Test Case

<!DOCTYPE A SYSTEM ""
[
    <!ENTITY ENT_A SYSTEM "" NDATA A>
    <!ENTITY ENT_B "&ENT_A;&ENT_B;">
    <!ATTLIST A C CDATA "">
    <!ATTLIST A D CDATA "">
    <!ATTLIST A E CDATA "">
    <!ATTLIST A F CDATA "">
    <!ATTLIST A G CDATA "&ENT_B;">
]>

Reproducing the Issue

Simply run xmllint on the provided test case.

The bucket used in the hash function is affected by the random seed value used in hash randomization, therefore the test case may need to be run multiple times (by xmllint or any other parser using libxml2) to see the crash due to the system time being used to select the random seed.