Fix buffer overrun with certain narrow prog JPEGs

Regression introduced by 6d91e950c8

last_block_column in decompress_smooth_data() can be 0 if, for instance,
decompressing a 4:4:4 image of width 8 or less or a 4:2:2 or 4:2:0 image
of width 16 or less.  Since last_block_column is an unsigned int,
subtracting 1 from it produced 0xFFFFFFFF, the test in line 590 passed,
and we attempted to access blocks from a second block column that didn't
actually exist.

Closes #476

ChangeLog.md

@@ -1,3 +1,13 @@
+2.1 post-beta
+=============
+
+### Significant changes relative to 2.1 beta1
+
+1. Fixed a regression introduced by 2.1 beta1[6(b)] whereby attempting to
+decompress certain progressive JPEG images with one or more component planes of
+width 8 or less caused a buffer overrun.
+
+
 2.0.90 (2.1 beta1)
 ==================
 

jdcoefct.c

@@ -587,7 +587,7 @@ decompress_smooth_data(j_decompress_ptr cinfo, JSAMPIMAGE output_buf)
           DC19 = (int)next_block_row[1][0];
           DC24 = (int)next_next_block_row[1][0];
         }
-        if (block_num < last_block_column - 1) {
+        if (block_num + 1 < last_block_column) {
           DC05 = (int)prev_prev_block_row[2][0];
           DC10 = (int)prev_block_row[2][0];
           DC15 = (int)buffer_ptr[2][0];