From eb7f9cefc2320c7ea0773f918f80462e9d1e46dd Mon Sep 17 00:00:00 2001
From: Hubert Figuière <hub@figuiere.net>
Date: Mon, 26 Feb 2018 01:50:40 -0500
Subject: 2.4.x: Bug 105247 - Fix a null dereference in WEBP parser

---
 XMPFiles/source/FormatSupport/WEBP_Support.cpp | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(limited to 'XMPFiles/source/FormatSupport')

diff --git a/XMPFiles/source/FormatSupport/WEBP_Support.cpp b/XMPFiles/source/FormatSupport/WEBP_Support.cpp
index a211697..ffaf220 100644
--- a/XMPFiles/source/FormatSupport/WEBP_Support.cpp
+++ b/XMPFiles/source/FormatSupport/WEBP_Support.cpp
@@ -120,8 +120,10 @@ VP8XChunk::VP8XChunk(Container* parent)
     this->data.assign(this->size, 0);
     XMP_Uns8* bitstream =
         (XMP_Uns8*)parent->chunks[WEBP_CHUNK_IMAGE][0]->data.data();
-    XMP_Uns32 width = ((bitstream[7] << 8) | bitstream[6]) & 0x3fff;
-    XMP_Uns32 height = ((bitstream[9] << 8) | bitstream[8]) & 0x3fff;
+    // See bug https://bugs.freedesktop.org/show_bug.cgi?id=105247
+    // bitstream could be NULL.
+    XMP_Uns32 width = bitstream ? ((bitstream[7] << 8) | bitstream[6]) & 0x3fff : 0;
+    XMP_Uns32 height = bitstream ? ((bitstream[9] << 8) | bitstream[8]) & 0x3fff : 0;
     this->width(width);
     this->height(height);
     parent->vp8x = this;
-- 
cgit v1.2.3