From 342170fcd364b584c381f53b405c89ae3ca5e3e8 Mon Sep 17 00:00:00 2001
From: bunnei <bunneidev@gmail.com>
Date: Sun, 16 May 2021 00:54:15 -0700
Subject: [PATCH] common: tree: Avoid a crash on nullptr dereference.

---
 src/common/tree.h | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/src/common/tree.h b/src/common/tree.h
index 9d2d0df4e7..18faa4a48e 100644
--- a/src/common/tree.h
+++ b/src/common/tree.h
@@ -43,6 +43,8 @@
  * The maximum height of a red-black tree is 2lg (n+1).
  */
 
+#include "common/assert.h"
+
 namespace Common {
 template <typename T>
 class RBHead {
@@ -325,6 +327,10 @@ void RB_REMOVE_COLOR(RBHead<Node>* head, Node* parent, Node* elm) {
     while ((elm == nullptr || RB_IS_BLACK(elm)) && elm != head->Root() && parent != nullptr) {
         if (RB_LEFT(parent) == elm) {
             tmp = RB_RIGHT(parent);
+            if (!tmp) {
+                ASSERT_MSG(false, "tmp is invalid!");
+                break;
+            }
             if (RB_IS_RED(tmp)) {
                 RB_SET_BLACKRED(tmp, parent);
                 RB_ROTATE_LEFT(head, parent, tmp);
@@ -366,6 +372,11 @@ void RB_REMOVE_COLOR(RBHead<Node>* head, Node* parent, Node* elm) {
                 tmp = RB_LEFT(parent);
             }
 
+            if (!tmp) {
+                ASSERT_MSG(false, "tmp is invalid!");
+                break;
+            }
+
             if ((RB_LEFT(tmp) == nullptr || RB_IS_BLACK(RB_LEFT(tmp))) &&
                 (RB_RIGHT(tmp) == nullptr || RB_IS_BLACK(RB_RIGHT(tmp)))) {
                 RB_SET_COLOR(tmp, EntryColor::Red);