Panic when decoding JPEG: assertion failed in bitstream decoding #316

@Yomihay-qut

Description
Hello, I discovered a panic in zune-jpeg (version 0.5.5) while fuzzing image-tiff with cargo-fuzz. The parser panics with an assertion failure in src/bitstream.rs.

Panic Location
src/bitstream.rs:403:9

Reproduction Code
Here is a minimal reproduction case that triggers the crash (using cargo fuzz):

cargo fuzz run decode_image fuzz/artifacts/decode_image/crash-129aea8cda06194c29e48d1826eaae2feaa1be1e

Stack Trace

thread '<unnamed>' panicked at /home/zx/.cargo/registry/src/rsproxy.cn-e3de039b2554c837/zune-jpeg-0.5.5/src/bitstream.rs:403:9:
assertion failed: self.bits_left >= n
stack backtrace:
   0: rust_begin_unwind
   1: core::panicking::panic_fmt
   2: core::panicking::panic
   3: <zune_jpeg::bitstream::BitStream>::decode_mcu_block
             at /home/zx/.cargo/registry/src/rsproxy.cn-e3de039b2554c837/zune-jpeg-0.5.5/src/bitstream.rs:403:9
   4: <zune_jpeg::decoder::JpegDecoder<...>>::decode_mcu_width
             at /home/zx/.cargo/registry/src/rsproxy.cn-e3de039b2554c837/zune-jpeg-0.5.5/src/mcu.rs:425:45
   5: <zune_jpeg::decoder::JpegDecoder<...>>::decode_mcu_ycbcr_baseline
             at /home/zx/.cargo/registry/src/rsproxy.cn-e3de039b2554c837/zune-jpeg-0.5.5/src/mcu.rs:217:26

Environment

  • zune-jpeg version: 0.5.5
  • Rust: stable (used via cargo-fuzz)
  • OS: Linux

Multiple samples

  • Multiple fuzzing artifacts in Panic_Assertion__zune-jpeg-0.5.5_src_bitstream.rs_403.zip reproduce this assertion; any one of them can be used to reproduce the panic.

Panic_Assertion__zune-jpeg-0.5.5_src_bitstream.rs_403.zip
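As an added example (not zune-jpeg's own code and not the reporter's), this is the defensive shape a bit reader takes so that short or malformed input reaches the caller as an error rather than tripping an assertion like `self.bits_left >= n`, which on untrusted input turns a bad file into a process abort. The `BitReader`, `BitError`, the 4-bit-width entry format and the byte values in the test are all constructed for this illustration.

```rust
// Constructed illustration (not zune-jpeg's code): an MSB-first bit reader whose
// get_bits() reports exhausted input as an Err instead of asserting.
#[derive(Debug, PartialEq)]
pub enum BitError {
    /// The caller asked for `needed` bits but only `available` remained.
    Exhausted { needed: u8, available: u8 },
}

pub struct BitReader<'a> {
    data: &'a [u8],
    pos: usize,
    buffer: u64, // left-aligned accumulator: the top `bits_left` bits are valid
    bits_left: u8,
}

impl<'a> BitReader<'a> {
    pub fn new(data: &'a [u8]) -> Self {
        BitReader { data, pos: 0, buffer: 0, bits_left: 0 }
    }

    /// Pull whole bytes into the accumulator while there is room and input left.
    fn refill(&mut self) {
        while self.bits_left <= 56 && self.pos < self.data.len() {
            self.buffer |= (self.data[self.pos] as u64) << (56 - self.bits_left);
            self.pos += 1;
            self.bits_left += 8;
        }
    }

    /// Read `n` (0..=32) bits; truncated input yields Err where an
    /// `assert!(self.bits_left >= n)` would abort the whole process.
    pub fn get_bits(&mut self, n: u8) -> Result<u32, BitError> {
        if n == 0 { return Ok(0); }
        if self.bits_left < n { self.refill(); }
        if self.bits_left < n {
            return Err(BitError::Exhausted { needed: n, available: self.bits_left });
        }
        let value = (self.buffer >> (64 - n)) as u32;
        self.buffer <<= n;
        self.bits_left -= n;
        Ok(value)
    }
}

/// Constructed stream format: each entry is a 4-bit width followed by that many
/// value bits. Declared widths that outrun the data give Err, not a panic.
pub fn decode_entries(data: &[u8], count: usize) -> Result<Vec<u32>, BitError> {
    let mut r = BitReader::new(data);
    let mut out = Vec::with_capacity(count);
    for _ in 0..count {
        let width = r.get_bits(4)? as u8;
        out.push(r.get_bits(width)?);
    }
    Ok(out)
}
```

A fuzz target written against `decode_entries` then only has to assert that the call returns, and any remaining panic is a genuine finding rather than an expected rejection of bad input.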
