From 438e9e146c090d9b842cfa80c133170391d5502b Mon Sep 17 00:00:00 2001 From: Tim Ledbetter Date: Fri, 3 Nov 2023 20:29:31 +0000 Subject: [PATCH] LibGfx/JPEG: Refill reservoir if necessary when discarding bits This condition was hit 157 times out of the 109,233 JPEG images in the Govdocs1 corpus. This change allows all of these images to load correctly. --- Tests/LibGfx/TestImageDecoder.cpp | 3 ++- .../test-inputs/jpg/oss-fuzz-testcase-63815.jpg | Bin 0 -> 4190 bytes .../Libraries/LibGfx/ImageFormats/JPEGLoader.cpp | 7 ++----- 3 files changed, 4 insertions(+), 6 deletions(-) create mode 100644 Tests/LibGfx/test-inputs/jpg/oss-fuzz-testcase-63815.jpg diff --git a/Tests/LibGfx/TestImageDecoder.cpp b/Tests/LibGfx/TestImageDecoder.cpp index 35f2915ba1..f61ae92013 100644 --- a/Tests/LibGfx/TestImageDecoder.cpp +++ b/Tests/LibGfx/TestImageDecoder.cpp @@ -270,7 +270,8 @@ TEST_CASE(test_jpeg_malformed_header) TEST_CASE(test_jpeg_malformed_frame) { Array test_inputs = { - TEST_INPUT("jpg/oss-fuzz-testcase-62584.jpg"sv) + TEST_INPUT("jpg/oss-fuzz-testcase-62584.jpg"sv), + TEST_INPUT("jpg/oss-fuzz-testcase-63815.jpg"sv) }; for (auto test_input : test_inputs) { diff --git a/Tests/LibGfx/test-inputs/jpg/oss-fuzz-testcase-63815.jpg b/Tests/LibGfx/test-inputs/jpg/oss-fuzz-testcase-63815.jpg new file mode 100644 index 0000000000000000000000000000000000000000..b28c6d380cb79ff10ee8e25cadebb740b26c9b01 GIT binary patch literal 4190 zcmex=0PHXZ1_l;ZW+o;^26hfk zE^bB!CMIT(BqLOok%5Vsg_R8~DZs$Q$jr>d!oSQc4att6h4;!716o zB{5~I+Y+CZI;*ZfWtabaDm#e=B^7-%Q@OaO z_GRvxTd~QT4zU+sGJWLIEFLnMgOf`_Qq9a&N=u?*);4X~Hd{?ePLP}1r!U_Qa`Xxhdxp+FNRUc71#IYnFqx)pyZ-$9sBxg^9t}HCdLB(E3=E^WVzfj7mH30Q z_^ci++(&D&;Zbe7nW{?t0%tNvYlK06w5>AQFxx?sM(tG+!DtOQXluYh)4ee^F)*?) pGBz`_G%~O>wlFa>HZe0cHa9UdFgGzaG&i#_GBh+XH68da8URFweq8_n literal 0 HcmV?d00001 diff --git a/Userland/Libraries/LibGfx/ImageFormats/JPEGLoader.cpp b/Userland/Libraries/LibGfx/ImageFormats/JPEGLoader.cpp index 3d2487ca4a..01668dc037 100644 
--- a/Userland/Libraries/LibGfx/ImageFormats/JPEGLoader.cpp
+++ b/Userland/Libraries/LibGfx/ImageFormats/JPEGLoader.cpp
@@ -296,11 +296,8 @@ public:
     {
         m_bit_offset += count;
-        if (m_bit_offset > bits_in_reservoir) {
-            // FIXME: I can't find a test case for that so let's leave it for later
-            // instead of inserting an hard-to-find bug.
-            TODO();
-        }
+        if (m_bit_offset > bits_in_reservoir)
+            TRY(refill_reservoir());
         return {};
     }
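Review bot: The new branch assumes a single refill_reservoir() call is enough to bring m_bit_offset back within bits_in_reservoir, which only holds if `count` can never exceed what one refill restores; the hunk shows neither the type or bound of `count` nor how refill_reservoir() adjusts m_bit_offset, so this is worth pinning down rather than leaving implicit. If a caller can discard more bits than one refill covers, m_bit_offset would still sit past the buffered bits afterwards and the next read would consume data that was never loaded, which is exactly the inconsistency the removed TODO() was guarding against by aborting. I would either loop, `while (m_bit_offset > bits_in_reservoir) TRY(refill_reservoir());`, or assert the precondition on entry with `VERIFY(count <= bits_in_reservoir);`, and add above the branch: `// Discarding may move the offset past the buffered bits; pull in more so the next read sees valid data.` The enclosing method's signature is above the hunk, so the declaration of count is not visible here.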