From af921984a766871c265a2eff1c6889675e062ce6 Mon Sep 17 00:00:00 2001
From: Alex Beregszaszi <alex@rtfs.hu>
Date: Fri, 21 Sep 2018 21:46:54 +0100
Subject: [PATCH] Do not crash on invalid indexed access

---
 libsolidity/analysis/TypeChecker.cpp | 34 +++++++++++++++++-----------
 libsolidity/analysis/TypeChecker.h   |  2 +-
 2 files changed, 22 insertions(+), 14 deletions(-)

diff --git a/libsolidity/analysis/TypeChecker.cpp b/libsolidity/analysis/TypeChecker.cpp
index 3d119c8274c9..7facde666be5 100644
--- a/libsolidity/analysis/TypeChecker.cpp
+++ b/libsolidity/analysis/TypeChecker.cpp
@@ -2280,15 +2280,17 @@ bool TypeChecker::visit(IndexAccess const& _access)
 			resultType = make_shared<TypeType>(make_shared<ArrayType>(DataLocation::Memory, typeType.actualType()));
 		else
 		{
-			expectType(*index, IntegerType(256));
-			if (auto length = dynamic_cast<RationalNumberType const*>(type(*index).get()))
-				resultType = make_shared<TypeType>(make_shared<ArrayType>(
-					DataLocation::Memory,
-					typeType.actualType(),
-					length->literalValue(nullptr)
-				));
-			else
+			if (!expectType(*index, IntegerType(256)))
 				m_errorReporter.fatalTypeError(index->location(), "Integer constant expected.");
+
+			auto length = dynamic_cast<RationalNumberType const*>(type(*index).get());
+			solAssert(length, "");
+
+			resultType = make_shared<TypeType>(make_shared<ArrayType>(
+				DataLocation::Memory,
+				typeType.actualType(),
+				length->literalValue(nullptr)
+			));
 		}
 		break;
 	}
@@ -2299,10 +2301,14 @@ bool TypeChecker::visit(IndexAccess const& _access)
 			m_errorReporter.typeError(_access.location(), "Index expression cannot be omitted.");
 		else
 		{
-			expectType(*index, IntegerType(256));
-			if (auto integerType = dynamic_cast<RationalNumberType const*>(type(*index).get()))
-				if (bytesType.numBytes() <= integerType->literalValue(nullptr))
-					m_errorReporter.typeError(_access.location(), "Out of bounds array access.");
+			if (!expectType(*index, IntegerType(256)))
+				m_errorReporter.fatalTypeError(_access.location(), "Integer constant expected.");
+
+			auto integerType = dynamic_cast<RationalNumberType const*>(type(*index).get());
+			solAssert(integerType, "");
+
+			if (bytesType.numBytes() <= integerType->literalValue(nullptr))
+				m_errorReporter.typeError(_access.location(), "Out of bounds array access.");
 		}
 		resultType = make_shared<FixedBytesType>(1);
 		isLValue = false; // @todo this heavily depends on how it is embedded
@@ -2470,7 +2476,7 @@ Declaration const& TypeChecker::dereference(UserDefinedTypeName const& _typeName
 	return *_typeName.annotation().referencedDeclaration;
 }
 
-void TypeChecker::expectType(Expression const& _expression, Type const& _expectedType)
+bool TypeChecker::expectType(Expression const& _expression, Type const& _expectedType)
 {
 	_expression.accept(*this);
 	if (!type(_expression)->isImplicitlyConvertibleTo(_expectedType))
@@ -2499,7 +2505,9 @@ void TypeChecker::expectType(Expression const& _expression, Type const& _expecte
 				_expectedType.toString() +
 				"."
 			);
+		return false;
 	}
+	return true;
 }
 
 void TypeChecker::requireLValue(Expression const& _expression)
diff --git a/libsolidity/analysis/TypeChecker.h b/libsolidity/analysis/TypeChecker.h
index 8d25a88ea96b..6ea99ca20bfc 100644
--- a/libsolidity/analysis/TypeChecker.h
+++ b/libsolidity/analysis/TypeChecker.h
@@ -143,7 +143,7 @@ class TypeChecker: private ASTConstVisitor
 
 	/// Runs type checks on @a _expression to infer its type and then checks that it is implicitly
 	/// convertible to @a _expectedType.
-	void expectType(Expression const& _expression, Type const& _expectedType);
+	bool expectType(Expression const& _expression, Type const& _expectedType);
 	/// Runs type checks on @a _expression to infer its type and then checks that it is an LValue.
 	void requireLValue(Expression const& _expression);