From 207d03b484cfffdbd4eb12701bc1a8b9cb05d874 Mon Sep 17 00:00:00 2001
From: skal
Date: Wed, 26 Mar 2014 17:02:51 +0100
Subject: [PATCH] fix out-of-bound read during alpha-plane decoding
With -bypass_filter switched on, the lossless-compressed data is decoded ahead of time (before being transformed and display). Hence, the last row was called twice.
http://code.google.com/p/webp/issues/detail?id=193
Change-Id: I9e13f495f6bd6f75fa84c4a21911f14c402d4b10
---
 src/dec/vp8l.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/dec/vp8l.c b/src/dec/vp8l.c
index 159eefa3..47584c8a 100644
--- a/src/dec/vp8l.c
+++ b/src/dec/vp8l.c
@@ -12,8 +12,8 @@
 // Authors: Vikas Arora (vikaas.arora@gmail.com)
 // Jyrki Alakuijala (jyrki@google.com)
-#include
 #include
+
 #include "./alphai.h"
 #include "./vp8li.h"
 #include "../dsp/lossless.h"
@@ -740,6 +740,7 @@ static int DecodeAlphaData(VP8LDecoder* const dec, uint8_t* const data,
 const int len_code_limit = NUM_LITERAL_CODES + NUM_LENGTH_CODES;
 const int mask = hdr->huffman_mask_;
 assert(htree_group != NULL);
+ assert(pos < end);
 assert(last_row <= height);
 assert(Is8bOptimizable(hdr));
@@ -830,6 +831,7 @@ static int DecodeImageData(VP8LDecoder* const dec, uint32_t* const data,
 (hdr->color_cache_size_ > 0) ? &hdr->color_cache_ : NULL;
 const int mask = hdr->huffman_mask_;
 assert(htree_group != NULL);
+ assert(src < src_end);
 assert(src_last <= src_end);
 while (!br->eos_ && src < src_last) {
@@ -1294,6 +1296,10 @@ int VP8LDecodeAlphaImageStream(ALPHDecoder* const alph_dec, int last_row) {
 assert(dec->action_ == READ_DATA);
 assert(last_row <= dec->height_);
+ if (dec->last_pixel_ == dec->width_ * dec->height_) {
+ return 1; // done
+ }
+
 // Decode (with special row processing).
 return alph_dec->use_8b_decode ?
 DecodeAlphaData(dec, (uint8_t*)dec->pixels_, dec->width_, dec->height_,
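Review bot: The added `assert(pos < end);` in DecodeAlphaData, and the matching `assert(src < src_end);` in DecodeImageData, are compiled out when NDEBUG is defined, so in a release build they document the precondition but do not stop a repeated call from reading past the pixel buffer. The only runtime protection in this patch is the early return in VP8LDecodeAlphaImageStream; any other caller of these two functions, none of which are visible here, has to uphold the precondition itself. I would record that next to each assert, for example `// Precondition (debug-only check): callers must not re-enter once every pixel has been decoded.` Both function bodies begin and end outside their hunks.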
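Review bot: The completion test `dec->last_pixel_ == dec->width_ * dec->height_` in VP8LDecodeAlphaImageStream relies on exact equality, so a state where last_pixel_ has moved past the pixel count would fall through to the decoder, and with asserts disabled nothing downstream in this patch would catch it. `if (dec->last_pixel_ >= dec->width_ * dec->height_) {` is the more defensive form for a guard that exists to prevent an out-of-bound read on decoded file data. If width_ and height_ are plain int (their declarations are not in this hunk), a short comment naming where the dimensions are bounded would also show that the product cannot overflow. The function body continues past the end of the hunk.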