From 0bb3916d215e11a6c87a44055bb9334388031e2f Mon Sep 17 00:00:00 2001
From: James Zern
Date: Mon, 18 Mar 2024 14:13:29 -0700
Subject: [PATCH 1/4] avifMetaDestroy: check meta pointer before accessing fixes a NULL dereference should avifMetaCreate() fail and avifDecoderDataDestroy() is called to clean up. Found by Nallocfuzz (https://github.com/catenacyber/nallocfuzz).
---
 src/read.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/read.c b/src/read.c
index 87005a7d14..f202b9b8e7 100644
--- a/src/read.c
+++ b/src/read.c
@@ -760,6 +760,7 @@ static avifMeta * avifMetaCreate()
 static void avifMetaDestroy(avifMeta * meta)
 {
+ if (meta == NULL) return;
 for (uint32_t i = 0; i < meta->items.count; ++i) {
 avifDecoderItem * item = meta->items.item[i];
 avifArrayDestroy(&item->properties);
From 3445b59ace73b6708f48c172c8690fdd70e0aeda Mon Sep 17 00:00:00 2001
From: James Zern
Date: Mon, 18 Mar 2024 14:18:37 -0700
Subject: [PATCH 2/4] read.c: fix formatting
---
 src/read.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/read.c b/src/read.c
index f202b9b8e7..d1aa71a3e6 100644
--- a/src/read.c
+++ b/src/read.c
@@ -760,7 +760,10 @@ static avifMeta * avifMetaCreate()
 static void avifMetaDestroy(avifMeta * meta)
 {
- if (meta == NULL) return;
+ if (meta == NULL) {
+ return;
+ }
+
 for (uint32_t i = 0; i < meta->items.count; ++i) {
 avifDecoderItem * item = meta->items.item[i];
 avifArrayDestroy(&item->properties);
From 8d8ed478e7553f008adbe97f71932d010c3ad289 Mon Sep 17 00:00:00 2001
From: James Zern
Date: Mon, 18 Mar 2024 14:19:32 -0700
Subject: [PATCH 3/4] read.c: fix formatting x 2
---
 src/read.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/read.c b/src/read.c
index d1aa71a3e6..8065af6c05 100644
--- a/src/read.c
+++ b/src/read.c
@@ -761,7 +761,7 @@ static avifMeta * avifMetaCreate()
 static void avifMetaDestroy(avifMeta * meta)
 {
 if (meta == NULL) {
- return;
+ return;
 }
 for (uint32_t i = 0; i < meta->items.count; ++i) {
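Review bot: The `if (meta == NULL) return;` guard added to avifMetaDestroy() in PATCH 1/4 makes the destructor NULL-tolerant, but nothing in the code records that contract or why it exists. A one-line comment above the guard, such as `// meta is NULL when avifMetaCreate() failed and cleanup runs on a partially built decoder data.`, would keep a later cleanup from dropping it. The loop that follows still dereferences `item` taken from `meta->items.item[i]` without a check; whether an entry can be NULL after a failed allocation is not visible here and is worth confirming, since this path was reached by allocation-failure fuzzing. The function body continues past the end of the hunk.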
From 0ca98f269176a7bf65372226890b41322a82f52a Mon Sep 17 00:00:00 2001
From: James Zern
Date: Mon, 18 Mar 2024 15:17:19 -0700
Subject: [PATCH 4/4] read.c: relocate pointer check
---
 src/read.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/src/read.c b/src/read.c
index 8065af6c05..6872ba5892 100644
--- a/src/read.c
+++ b/src/read.c
@@ -760,10 +760,6 @@ static avifMeta * avifMetaCreate()
 static void avifMetaDestroy(avifMeta * meta)
 {
- if (meta == NULL) {
- return;
- }
-
 for (uint32_t i = 0; i < meta->items.count; ++i) {
 avifDecoderItem * item = meta->items.item[i];
 avifArrayDestroy(&item->properties);
@@ -997,7 +993,9 @@ static void avifDecoderDataClearTiles(avifDecoderData * data)
 static void avifDecoderDataDestroy(avifDecoderData * data)
 {
- avifMetaDestroy(data->meta);
+ if (data->meta) {
+ avifMetaDestroy(data->meta);
+ }
 for (uint32_t i = 0; i < data->tracks.count; ++i) {
 avifTrack * track = &data->tracks.track[i];
 if (track->sampleTable) {
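Review bot: After the first hunk, avifMetaDestroy() again reads `meta->items.count` with no guard, and the NULL check exists only at the single call in avifDecoderDataDestroy() in the second hunk, so any other caller of avifMetaDestroy() (none are visible in these hunks) must carry its own check. If the caller-side check is the intended convention, record the precondition on the callee with a comment such as `// meta must be non-NULL; callers check before calling.` so a future call site on an allocation-failure path does not reintroduce the NULL dereference. `data` itself is dereferenced unchecked in `if (data->meta) {`; whether avifDecoderDataDestroy() can be reached with a NULL `data` during failed construction is not visible from the hunk and should be confirmed. Both function bodies continue outside the hunks.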