[clang] Fix possible nullptr deref in BuildCXXNestedNameSpecifier (llvm#166995)

There is a possible nullptr deref in BuildCXXNestedNameSpecifier when
calling ExtendNestedNameSpecifier or using isa<>. This initially showed
up as a crash in clangd, that didn't manifest in when compiling w/
clang. The reduced test case added in this patch, however does expose
the issue in clang. Testing locally shows that both this test case and
the original clangd issue are fixed by checking the validity of the
pointer before trying to dispatch. Since all code paths require the
pointer to be valid (usually by virtue of a dyn_cast or isa<> check),
there should be no functional difference.

Fixes llvm#166843

Author: ilovepi

clang/lib/Sema/SemaCXXScopeSpec.cpp

@@ -780,6 +780,11 @@ bool Sema::BuildCXXNestedNameSpecifier(Scope *S, NestedNameSpecInfo &IdInfo,
 
   if (!Found.empty()) {
     const auto *ND = Found.getAsSingle<NamedDecl>();
+    if (!ND) {
+      Diag(IdInfo.IdentifierLoc, diag::err_expected_class_or_namespace)
+          << IdInfo.Identifier << getLangOpts().CPlusPlus;
+      return true;
+    }
     if (::ExtendNestedNameSpecifier(*this, SS, ND, IdInfo.IdentifierLoc,
                                     IdInfo.CCLoc)) {
       const Type *T = SS.getScopeRep().getAsType();

clang/test/Sema/PR166843.cpp

@@ -0,0 +1,7 @@
+// RUN: %clang_cc1 -fsyntax-only %s -verify
+namespace a {
+template <class b>
+void c() {
+  ((::c::x)); // expected-error {{'c' is not a class, namespace, or enumeration}}
+}
+}