nb_celp: add missing guard before memset

Fixes: Null-dereference WRITE in nb_decode
Fixes: clusterfuzz-testcase-minimized-speex_decode_fuzzer_fixed-5091735494524928

Regression from commit 630163d19be79c37d28b5e2d25f8a0aed669d639

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/speex
Signed-off-by: Tristan Matthews <tmatth@videolan.org>

libspeex/nb_celp.c

@@ -1467,7 +1467,8 @@ int nb_decode(void *state, SpeexBits *bits, void *vout)
 
       /* Normally this is written to later but since this is returning early,
          avoid reading uninitialized memory in caller */
-      SPEEX_MEMSET(st->innov_save, 0, NB_NB_SUBFRAMES*NB_SUBFRAME_SIZE);
+      if (st->innov_save)
+         SPEEX_MEMSET(st->innov_save, 0, NB_NB_SUBFRAMES*NB_SUBFRAME_SIZE);
 
       st->count_lost=0;
       return 0;