zstd_safe::DCtx::decompress_stream may result in UB

[vilgotf]

The decompress_stream method internally calls ZSTD_decompressStream which has the following note:

Note: when an operation returns with an error code, the zds state may be left in undefined state.
It's UB to invoke ZSTD_decompressStream() on such a state.
In order to re-use such a state, it must be first reset,
which can be done explicitly (ZSTD_DCtx_reset()),
or is implied for operations starting some new decompression job (ZSTD_initDStream, ZSTD_decompressDCtx(), ZSTD_decompress_usingDict())

This is not enforced by zstd-safe and is left for callers to handle. The method must either be unsafe or error/panic when called on undefined state.

[gyscos]

Ouch, indeed.

I think we should add an internal flag that gets set on an error and reset on initialization/reset, and check that flag before running decompressStream. Technically not zero-cost, but a single (relatively easy to predict) extra branch per operation might not be terrible. And if this branch turns out to be such an issue, we can always add an unsafe version that skips the check (though I hope we don't need to).