jchuff.c/flush_bits(): Guard against free_bits < 0

This fixes a buffer overrun, reported by OSS-Fuzz, that occurred when
attempting to transform a specially-crafted malformed arithmetic-coded
JPEG image into a baseline Huffman-coded JPEG destination image with
default Huffman tables.  This issue probably had a similar root cause to
the issue fixed in 31a3013, but in this
case, the issue only occurred with the SIMD baseline Huffman encoder in
libjpeg-turbo 2.1.x and 2.0.x.  It was not reproducible in 3.0.x or when
using the C baseline Huffman encoder.  (NOTE: In order to reproduce the
issue with 2.1.x, it was necessary to revert
58cee6d.)

Author: dcommander

jchuff.c

@@ -500,6 +500,8 @@ flush_bits(working_state *state)
   int localbuf = 0;
 
   if (state->simd) {
+    if (state->cur.free_bits < 0)
+      ERREXIT(state->cinfo, JERR_BAD_DCT_COEF);
 #if defined(__aarch64__) && !defined(NEON_INTRINSICS)
     put_bits = state->cur.free_bits;
 #else