three unique crashs on garbage code (cppcheck-opensource#6613).

PKEuS · PKEuS · commit 0d37c4df04a2 · 2015-04-01T12:43:24.000+02:00
Removed redundant copy of string in templatesimplifier.cpp
diff --git a/lib/templatesimplifier.cpp b/lib/templatesimplifier.cpp
@@ -264,7 +264,7 @@ unsigned int TemplateSimplifier::templateParameters(const Token *tok)
             tok = tok->next();
         while (Token::Match(tok, "%name% ::")) {
             tok = tok->tokAt(2);
-            if (tok->str() == "*") // Ticket #5759: Class member pointer as a template argument; skip '*'
+            if (tok && tok->str() == "*") // Ticket #5759: Class member pointer as a template argument; skip '*'
                 tok = tok->next();
         }
         if (!tok)
@@ -1231,18 +1231,18 @@ bool TemplateSimplifier::simplifyTemplateInstantiations(
 
         // New type..
         std::vector<const Token *> typesUsedInTemplateInstantiation;
-        std::string typeForNewNameStr;
+        std::string typeForNewName;
         std::string templateMatchPattern(name + " < ");
         unsigned int indentlevel = 0;
         for (const Token *tok3 = tok2->tokAt(2); tok3 && (indentlevel > 0 || tok3->str() != ">"); tok3 = tok3->next()) {
             // #2648 - unhandled parentheses => bail out
             // #2721 - unhandled [ => bail out
             if (Token::Match(tok3, "(|[")) {
-                typeForNewNameStr.clear();
+                typeForNewName.clear();
                 break;
             }
             if (!tok3->next()) {
-                typeForNewNameStr.clear();
+                typeForNewName.clear();
                 break;
             }
             if (Token::Match(tok3->tokAt(-2), "[<,] %name% <") && templateParameters(tok3) > 0)
@@ -1259,16 +1259,15 @@ bool TemplateSimplifier::simplifyTemplateInstantiations(
             // add additional type information
             if (!constconst && tok3->str() != "class") {
                 if (tok3->isUnsigned())
-                    typeForNewNameStr += "unsigned";
+                    typeForNewName += "unsigned";
                 else if (tok3->isSigned())
-                    typeForNewNameStr += "signed";
+                    typeForNewName += "signed";
                 if (tok3->isLong())
-                    typeForNewNameStr += "long";
-                typeForNewNameStr += tok3->str();
+                    typeForNewName += "long";
+                typeForNewName += tok3->str();
             }
         }
         templateMatchPattern += ">";
-        const std::string typeForNewName(typeForNewNameStr);
 
         if (typeForNewName.empty() || typeParametersInDeclaration.size() != typesUsedInTemplateInstantiation.size()) {
             if (_settings->debugwarnings && errorlogger) {
diff --git a/lib/tokenize.cpp b/lib/tokenize.cpp
@@ -2601,9 +2601,10 @@ void Tokenizer::setVarId()
         } else if (!executableScope.top() && tok->str() == "(" && isFunctionHead(tok, ";")) {
             scopeInfo.push(variableId);
         } else if (!executableScope.top() && tok->str() == ")" && isFunctionHead(tok, ";")) {
+            if (scopeInfo.empty())
+                cppcheckError(tok);
             variableId.swap(scopeInfo.top());
             scopeInfo.pop();
-
         } else if (tok->str() == "{") {
             // parse anonymous unions as part of the current scope
             if (!(tok->strAt(-1) == "union" && Token::simpleMatch(tok->link(), "} ;"))) {
diff --git a/lib/tokenlist.cpp b/lib/tokenlist.cpp
@@ -298,16 +298,16 @@ bool TokenList::createTokens(std::istream &code, const std::string& file0)
 
         if (ch == '.' &&
             !CurrentToken.empty() &&
-            std::isdigit(CurrentToken[0])) {
+            std::isdigit((unsigned char)CurrentToken[0])) {
             // Don't separate doubles "5.4"
         } else if (std::strchr("+-", ch) &&
                    CurrentToken.length() > 0 &&
-                   std::isdigit(CurrentToken[0]) &&
+                   std::isdigit((unsigned char)CurrentToken[0]) &&
                    (CurrentToken[CurrentToken.length()-1] == 'e' ||
                     CurrentToken[CurrentToken.length()-1] == 'E') &&
                    !MathLib::isHex(CurrentToken)) {
             // Don't separate doubles "4.2e+10"
-        } else if (CurrentToken.empty() && ch == '.' && std::isdigit(code.peek())) {
+        } else if (CurrentToken.empty() && ch == '.' && std::isdigit((unsigned char)code.peek())) {
             // tokenize .125 into 0.125
             CurrentToken = "0";
         } else if (std::strchr("+-*/%&|^?!=<>[](){};:,.~\n ", ch)) {
diff --git a/test/testgarbage.cpp b/test/testgarbage.cpp
@@ -71,6 +71,7 @@ class TestGarbage : public TestFixture {
         TEST_CASE(garbageCode30); // #5867
         TEST_CASE(garbageCode31); // #6539
         TEST_CASE(garbageCode32); // #6135
+        TEST_CASE(garbageCode33); // #6613
 
         TEST_CASE(garbageValueFlow);
         TEST_CASE(garbageSymbolDatabase);
@@ -401,6 +402,14 @@ class TestGarbage : public TestFixture {
         checkCode(" ( * const ( size_t ) ; foo )");
     }
 
+    void garbageCode33() { // #6613
+        ASSERT_THROW(checkCode("main(()B{});"), InternalError);
+
+        checkCode("f::y:y : <x::");
+
+        checkCode("\xe2u.");
+    }
+
     void garbageValueFlow() {
         // #6089
         const char* code = "{} int foo(struct, x1, struct x2, x3, int, x5, x6, x7)\n"
