libwebp/libwebp-Allow-for-a-non-initialized-alpha-decompressor-in-DoRemap.patch

From 0b271f10c428b59d20a4415247e228f31e0030e4 Mon Sep 17 00:00:00 2001
From: Vincent Rabaud <vrabaud@google.com>
Date: Fri, 13 Jul 2018 22:09:06 +0200
Subject: [PATCH] Allow for a non-initialized alpha decompressor in DoRemap.

BUG=oss-fuzz:9364

Change-Id: Ib1a1c6b0ccfcc255505f019e3e8fd15db73bc4b6
(cherry picked from commit da96d8d9ab4b10d023ffa701c8e4ff5843db010a)
---
 src/dec/idec_dec.c | 3 +--
 src/dec/vp8l_dec.c | 6 +++---
 2 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/src/dec/idec_dec.c b/src/dec/idec_dec.c
index 6a44236ab..738e14c95 100644
--- a/src/dec/idec_dec.c
+++ b/src/dec/idec_dec.c
@@ -140,10 +140,9 @@ static void DoRemap(WebPIDecoder* const idec, ptrdiff_t offset) {
       if (NeedCompressedAlpha(idec)) {
         ALPHDecoder* const alph_dec = dec->alph_dec_;
         dec->alpha_data_ += offset;
-        if (alph_dec != NULL) {
+        if (alph_dec != NULL && alph_dec->vp8l_dec_ != NULL) {
           if (alph_dec->method_ == ALPHA_LOSSLESS_COMPRESSION) {
             VP8LDecoder* const alph_vp8l_dec = alph_dec->vp8l_dec_;
-            assert(alph_vp8l_dec != NULL);
             assert(dec->alpha_data_size_ >= ALPHA_HEADER_LEN);
             VP8LBitReaderSetBuffer(&alph_vp8l_dec->br_,
                                    dec->alpha_data_ + ALPHA_HEADER_LEN,
diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c
index 7549cdaee..838e7f29d 100644
--- a/src/dec/vp8l_dec.c
+++ b/src/dec/vp8l_dec.c
@@ -1527,7 +1527,6 @@ int VP8LDecodeAlphaHeader(ALPHDecoder* const alph_dec,
   if (dec == NULL) return 0;
 
   assert(alph_dec != NULL);
-  alph_dec->vp8l_dec_ = dec;
 
   dec->width_ = alph_dec->width_;
   dec->height_ = alph_dec->height_;
@@ -1559,11 +1558,12 @@ int VP8LDecodeAlphaHeader(ALPHDecoder* const alph_dec,
 
   if (!ok) goto Err;
 
+  // Only set here, once we are sure it is valid (to avoid thread races).
+  alph_dec->vp8l_dec_ = dec;
   return 1;
 
  Err:
-  VP8LDelete(alph_dec->vp8l_dec_);
-  alph_dec->vp8l_dec_ = NULL;
+  VP8LDelete(dec);
   return 0;
 }