fixed fuzzing crash in simplecpp::Macro::expandToken() (#345)

firewave · web-flow · commit c5c02ff331c4 · 2024-02-27T15:58:33.000+01:00
diff --git a/simplecpp.cpp b/simplecpp.cpp
@@ -1984,7 +1984,7 @@ namespace simplecpp {
                             if (paren == 0)
                               return tok->next->next;
                             tok = tok->next;
-                            if (parametertokens.front()->next->str() != ")" && parametertokens.size() > args.size())
+                            if (parametertokens.size() > args.size() && parametertokens.front()->next->str() != ")")
                               tok = expandToken(output, loc, tok, macros, expandedmacros, parametertokens)->previous;
                         }
                     }
diff --git a/test.cpp b/test.cpp
@@ -2714,6 +2714,15 @@ static void token()
     ASSERT_TOKEN("+22", false, true, false);
 }
 
+static void fuzz_crash()
+{
+    {
+        const char code[] = "#define n __VA_OPT__(u\n"
+                            "n\n";
+        (void)preprocess(code, simplecpp::DUI()); // do not crash
+    }
+}
+
 int main(int argc, char **argv)
 {
     TEST_CASE(backslash);
@@ -2940,5 +2949,7 @@ int main(int argc, char **argv)
 
     TEST_CASE(token);
 
+    TEST_CASE(fuzz_crash);
+
     return numberOfFailedAssertions > 0 ? EXIT_FAILURE : EXIT_SUCCESS;
 }

Original file line number	Diff line number	Diff line change
`@@ -1984,7 +1984,7 @@ namespace simplecpp {`
`1984`	`1984`	`if (paren == 0)`
`1985`	`1985`	`return tok->next->next;`
`1986`	`1986`	`tok = tok->next;`
`1987`		`- if (parametertokens.front()->next->str() != ")" && parametertokens.size() > args.size())`
	`1987`	`+ if (parametertokens.size() > args.size() && parametertokens.front()->next->str() != ")")`
`1988`	`1988`	`tok = expandToken(output, loc, tok, macros, expandedmacros, parametertokens)->previous;`
`1989`	`1989`	`}`
`1990`	`1990`	`}`