Guard against num_components being a ridiculous value due to a corrupt header

git-svn-id: svn+ssh://svn.code.sf.net/p/libjpeg-turbo/code/branches/1.2.x@831 632fc199-4ca6-4c93-a231-07263d6284db

ChangeLog.txt

@@ -15,6 +15,10 @@ correct behavior of the colorspace extensions when merged upsampling is used.
 upper 64 bits of xmm6 and xmm7 on Win64 platforms, which violated the Win64
 calling conventions.
 
+[4] Fixed a regression caused by 1.2.0[6] whereby decompressing corrupt JPEG
+images (specifically, images in which the component count was erroneously set
+to a large value) would cause libjpeg-turbo to segfault.
+
 
 1.2.0
 =====

jdmarker.c

@@ -323,14 +323,15 @@ get_sos (j_decompress_ptr cinfo)
 
   /* Collect the component-spec parameters */
 
-  for (i = 0; i < cinfo->num_components; i++)
+  for (i = 0; i < MAX_COMPS_IN_SCAN; i++)
     cinfo->cur_comp_info[i] = NULL;
 
   for (i = 0; i < n; i++) {
     INPUT_BYTE(cinfo, cc, return FALSE);
     INPUT_BYTE(cinfo, c, return FALSE);
     
-    for (ci = 0, compptr = cinfo->comp_info; ci < cinfo->num_components;
+    for (ci = 0, compptr = cinfo->comp_info;
+	 ci < cinfo->num_components && ci < MAX_COMPS_IN_SCAN;
 	 ci++, compptr++) {
       if (cc == compptr->component_id && !cinfo->cur_comp_info[ci])
 	goto id_found;