schenney@ -- can you please take a look and help triage this more accurately? Thanks.

Adding component "Internals>Images>Codecs" though I am not sure if that is the right component.

Reproduces on 53.0.2785.89 (64-bit) on OSX

That's the right component. Thanks.

I'm OOO at the moment.  Looks like a denial of service corrupt JPEG, bones Firefox and the OSX image viewer too.

Looks to be stuck in jpeg_start_decompress().  It isn't fixed in the latest version of upstream.

I'm taking a look.  Can anyone suggest if it's ok to CC the maintainer of libjpeg-turbo on this type of bug?

Removing security labels.

DRC, have you seen this?

Sounds suspiciously like a problem reported in

http://www.libjpeg-turbo.org/pmwiki/uploads/About/TwoIssueswiththeJPEGStandard.pdf

Can you confirm that the specially-crafted JPEG is a progressive image with a ridiculous number of scans?  If so, then the report details a technique that you can use to restrict the allowable number of progressive scans to a more reasonable value.

Yes that's exactly the issue.  Is the maximum number of scans allowed configurable?

The report includes sample code on how to accomplish that using a libjpeg progress monitor.

Page 15

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/75bac58d037d14d78babf75e674654062a1c85eb

commit 75bac58d037d14d78babf75e674654062a1c85eb
Author: Matt Sarett <msarett@chromium.org>
Date: Mon Nov 07 18:21:56 2016

Fail to decode jpegs on a large number of progressive scans

BUG= 642462 
R=scroggo@chromium.org

Review URL: https://codereview.chromium.org/2482883002 .

Cr-Commit-Position: refs/heads/master@{#430321}

[modify] https://crrev.com/75bac58d037d14d78babf75e674654062a1c85eb/third_party/WebKit/Source/platform/image-decoders/ImageDecoderTestHelpers.h
[modify] https://crrev.com/75bac58d037d14d78babf75e674654062a1c85eb/third_party/WebKit/Source/platform/image-decoders/gif/GIFImageDecoderTest.cpp
[modify] https://crrev.com/75bac58d037d14d78babf75e674654062a1c85eb/third_party/WebKit/Source/platform/image-decoders/jpeg/JPEGImageDecoder.cpp
[modify] https://crrev.com/75bac58d037d14d78babf75e674654062a1c85eb/third_party/WebKit/Source/platform/image-decoders/jpeg/JPEGImageDecoderTest.cpp
[add] https://crrev.com/75bac58d037d14d78babf75e674654062a1c85eb/third_party/WebKit/Source/platform/image-decoders/testing/many-progressive-scans.jpg

The following revision refers to this bug:
  https://skia.googlesource.com/skia.git/+/dbdf6d210b7e34d66df8b08596c690b9b12e7f8a

commit dbdf6d210b7e34d66df8b08596c690b9b12e7f8a
Author: Matt Sarett <msarett@google.com>
Date: Tue Nov 08 20:26:56 2016

Fail jpeg decodes on too many progressive scans

BUG:642462

GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=4560

Change-Id: I22891ce1e0b3a1bedefc34dadd5cf34dfc301b79
Reviewed-on: https://skia-review.googlesource.com/4560
Reviewed-by: Leon Scroggins <scroggo@google.com>
Commit-Queue: Matt Sarett <msarett@google.com>

[add] https://crrev.com/dbdf6d210b7e34d66df8b08596c690b9b12e7f8a/resources/invalid_images/many-progressive-scans.jpg
[modify] https://crrev.com/dbdf6d210b7e34d66df8b08596c690b9b12e7f8a/src/codec/SkJpegDecoderMgr.cpp
[modify] https://crrev.com/dbdf6d210b7e34d66df8b08596c690b9b12e7f8a/src/codec/SkJpegDecoderMgr.h
[modify] https://crrev.com/dbdf6d210b7e34d66df8b08596c690b9b12e7f8a/tests/CodecTest.cpp

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3baac7bfbce401ba30bd36b6210561f9bda2f94d

commit 3baac7bfbce401ba30bd36b6210561f9bda2f94d
Author: msarett <msarett@google.com>
Date: Tue Nov 08 22:08:01 2016

Replace many-progressive-scans test image with smaller version

Drops test time to 1ms on my Linux machine.

BUG= 663354 
BUG= 642462 

Review-Url: https://codereview.chromium.org/2486043002
Cr-Commit-Position: refs/heads/master@{#430734}

[modify] https://crrev.com/3baac7bfbce401ba30bd36b6210561f9bda2f94d/third_party/WebKit/Source/platform/image-decoders/testing/many-progressive-scans.jpg