Fix out-of-bounds write in partial decomp. feature

Reported by Clang UBSan (refer to
https://bugzilla.mozilla.org/show_bug.cgi?id=1301252 for test image.)
This appears to be a legitimate bug introduced by
3ab68cf563f6edc2608c085f5c8b2d5d5c61157e.  Any component array, such
as first_MCU_col and last_MCU_col, should always be able to accommodate
MAX_COMPONENTS values.  The aforementioned test image had 8 components,
which was not enough to make the out-of-bounds write bust out of the
jpeg_decomp_master struct (and fortunately the memory after last_MCU_col
is an integer used as a boolean, so stomping on it will do nothing other
than change the decoder state.)  I crafted another special image that
has 10 components (the maximum allowable), but that was apparently not
enough to bust out of the allocated memory, either.  Thus, it is
posited that the security threat posed by this bug is either extremely
minimal or non-existent.
2 files changed
tree: f0cb647e573b1660cfba7c442eb5d8a20984f16f
  1. .gitignore
  2. BUILDING.md
  3. CMakeLists.txt
  4. ChangeLog.md
  5. LICENSE.md
  6. Makefile.am
  7. README.ijg
  8. README.md
  9. acinclude.m4
  10. bmp.c
  11. bmp.h
  12. cderror.h
  13. cdjpeg.c
  14. cdjpeg.h
  15. change.log
  16. cjpeg.1
  17. cjpeg.c
  18. cmakescripts/
  19. coderules.txt
  20. configure.ac
  21. djpeg.1
  22. djpeg.c
  23. doc/
  24. doxygen-extra.css
  25. doxygen.config
  26. example.c
  27. jaricom.c
  28. java/
  29. jcapimin.c
  30. jcapistd.c
  31. jcarith.c
  32. jccoefct.c
  33. jccolext.c
  34. jccolor.c
  35. jcdctmgr.c
  36. jchuff.c
  37. jchuff.h
  38. jcinit.c
  39. jcmainct.c
  40. jcmarker.c
  41. jcmaster.c
  42. jcomapi.c
  43. jconfig.h.in
  44. jconfig.txt
  45. jconfigint.h.in
  46. jcparam.c
  47. jcphuff.c
  48. jcprepct.c
  49. jcsample.c
  50. jcstest.c
  51. jctrans.c
  52. jdapimin.c
  53. jdapistd.c
  54. jdarith.c
  55. jdatadst-tj.c
  56. jdatadst.c
  57. jdatasrc-tj.c
  58. jdatasrc.c
  59. jdcoefct.c
  60. jdcoefct.h
  61. jdcol565.c
  62. jdcolext.c
  63. jdcolor.c
  64. jdct.h
  65. jddctmgr.c
  66. jdhuff.c
  67. jdhuff.h
  68. jdinput.c
  69. jdmainct.c
  70. jdmainct.h
  71. jdmarker.c
  72. jdmaster.c
  73. jdmaster.h
  74. jdmerge.c
  75. jdmrg565.c
  76. jdmrgext.c
  77. jdphuff.c
  78. jdpostct.c
  79. jdsample.c
  80. jdsample.h
  81. jdtrans.c
  82. jerror.c
  83. jerror.h
  84. jfdctflt.c
  85. jfdctfst.c
  86. jfdctint.c
  87. jidctflt.c
  88. jidctfst.c
  89. jidctint.c
  90. jidctred.c
  91. jinclude.h
  92. jmemmgr.c
  93. jmemnobs.c
  94. jmemsys.h
  95. jmorecfg.h
  96. jpeg_nbits_table.h
  97. jpegcomp.h
  98. jpegint.h
  99. jpeglib.h
  100. jpegtran.1
  101. jpegtran.c
  102. jquant1.c
  103. jquant2.c
  104. jsimd.h
  105. jsimd_none.c
  106. jsimddct.h
  107. jstdhuff.c
  108. jutils.c
  109. jversion.h
  110. libjpeg.map.in
  111. libjpeg.txt
  112. md5/
  113. rdbmp.c
  114. rdcolmap.c
  115. rdgif.c
  116. rdjpgcom.1
  117. rdjpgcom.c
  118. rdppm.c
  119. rdrle.c
  120. rdswitch.c
  121. rdtarga.c
  122. release/
  123. sharedlib/
  124. simd/
  125. structure.txt
  126. testimages/
  127. tjbench.c
  128. tjbenchtest.in
  129. tjbenchtest.java.in
  130. tjexampletest.in
  131. tjunittest.c
  132. tjutil.c
  133. tjutil.h
  134. transupp.c
  135. transupp.h
  136. turbojpeg-jni.c
  137. turbojpeg-mapfile
  138. turbojpeg-mapfile.jni
  139. turbojpeg.c
  140. turbojpeg.h
  141. usage.txt
  142. win/
  143. wizard.txt
  144. wrbmp.c
  145. wrgif.c
  146. wrjpgcom.1
  147. wrjpgcom.c
  148. wrppm.c
  149. wrppm.h
  150. wrrle.c
  151. wrtarga.c