NULL Pointer Dereference vulnerability in void repodata_search_keyskip(), src/repodata.c

[QiuYitai]

The NULL Dereference vulnerability happens in void repodata_search_keyskip(), src/repodata.c
How the NULL Pointer Dereference happens:

1. When the function repodata_search calls repodata_search_keyskip and passes *keyskip, the value of *keyskip is 0.
2. kv.parentis set to NULL at kv.parent = (KeyValue *)keyskip;
3. Dereference of NULL variable kv.parent in schema = kv.parent->id;

void
repodata_search(Repodata *data, Id solvid, Id keyname, int flags, int (*callback)
                (void *cbdata, Solvable *s, Repodata *data, Repokey *key, 
                    KeyValue *kv), void *cbdata)
{
=> repodata_search_keyskip(data, solvid, keyname, flags, 0, callback, cbdata);
}

void
repodata_search_keyskip(Repodata *data, Id solvid, Id keyname, int flags, 
                        Id *keyskip, int (*callback)(void *cbdata, Solvable *s, 
                        Repodata *data, Repokey *key, KeyValue *kv), void *cbdata)
{
      Id schema;
      Repokey *key;
      Id keyid, *kp, *keyp;
      unsigned char *dp, *ddp;
      int onekey = 0;
      int stop;
      KeyValue kv;
      Solvable *s;

      if (!maybe_load_repodata(data, keyname))
        return;
=>    if ((flags & SEARCH_SUBSCHEMA) != 0)
      {
          flags ^= SEARCH_SUBSCHEMA;
=>        kv.parent = (KeyValue *)keyskip;
          keyskip = 0;
=>        schema = kv.parent->id;
          dp = (unsigned char *)kv.parent->str;
      }
      else
      {
          ......
      }
      ......
}