From 2236887078c0da1a564e0a9ed726feffa97ba7a8 Mon Sep 17 00:00:00 2001
From: rillig
Date: Sun, 20 Jun 2021 11:42:25 +0000
Subject: [PATCH] lint: fix crash on semantically wrong code in ({...})

Found by afl.
---
 .../xlint/lint1/d_gcc_compound_statements1.c | 14 ++++++++++++-
 .../lint1/d_gcc_compound_statements1.exp | 1 +
 usr.bin/xlint/lint1/cgram.y | 21 ++++++++++++-------
 3 files changed, 27 insertions(+), 9 deletions(-)

diff --git a/tests/usr.bin/xlint/lint1/d_gcc_compound_statements1.c b/tests/usr.bin/xlint/lint1/d_gcc_compound_statements1.c
index 3d97368a72d3..04ce986dd064 100644
--- a/tests/usr.bin/xlint/lint1/d_gcc_compound_statements1.c
+++ b/tests/usr.bin/xlint/lint1/d_gcc_compound_statements1.c
@@ -1,4 +1,4 @@
-/* $NetBSD: d_gcc_compound_statements1.c,v 1.5 2021/06/19 15:51:11 rillig Exp $ */
+/* $NetBSD: d_gcc_compound_statements1.c,v 1.6 2021/06/20 11:42:26 rillig Exp $ */
 # 3 "d_gcc_compound_statements1.c"
 
 /* GCC compound statement with expression */
@@ -22,3 +22,15 @@ foo(unsigned long z)
 int c = ({ return 3; /* expect: return outside function */ }); /* expect: cannot initialize 'int' from 'void' */
+
+void
+function(void)
+{
+ /*
+ * Before cgram.y 1.229 from 2021-06-20, lint crashed due to the
+ * syntax error, which made an expression NULL.
+ */
+ ({
+ 0->e; /* expect: type 'int' does not have member 'e' */
+ });
+}
diff --git a/tests/usr.bin/xlint/lint1/d_gcc_compound_statements1.exp b/tests/usr.bin/xlint/lint1/d_gcc_compound_statements1.exp
index 79e8e4bdc6b3..693d15ec0bf9 100644
--- a/tests/usr.bin/xlint/lint1/d_gcc_compound_statements1.exp
+++ b/tests/usr.bin/xlint/lint1/d_gcc_compound_statements1.exp
@@ -1,2 +1,3 @@
 d_gcc_compound_statements1.c(23): error: syntax error 'return outside function' [249]
 d_gcc_compound_statements1.c(24): error: cannot initialize 'int' from 'void' [185]
+d_gcc_compound_statements1.c(34): error: type 'int' does not have member 'e' [101]
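Review bot: The comment in the added `function` says lint crashed "due to the syntax error", but the only diagnostic the test expects for `0->e;` (and the line added to the .exp file) is the semantic error `type 'int' does not have member 'e'`; the commit subject itself calls it "semantically wrong code". I'd reword the comment to `* semantic error in the expression, which left the expression NULL.` so the test documents what it actually exercises. The earlier part of the test file, including `foo`, is outside this hunk.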
diff --git a/usr.bin/xlint/lint1/cgram.y b/usr.bin/xlint/lint1/cgram.y
index fca6c4f8e41c..9fbeb4453ca7 100644
--- a/usr.bin/xlint/lint1/cgram.y
+++ b/usr.bin/xlint/lint1/cgram.y
@@ -1,5 +1,5 @@
 %{
-/* $NetBSD: cgram.y,v 1.228 2021/06/19 19:49:15 rillig Exp $ */
+/* $NetBSD: cgram.y,v 1.229 2021/06/20 11:42:25 rillig Exp $ */
 
 /*
  * Copyright (c) 1996 Christopher G. Demetriou. All Rights Reserved.
@@ -35,7 +35,7 @@
 #include 
 
 #if defined(__RCSID) && !defined(lint)
-__RCSID("$NetBSD: cgram.y,v 1.228 2021/06/19 19:49:15 rillig Exp $");
+__RCSID("$NetBSD: cgram.y,v 1.229 2021/06/20 11:42:25 rillig Exp $");
 #endif
 
 #include 
@@ -2028,12 +2028,17 @@ gcc_statement_expr_item:
 $$->tn_type = gettyp(VOID);
 }
 | expr T_SEMI {
- /* XXX: We should really do that only on the last name */
- if ($1->tn_op == NAME)
- $1->tn_sym->s_used = true;
- $$ = $1;
- expr($1, false, false, false, false);
- seen_fallthrough = false;
+ if ($1 == NULL) { /* in case of syntax errors */
+ $$ = expr_zalloc_tnode();
+ $$->tn_type = gettyp(VOID);
+ } else {
+ /* XXX: do that only on the last name */
+ if ($1->tn_op == NAME)
+ $1->tn_sym->s_used = true;
+ $$ = $1;
+ expr($1, false, false, false, false);
+ seen_fallthrough = false;
+ }
 }
 ;
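Review bot: In the new `$1 == NULL` branch of `expr T_SEMI`, `seen_fallthrough` is no longer reset, whereas before the change it was cleared unconditionally for every expression item; an erroneous expression statement now leaves the flag in whatever state the previous item set. If that is intended the comment should say so, otherwise hoist `seen_fallthrough = false;` out of the `else` block so both paths behave the same. The two-line VOID-node construction also duplicates the `non_expr_statement` alternative just above (whose first line is outside the hunk), so a small file-scope helper returning that node would keep the two in sync. The comment `/* in case of syntax errors */` would be more accurate as `/* an error in the expression left no tree node */`, since the test case that triggered this is a semantic, not a syntax, error.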