Reproduce with the following JPEG byte slice: [255, 216, 255, 217]
```rust
#![no_main]
use libfuzzer_sys::fuzz_target;
use std::io;
use image::ImageDecoder;

fuzz_target!(|data: &[u8]| {
    let result = image::codecs::jpeg::JpegDecoder::new(io::Cursor::new(data));
    let decoder = match result {
        Ok(d) => d,
        Err(_) => return,
    };
    if decoder.total_bytes() > 2_000_000_000 {
        return;
    }
    let mut buf = vec![0; decoder.total_bytes() as usize];
    let _ = decoder.read_image(&mut buf);
});
```
```
thread '<unnamed>' panicked at 'called `Option::unwrap()` on a `None` value', /Users/coreyf/.cargo/registry/src/github.jparrowsec.cn-1ecc6299db9ec823/jpeg-decoder-0.1.21/src/decoder.rs:412:41
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
==22439== ERROR: libFuzzer: deadly signal
    #0 0x106523890 in __sanitizer_print_stack_trace+0x28 (librustc-nightly_rt.asan.dylib:arm64+0x47890)
    #1 0x105444244 in fuzzer::PrintStackTrace()+0x30 (jpeg:arm64+0x100ec4244)
    #2 0x105438e7c in fuzzer::Fuzzer::CrashCallback()+0x54 (jpeg:arm64+0x100eb8e7c)
    #3 0x182764c40 in _sigtramp+0x34 (libsystem_platform.dylib:arm64+0x3c40)
    #4 0x631880018271cc20 (<unknown module>)
    #5 0xe41e800182664860 (<unknown module>)
    #6 0x6c670001054b05d0 (<unknown module>)
    #7 0x1045eff0c in image::codecs::jpeg::decoder::JpegDecoder$LT$R$GT$::new::h4d15dafbf93e2fbf+0x1a4 (jpeg:arm64+0x10006ff0c)
    #8 0x104601584 in rust_fuzzer_test_input+0x4b4 (jpeg:arm64+0x100081584)
    #9 0x105438034 in __rust_try+0x14 (jpeg:arm64+0x100eb8034)
    #10 0x10543a6c4 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long)+0x154 (jpeg:arm64+0x100eba6c4)
    #11 0x10543cc78 in fuzzer::Fuzzer::MinimizeCrashLoop(std::__1::vector<unsigned char, fuzzer::fuzzer_allocator<unsigned char> > const&)+0xf0 (jpeg:arm64+0x100ebcc78)
    #12 0x1054547e4 in fuzzer::MinimizeCrashInputInternalStep(fuzzer::Fuzzer*, fuzzer::InputCorpus*)+0xd8 (jpeg:arm64+0x100ed47e4)
    #13 0x1054573f0 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long))+0x1418 (jpeg:arm64+0x100ed73f0)
    #14 0x10546563c in main+0x24 (jpeg:arm64+0x100ee563c)
    #15 0x182738f30 in start+0x0 (libdyld.dylib:arm64+0x16f30)

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
MS: 1 EraseBytes-; base unit: 0000000000000000000000000000000000000000
0xff,0xd8,0xff,0xd9,
\xff\xd8\xff\xd9
artifact_prefix='/Users/coreyf/dev/frewsxcv/fuzz-art/image-fuzzer/fuzz/artifacts/jpeg/'; Test unit written to /Users/coreyf/dev/frewsxcv/fuzz-art/image-fuzzer/fuzz/artifacts/jpeg/minimized-from-3f6140d251c515861e54d059b038258f4945f1c1
Base64: /9j/2Q==
```

Minimized artifact: `fuzz/artifacts/jpeg/minimized-from-3f6140d251c515861e54d059b038258f4945f1c1`

Output of `std::fmt::Debug`: `[255, 216, 255, 217]`
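The minimized input is just SOI (`FF D8`) immediately followed by EOI (`FF D9`), so the decoder reaches end-of-image without ever having seen a frame header. As an added illustration (not jpeg-decoder's or image's own code), here is a small marker walker that treats that case, and every other truncated or malformed marker sequence, as an `Err` rather than an `unwrap` panic; it assumes only the standard JPEG marker layout and uses constructed sample bytes.

```rust
// Added example, not jpeg-decoder's implementation: walk JPEG marker segments
// and report the first SOF's (height, width), failing with an Err on any
// degenerate input instead of panicking.
#[derive(Debug, PartialEq)]
pub enum ScanError {
    MissingSoi,
    Truncated,
    EoiBeforeFrame,
    BadMarker(u8),
    BadLength(u16),
}

/// Minimized fuzz input from this report (constructed here for the example).
pub const MINIMIZED_CRASH_INPUT: [u8; 4] = [0xFF, 0xD8, 0xFF, 0xD9];

pub fn frame_dimensions(data: &[u8]) -> Result<(u16, u16), ScanError> {
    if data.len() < 2 || data[0] != 0xFF || data[1] != 0xD8 {
        return Err(ScanError::MissingSoi);
    }
    let mut pos = 2;
    loop {
        // Every segment starts with 0xFF followed by the marker byte.
        let marker = match data.get(pos..pos + 2) {
            Some([0xFF, m]) => *m,
            Some(_) => return Err(ScanError::BadMarker(data[pos])),
            None => return Err(ScanError::Truncated),
        };
        pos += 2;
        match marker {
            0xD9 => return Err(ScanError::EoiBeforeFrame), // EOI with no SOF seen
            0xD8 | 0x01 | 0xD0..=0xD7 => continue,         // stand-alone markers, no length
            _ => {}
        }
        // All other markers carry a big-endian length that counts itself.
        let len = match data.get(pos..pos + 2) {
            Some(&[hi, lo]) => u16::from_be_bytes([hi, lo]),
            _ => return Err(ScanError::Truncated),
        };
        if len < 2 {
            return Err(ScanError::BadLength(len));
        }
        let body = data.get(pos + 2..pos + len as usize).ok_or(ScanError::Truncated)?;
        // SOF0..SOF15 are 0xC0..=0xCF except DHT (C4), JPG (C8) and DAC (CC).
        if matches!(marker, 0xC0..=0xCF) && !matches!(marker, 0xC4 | 0xC8 | 0xCC) {
            if body.len() < 5 {
                return Err(ScanError::Truncated);
            }
            // body: precision(1), height(2), width(2), ...
            return Ok((u16::from_be_bytes([body[1], body[2]]), u16::from_be_bytes([body[3], body[4]])));
        }
        pos += len as usize;
    }
}
```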
I had transferred this because it initially hits an unwrap in codecs. Then I noted that it also hits an additional one in jpeg-decoder itself. But it's probably slightly more appropriate here, then.