[C++][Parquet] parquet-arrow-fuzz: Null-dereference READ in parquet::arrow::ListToSchemaField

[mapleFU]

Describe the bug, including details regarding any error messages, version, and platform.

Logs:

+----------------------------------------Release Build Stacktrace----------------------------------------+
--
  | Command: /mnt/scratch0/clusterfuzz/resources/platform/linux/unshare -c -n /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz -rss_limit_mb=2560 -timeout=60 -runs=100 /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/crash-c6b636409de75d68d704704c5ce7823cd75db10d
  | Time ran: 0.06286072731018066
  |  
  | INFO: Running with entropic power schedule (0xFF, 100).
  | INFO: Seed: 1253766541
  | INFO: Loaded 1 modules   (696233 inline 8-bit counters): 696233 [0x573b99ea6210, 0x573b99f501b9),
  | INFO: Loaded 1 PC tables (696233 PCs): 696233 [0x573b99f501c0,0x573b9a9efc50),
  | /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz: Running 1 inputs 100 time(s) each.
  | Running: /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/crash-c6b636409de75d68d704704c5ce7823cd75db10d
  | AddressSanitizer:DEADLYSIGNAL
  | =================================================================
  | ==405==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x573b974bbe87 bp 0x7ffdde1a86c0 sp 0x7ffdde1a85a0 T0)
  | ==405==The signal is caused by a READ memory access.
  | ==405==Hint: address points to the zero page.
  | #0 0x573b974bbe87 in operator-> /usr/local/include/c++/v1/__memory/shared_ptr.h:724:12
  | #1 0x573b974bbe87 in parquet::arrow::(anonymous namespace)::ListToSchemaField(parquet::schema::GroupNode const&, parquet::internal::LevelInfo, parquet::arrow::(anonymous namespace)::SchemaTreeContext*, parquet::arrow::SchemaField const*, parquet::arrow::SchemaField*) arrow/cpp/src/parquet/arrow/schema.cc:680:14
  | #2 0x573b974ae38a in GroupToSchemaField arrow/cpp/src/parquet/arrow/schema.cc:746:12
  | #3 0x573b974ae38a in parquet::arrow::(anonymous namespace)::NodeToSchemaField(parquet::schema::Node const&, parquet::internal::LevelInfo, parquet::arrow::(anonymous namespace)::SchemaTreeContext*, parquet::arrow::SchemaField const*, parquet::arrow::SchemaField*) arrow/cpp/src/parquet/arrow/schema.cc:788:12
  | #4 0x573b974bda2e in parquet::arrow::(anonymous namespace)::GroupToStruct(parquet::schema::GroupNode const&, parquet::internal::LevelInfo, parquet::arrow::(anonymous namespace)::SchemaTreeContext*, parquet::arrow::SchemaField const*, parquet::arrow::SchemaField*) arrow/cpp/src/parquet/arrow/schema.cc:535:5
  | #5 0x573b974af34e in GroupToSchemaField arrow/cpp/src/parquet/arrow/schema.cc:773:12
  | #6 0x573b974af34e in parquet::arrow::(anonymous namespace)::NodeToSchemaField(parquet::schema::Node const&, parquet::internal::LevelInfo, parquet::arrow::(anonymous namespace)::SchemaTreeContext*, parquet::arrow::SchemaField const*, parquet::arrow::SchemaField*) arrow/cpp/src/parquet/arrow/schema.cc:788:12
  | #7 0x573b974ac31b in parquet::arrow::SchemaManifest::Make(parquet::SchemaDescriptor const*, std::__1::shared_ptr<arrow::KeyValueMetadata const> const&, parquet::ArrowReaderProperties const&, parquet::arrow::SchemaManifest*) arrow/cpp/src/parquet/arrow/schema.cc:1163:5
  | #8 0x573b9738199e in Init arrow/cpp/src/parquet/arrow/reader.cc:149:12
  | #9 0x573b9738199e in parquet::arrow::FileReader::Make(arrow::MemoryPool*, std::__1::unique_ptr<parquet::ParquetFileReader, std::__1::default_delete<parquet::ParquetFileReader>>, parquet::ArrowReaderProperties const&, std::__1::unique_ptr<parquet::arrow::FileReader, std::__1::default_delete<parquet::arrow::FileReader>>*) arrow/cpp/src/parquet/arrow/reader.cc:1334:52
  | #10 0x573b97386330 in Build arrow/cpp/src/parquet/arrow/reader.cc:1375:10
  | #11 0x573b97386330 in parquet::arrow::internal::FuzzReader(unsigned char const*, long) arrow/cpp/src/parquet/arrow/reader.cc:1426:5
  | #12 0x573b9737e841 in LLVMFuzzerTestOneInput arrow/cpp/src/parquet/arrow/fuzz.cc:22:17
  | #13 0x573b972332f0 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
  | #14 0x573b9721e565 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
  | #15 0x573b97223fff in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
  | #16 0x573b9724f2a2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
  | #17 0x79a2ad7ab082 in __libc_start_main /build/glibc-LcI20x/glibc-2.31/csu/libc-start.c:308:16
  | #18 0x573b9721674d in _start
  |  
  | AddressSanitizer can not provide additional info.
  | SUMMARY: AddressSanitizer: SEGV (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz+0x13f7e87)
  | ==405==ABORTING
  |  
  |  
  | +----------------------------------------Release Build Unsymbolized Stacktrace (diff)----------------------------------------+
  |  
  | ==405==The signal is caused by a READ memory access.
  | ==405==Hint: address points to the zero page.
  | #0 0x573b974bbe87  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz+0x13f7e87)
  | #1 0x573b974ae38a  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz+0x13ea38a)
  | #2 0x573b974bda2e  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz+0x13f9a2e)
  | #3 0x573b974af34e  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz+0x13eb34e)
  | #4 0x573b974ac31b  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz+0x13e831b)
  | #5 0x573b9738199e  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz+0x12bd99e)
  | #6 0x573b97386330  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz+0x12c2330)
  | #7 0x573b9737e841  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz+0x12ba841)
  | #8 0x573b972332f0  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz+0x116f2f0)
  | #9 0x573b9721e565  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz+0x115a565)
  | #10 0x573b97223fff  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz+0x115ffff)
  | #11 0x573b9724f2a2  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz+0x118b2a2)
  | #12 0x79a2ad7ab082  (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 0702430aef5fa3dda43986563e9ffcc47efbd75e)
  | #13 0x573b9721674d  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz+0x115274d)

+----------------------------------------Release Build Stacktrace----------------------------------------+
Command: /mnt/scratch0/clusterfuzz/resources/platform/linux/unshare -c -n /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz -rss_limit_mb=2560 -timeout=60 -runs=100 /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/crash-c6b636409de75d68d704704c5ce7823cd75db10d
Time ran: 0.06286072731018066
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 1253766541
INFO: Loaded 1 modules   (696233 inline 8-bit counters): 696233 [0x573b99ea6210, 0x573b99f501b9),
INFO: Loaded 1 PC tables (696233 PCs): 696233 [0x573b99f501c0,0x573b9a9efc50),
/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz: Running 1 inputs 100 time(s) each.
Running: /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/crash-c6b636409de75d68d704704c5ce7823cd75db10d
AddressSanitizer:DEADLYSIGNAL
=================================================================
==405==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x573b974bbe87 bp 0x7ffdde1a86c0 sp 0x7ffdde1a85a0 T0)
==405==The signal is caused by a READ memory access.
==405==Hint: address points to the zero page.
    #0 0x573b974bbe87 in operator-> /usr/local/include/c++/v1/__memory/shared_ptr.h:724:12
    #1 0x573b974bbe87 in parquet::arrow::(anonymous namespace)::ListToSchemaField(parquet::schema::GroupNode const&, parquet::internal::LevelInfo, parquet::arrow::(anonymous namespace)::SchemaTreeContext*, parquet::arrow::SchemaField const*, parquet::arrow::SchemaField*) [arrow/cpp/src/parquet/arrow/schema.cc:680](https://github.com/apache/arrow/blob/1df4889505bb2256d7c3738e9c3218ef23d3f72c/cpp/src/parquet/arrow/schema.cc#L680):14
    #2 0x573b974ae38a in GroupToSchemaField [arrow/cpp/src/parquet/arrow/schema.cc:746](https://github.com/apache/arrow/blob/1df4889505bb2256d7c3738e9c3218ef23d3f72c/cpp/src/parquet/arrow/schema.cc#L746):12
    #3 0x573b974ae38a in parquet::arrow::(anonymous namespace)::NodeToSchemaField(parquet::schema::Node const&, parquet::internal::LevelInfo, parquet::arrow::(anonymous namespace)::SchemaTreeContext*, parquet::arrow::SchemaField const*, parquet::arrow::SchemaField*) [arrow/cpp/src/parquet/arrow/schema.cc:788](https://github.com/apache/arrow/blob/1df4889505bb2256d7c3738e9c3218ef23d3f72c/cpp/src/parquet/arrow/schema.cc#L788):12
    #4 0x573b974bda2e in parquet::arrow::(anonymous namespace)::GroupToStruct(parquet::schema::GroupNode const&, parquet::internal::LevelInfo, parquet::arrow::(anonymous namespace)::SchemaTreeContext*, parquet::arrow::SchemaField const*, parquet::arrow::SchemaField*) [arrow/cpp/src/parquet/arrow/schema.cc:535](https://github.com/apache/arrow/blob/1df4889505bb2256d7c3738e9c3218ef23d3f72c/cpp/src/parquet/arrow/schema.cc#L535):5
    #5 0x573b974af34e in GroupToSchemaField [arrow/cpp/src/parquet/arrow/schema.cc:773](https://github.com/apache/arrow/blob/1df4889505bb2256d7c3738e9c3218ef23d3f72c/cpp/src/parquet/arrow/schema.cc#L773):12
    #6 0x573b974af34e in parquet::arrow::(anonymous namespace)::NodeToSchemaField(parquet::schema::Node const&, parquet::internal::LevelInfo, parquet::arrow::(anonymous namespace)::SchemaTreeContext*, parquet::arrow::SchemaField const*, parquet::arrow::SchemaField*) [arrow/cpp/src/parquet/arrow/schema.cc:788](https://github.com/apache/arrow/blob/1df4889505bb2256d7c3738e9c3218ef23d3f72c/cpp/src/parquet/arrow/schema.cc#L788):12
    #7 0x573b974ac31b in parquet::arrow::SchemaManifest::Make(parquet::SchemaDescriptor const*, std::__1::shared_ptr<arrow::KeyValueMetadata const> const&, parquet::ArrowReaderProperties const&, parquet::arrow::SchemaManifest*) [arrow/cpp/src/parquet/arrow/schema.cc:1163](https://github.com/apache/arrow/blob/1df4889505bb2256d7c3738e9c3218ef23d3f72c/cpp/src/parquet/arrow/schema.cc#L1163):5
    #8 0x573b9738199e in Init [arrow/cpp/src/parquet/arrow/reader.cc:149](https://github.com/apache/arrow/blob/1df4889505bb2256d7c3738e9c3218ef23d3f72c/cpp/src/parquet/arrow/reader.cc#L149):12
    #9 0x573b9738199e in parquet::arrow::FileReader::Make(arrow::MemoryPool*, std::__1::unique_ptr<parquet::ParquetFileReader, std::__1::default_delete<parquet::ParquetFileReader>>, parquet::ArrowReaderProperties const&, std::__1::unique_ptr<parquet::arrow::FileReader, std::__1::default_delete<parquet::arrow::FileReader>>*) [arrow/cpp/src/parquet/arrow/reader.cc:1334](https://github.com/apache/arrow/blob/1df4889505bb2256d7c3738e9c3218ef23d3f72c/cpp/src/parquet/arrow/reader.cc#L1334):52
    #10 0x573b97386330 in Build [arrow/cpp/src/parquet/arrow/reader.cc:1375](https://github.com/apache/arrow/blob/1df4889505bb2256d7c3738e9c3218ef23d3f72c/cpp/src/parquet/arrow/reader.cc#L1375):10
    #11 0x573b97386330 in parquet::arrow::internal::FuzzReader(unsigned char const*, long) [arrow/cpp/src/parquet/arrow/reader.cc:1426](https://github.com/apache/arrow/blob/1df4889505bb2256d7c3738e9c3218ef23d3f72c/cpp/src/parquet/arrow/reader.cc#L1426):5
    #12 0x573b9737e841 in LLVMFuzzerTestOneInput [arrow/cpp/src/parquet/arrow/fuzz.cc:22](https://github.com/apache/arrow/blob/1df4889505bb2256d7c3738e9c3218ef23d3f72c/cpp/src/parquet/arrow/fuzz.cc#L22):17
    #13 0x573b972332f0 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #14 0x573b9721e565 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #15 0x573b97223fff in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #16 0x573b9724f2a2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #17 0x79a2ad7ab082 in __libc_start_main /build/glibc-LcI20x/glibc-2.31/csu/libc-start.c:308:16
    #18 0x573b9721674d in _start
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz+0x13f7e87)
==405==ABORTING
+----------------------------------------Release Build Unsymbolized Stacktrace (diff)----------------------------------------+
==405==The signal is caused by a READ memory access.
==405==Hint: address points to the zero page.
    #0 0x573b974bbe87  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz+0x13f7e87)
    #1 0x573b974ae38a  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz+0x13ea38a)
    #2 0x573b974bda2e  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz+0x13f9a2e)
    #3 0x573b974af34e  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz+0x13eb34e)
    #4 0x573b974ac31b  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz+0x13e831b)
    #5 0x573b9738199e  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz+0x12bd99e)
    #6 0x573b97386330  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz+0x12c2330)
    #7 0x573b9737e841  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz+0x12ba841)
    #8 0x573b972332f0  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz+0x116f2f0)
    #9 0x573b9721e565  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz+0x115a565)
    #10 0x573b97223fff  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz+0x115ffff)
    #11 0x573b9724f2a2  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz+0x118b2a2)
    #12 0x79a2ad7ab082  (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 0702430aef5fa3dda43986563e9ffcc47efbd75e)
    #13 0x573b9721674d  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz+0x115274d)

Which is introduced in #43995

Component(s)

C++, Parquet

[mapleFU]

Issue resolved by pull request 45152
#45152