Thanks for the suggestions. Just to clarify the context: I actually found this crash while fuzzing the harness. Since fuzzing drivers can sometimes produce false positives, I made sure to verify that this specific case is fully reproducible from the main entry point. I did use Claude to help structure and draft the PoC report for better readability (comments are also polished by AI to improve my English writing ;). The main reason I haven't opened a PR yet is that I wanted to get the crash confirmed...
Description

Two unbounded recursive paths exist with no depth limit:

Path 1 — Direct recursion via else if chains

At lib/tokenize.cpp:6850-6852:

```cpp
if (tokEndNextNext->str() == "if") // do not change "else if ..." to "else { if ... }"
    tokEnd = simplifyAddBracesToCommand(tokEndNextNext); // ← direct self-recursion
```

When simplifyAddBracesToCommand processes an if statement followed by else if, it recurses into itself for the next else if. For a chain of N else if clauses, this produces N stack frames....
Heap-buffer-overflow at pnm_fget_values