From 18dd4ee6c94522a3435a772ec400456b81cab207 Mon Sep 17 00:00:00 2001
From: chrchr-github
Date: Fri, 9 Jan 2026 22:44:29 +0100
Subject: [PATCH 1/2] Fix #13705 fuzzing crash (null-pointer-use) in getEnumType()

---
 lib/tokenize.cpp | 2 ++
 .../fuzz-crash/crash-cd91802f0554ab425b82191389c9db2be0d50040 | 1 +
 2 files changed, 3 insertions(+)
 create mode 100644 test/cli/fuzz-crash/crash-cd91802f0554ab425b82191389c9db2be0d50040

diff --git a/lib/tokenize.cpp b/lib/tokenize.cpp
index 952ba4b6c00..334a9d412ca 100644
--- a/lib/tokenize.cpp
+++ b/lib/tokenize.cpp
@@ -8944,6 +8944,8 @@ void Tokenizer::findGarbageCode() const
 syntaxError(tok);
 if (Token::Match(tok, "!|~ %comp%") && !(cpp && tok->strAt(1) == ">" && Token::simpleMatch(tok->tokAt(-1), "operator")))
+ syntaxError(tok);
+ if (Token::Match(tok, "%comp% {") && (!cpp || tok->str() != ">"))
 syntaxError(tok);
 if (Token::Match(tok, "] %name%") && (!cpp || !(tok->tokAt(1)->isKeyword() || (tok->tokAt(-1) && Token::simpleMatch(tok->tokAt(-2), "delete ["))))) {
 if (tok->next()->isUpperCaseName())
diff --git a/test/cli/fuzz-crash/crash-cd91802f0554ab425b82191389c9db2be0d50040 b/test/cli/fuzz-crash/crash-cd91802f0554ab425b82191389c9db2be0d50040
new file mode 100644
index 00000000000..b2a885a35d3
--- /dev/null
+++ b/test/cli/fuzz-crash/crash-cd91802f0554ab425b82191389c9db2be0d50040
@@ -0,0 +1 @@
+{f F<{enum{E=1};}>}
\ No newline at end of file

From 2e0446f8ec844111de98f43a56e54efd50b4b1db Mon Sep 17 00:00:00 2001
From: chrchr-github
Date: Fri, 9 Jan 2026 23:02:56 +0100
Subject: [PATCH 2/2] Format

---
 lib/tokenize.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/tokenize.cpp b/lib/tokenize.cpp
index 334a9d412ca..faf21fe2fd9 100644
--- a/lib/tokenize.cpp
+++ b/lib/tokenize.cpp
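Review bot: The new `%comp% {` rejection in findGarbageCode() only diverts the reproducer away from getEnumType(); nothing in the hunk hardens getEnumType() itself, so the null dereference the subject line names remains reachable if a fuzzer finds another token shape that survives this filter, and a null check at the dereference site would close the crash rather than one path to it. The exemption `(!cpp || tok->str() != ">")` deserves a one-line why-comment, since `> {` is presumably allowed because a closing template argument list can legally precede a brace in C++ (`Base<T> {`, `T<int> {}`): `// "> {" is legal C++ after a template argument list; any other comparison operator directly before "{" is garbage`. The set of tokens `%comp%` matches is not visible here, so it is worth confirming none of them can legally precede `{` in C, where the check now fires unconditionally. The mis-indented added `syntaxError(tok);` is already corrected by PATCH 2/2, so no further formatting change is needed. findGarbageCode()'s body starts and ends outside this hunk.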
@@ -8944,7 +8944,7 @@ void Tokenizer::findGarbageCode() const
 syntaxError(tok);
 if (Token::Match(tok, "!|~ %comp%") && !(cpp && tok->strAt(1) == ">" && Token::simpleMatch(tok->tokAt(-1), "operator")))
- syntaxError(tok);
+ syntaxError(tok);
 if (Token::Match(tok, "%comp% {") && (!cpp || tok->str() != ">"))
 syntaxError(tok);
 if (Token::Match(tok, "] %name%") && (!cpp || !(tok->tokAt(1)->isKeyword() || (tok->tokAt(-1) && Token::simpleMatch(tok->tokAt(-2), "delete ["))))) {