From 7bb6a9ccd6d4626af451777218a993173e7ef50f Mon Sep 17 00:00:00 2001
From: James Zern
Date: Tue, 31 Jan 2012 15:17:49 -0800
Subject: [PATCH] idec: fix internal state corruption
A call to Append/Update would index the parts_ array w/-1 as num_parts_ had yet to be set by DecodePartition0. This would cause corruption within the VP8Decoder member.
Fixes issue #106.
Change-Id: Ib9f2811594ff19e948a66fda862a4e0a384bb9aa
---
 src/dec/idec.c | 2 ++
 src/dec/vp8.c | 1 +
 2 files changed, 3 insertions(+)
diff --git a/src/dec/idec.c b/src/dec/idec.c
index fdce8839..e7733333 100644
--- a/src/dec/idec.c
+++ b/src/dec/idec.c
@@ -127,6 +127,7 @@ static int AppendToMemBuffer(WebPIDecoder* const idec,
 memcpy(mem->buf_ + mem->end_, data, data_size);
 mem->end_ += data_size;
 assert(mem->end_ <= mem->buf_size_);
+ assert(last_part >= 0);
 dec->parts_[last_part].buf_end_ = mem->buf_ + mem->end_;
 // note: setting up idec->io_ is only really needed at the beginning
@@ -155,6 +156,7 @@ static int RemapMemBuffer(WebPIDecoder* const idec,
 REMAP(dec->parts_[p].buf_end_, base, data);
 }
 }
+ assert(last_part >= 0);
 dec->parts_[last_part].buf_end_ = data + data_size;
 // Remap partition #0 data pointer to new offset.
diff --git a/src/dec/vp8.c b/src/dec/vp8.c
index 8f3889c5..b37d87d5 100644
--- a/src/dec/vp8.c
+++ b/src/dec/vp8.c
@@ -47,6 +47,7 @@ VP8Decoder* VP8New(void) {
 SetOk(dec);
 WebPWorkerInit(&dec->worker_);
 dec->ready_ = 0;
+ dec->num_parts_ = 1;
 }
 return dec;
 }
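Review bot: The new `assert(last_part >= 0);` in AppendToMemBuffer is compiled out when NDEBUG is defined, so a release build still has no guard on the `dec->parts_[last_part].buf_end_` write that follows it. Since the commit message describes this index reaching -1 on the Append/Update path, the condition is better rejected at run time, for example `if (last_part < 0) return 0;` ahead of the assignment, assuming 0 is this function's failure return (the convention is not visible in the hunk). The RemapMemBuffer hunk adds the same assert-only guard before its own `dec->parts_[last_part]` write and needs the same treatment. Both function bodies start and end outside their hunks, so how last_part is derived is taken from the commit message rather than from visible code.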
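Review bot: `dec->num_parts_ = 1;` in VP8New establishes an invariant that the idec.c asserts depend on, but nothing at the assignment says so. A comment such as `// Keep num_parts_ >= 1 so idec.c's last_part index is valid before DecodePartition0 runs.` would keep a later cleanup from removing the line as a redundant default. If any reset or clear path elsewhere zeroes the decoder again (none is visible in this patch), it would need the same initialization to preserve the invariant. VP8New begins above the hunk.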