From f9298cb8b4b9133250f48b3486bbdb928aed8f8c Mon Sep 17 00:00:00 2001
From: Vincent Rabaud
Date: Mon, 9 Jul 2018 20:20:52 +0200
Subject: [PATCH] Make sure partition #0 is read before VP8 data in IDecode.
BUG=oss-fuzz:9186,webp:512
Change-Id: Ie0b264b6422774343206ddba3c2820a0cf37ffc0
(cherry picked from commit 5f0f5c07c460c286c8da25f986e1b152079a79b8)
(cherry picked from commit 99d079023372016da046eaea3719ba0f78da3322)
---
 src/dec/idec_dec.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/dec/idec_dec.c b/src/dec/idec_dec.c
index 205ca7a5..6a44236a 100644
--- a/src/dec/idec_dec.c
+++ b/src/dec/idec_dec.c
@@ -449,7 +449,10 @@ static VP8StatusCode DecodeRemaining(WebPIDecoder* const idec) {
 VP8Decoder* const dec = (VP8Decoder*)idec->dec_;
 VP8Io* const io = &idec->io_;
- assert(dec->ready_);
+ // Make sure partition #0 has been read before, to set dec to ready_.
+ if (!dec->ready_) {
+ return IDecError(idec, VP8_STATUS_BITSTREAM_ERROR);
+ }
 for (; dec->mb_y_ < dec->mb_h_; ++dec->mb_y_) {
 if (idec->last_mb_y_ != dec->mb_y_) {
 if (!VP8ParseIntraModeRow(&dec->br_, dec)) {
@@ -570,6 +573,10 @@ static VP8StatusCode IDecode(WebPIDecoder* idec) {
 status = DecodePartition0(idec);
 }
 if (idec->state_ == STATE_VP8_DATA) {
+ const VP8Decoder* const dec = (VP8Decoder*)idec->dec_;
+ if (dec == NULL) {
+ return VP8_STATUS_SUSPENDED; // can't continue if we have no decoder.
+ }
 status = DecodeRemaining(idec);
 }
 if (idec->state_ == STATE_VP8L_HEADER) {
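Review bot: The new `!dec->ready_` test in DecodeRemaining still dereferences `dec` unconditionally, so the function now relies on the NULL guard this commit adds in IDecode before the call. That precondition is not written down in the hunk, and any other caller of DecodeRemaining (none is visible here) would fault on this line with a NULL `idec->dec_`. I would either fold the test in as `if (dec == NULL || !dec->ready_) {`, or extend the comment to `// Caller guarantees dec != NULL; partition #0 must have been parsed (ready_ set) before macroblock data.` Replacing the assert with a runtime check is the right direction, since an assert is compiled out under NDEBUG and the malformed stream then reaches the row loop. The function body continues past the end of the hunk.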
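Review bot: The early `return VP8_STATUS_SUSPENDED;` in the STATE_VP8_DATA branch exits without going through IDecError, unlike the check added in DecodeRemaining, and it discards the `status` assigned by the earlier stage on the context line above. SUSPENDED tells the caller to supply more data, so if a NULL decoder in this state is an inconsistency rather than a wait condition, the caller may keep feeding input to a decoder that cannot make progress; the hunk alone does not show which it is. A comment stating when `idec->dec_` can be NULL here would settle that, and if it is an error, `return IDecError(idec, VP8_STATUS_BITSTREAM_ERROR);` would match the other hunk. The local is used only for the NULL test, so `if (idec->dec_ == NULL) {` avoids the cast and the extra variable. IDecode begins before and continues after the hunk.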