Bug #8635: NULL dereference on HashListTableLookup result in DetectEngineSignatureIsDuplicate

Added by Denis Balashov 9 days ago. Updated about 17 hours ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

In DetectEngineSignatureIsDuplicate() (detect-parse.c), HashListTableLookup()
is called in four places and the result is dereferenced unconditionally.

The code relies on an invariant — that every Signature in sig_list has a
corresponding dup_sig_hash_table entry — but the invariant is neither
asserted nor guarded. One location has a comment "sw_old == NULL case is
impossible", which acknowledges the assumption but does not enforce it.

If the invariant is ever violated due to a bug in adjacent code, the process
will crash with a NULL dereference.

Flagged by Svace static analyzer at detect-parse.c:3250,3253.

Proposed fix: add DEBUG_VALIDATE_BUG_ON() at each site to catch violations
in debug builds, and NULL guards to prevent a crash in production builds.

Pull request: https://github.com/OISF/suricata/pull/15557
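The lookup-and-dereference pattern the report describes, next to the shape of the proposed guard, as an added example in plain C that is not Suricata's code. The hash table, the Sig struct, the sighash_lookup() helper and the DEBUG_VALIDATE_BUG_ON stand-in are all constructed here (the real macro and HashListTableLookup() have different signatures and a different table type), and the constructed fixture deliberately leaves one signature out of the table so the violated invariant is visible without crashing the process.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for Suricata's DEBUG_VALIDATE_BUG_ON(): abort in validation
 * builds, compile to nothing in release builds. Constructed here, not the
 * project's own macro. */
#ifdef DEBUG_VALIDATION
#define DEBUG_VALIDATE_BUG_ON(cond) do { if (cond) abort(); } while (0)
#else
#define DEBUG_VALIDATE_BUG_ON(cond) do { (void)(cond); } while (0)
#endif

typedef struct Sig {
    uint32_t id;
    const char *content;   /* rule text used as the dedup key */
    struct Sig *next;      /* chaining inside a hash bucket */
} Sig;

#define NBUCKETS 8
typedef struct { Sig *bucket[NBUCKETS]; } SigHash;

/* FNV-1a over the content string, folded into a bucket index. */
static uint32_t bucket_of(const char *s)
{
    uint32_t h = 2166136261u;
    for (; *s; s++) { h ^= (uint8_t)*s; h *= 16777619u; }
    return h % NBUCKETS;
}

static void sighash_add(SigHash *t, Sig *s)
{
    uint32_t b = bucket_of(s->content);
    s->next = t->bucket[b];
    t->bucket[b] = s;
}

/* Returns NULL when no signature with this content is present: the case
 * the report says is assumed impossible but never checked. */
static const Sig *sighash_lookup(const SigHash *t, const char *content)
{
    for (const Sig *s = t->bucket[bucket_of(content)]; s != NULL; s = s->next)
        if (strcmp(s->content, content) == 0)
            return s;
    return NULL;
}

/* The pattern flagged in the report: the lookup result is dereferenced
 * unconditionally, so a missing entry becomes a NULL dereference. */
static uint32_t unguarded_dup_id(const SigHash *t, const char *content)
{
    const Sig *sw = sighash_lookup(t, content);
    return sw->id;
}

/* The shape of the proposed fix: assert the invariant in debug builds and
 * fail closed (error return) in release builds instead of crashing. */
static long guarded_dup_id(const SigHash *t, const char *content)
{
    const Sig *sw = sighash_lookup(t, content);
    DEBUG_VALIDATE_BUG_ON(sw == NULL);
    if (sw == NULL)
        return -1;
    return (long)sw->id;
}

/* Direct check of the invariant itself: every signature in the list must
 * resolve through the table to itself. Cheap enough to run after loading. */
static int invariant_holds(const SigHash *t, const Sig *const *list, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (sighash_lookup(t, list[i]->content) != list[i])
            return 0;
    return 1;
}

/* Constructed fixture: three signatures in the list, only two inserted into
 * the table, so the invariant is deliberately broken for "gamma". */
static Sig g_alpha = { 1, "alpha", NULL };
static Sig g_beta  = { 2, "beta",  NULL };
static Sig g_gamma = { 3, "gamma", NULL };
static const Sig *const g_list[] = { &g_alpha, &g_beta, &g_gamma };

static const SigHash *demo_table(void)
{
    static SigHash t;
    static int built;
    if (!built) {
        sighash_add(&t, &g_alpha);
        sighash_add(&t, &g_beta);
        built = 1;
    }
    return &t;
}

int main(void)
{
    const SigHash *t = demo_table();
    printf("beta  -> %ld\n", guarded_dup_id(t, "beta"));
    printf("gamma -> %ld\n", guarded_dup_id(t, "gamma"));
    printf("invariant holds: %d\n", invariant_holds(t, g_list, 3));
    /* unguarded_dup_id(t, "gamma") would dereference NULL here. */
    return 0;
}
```

Compile with -DDEBUG_VALIDATION to get the abort at the lookup site; without it the guarded path returns -1 and the caller decides how to degrade, which is the split between debug and production behaviour the report proposes.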
