jpeg-js DoS (infinite loop)

[sohomdatta1]

The following input can create a infinite loop inside jpeg-js causing it to never return:

const jpeg = require('jpeg-js');

let buf = Buffer.from( 'ffd8ffc1f151d800ff51d800ffdaffde', 'hex' );
jpeg.decode( buf );

Based on some preliminary debugging it appears to be related to the following code:

jpeg-js/lib/decoder.js

Lines 579 to 589 in b58cc11

	var maxH = 0, maxV = 0;
	var component, componentId;
	for (componentId in frame.components) {
	if (frame.components.hasOwnProperty(componentId)) {
	component = frame.components[componentId];
	if (maxH < component.h) maxH = component.h;
	if (maxV < component.v) maxV = component.v;
	}
	}
	var mcusPerLine = Math.ceil(frame.samplesPerLine / 8 / maxH);
	var mcusPerColumn = Math.ceil(frame.scanLines / 8 / maxV);

Here maxH and maxV are initialized to zero, but since there are no components, the values are never modified, leading to a divide by zero error in the last two line (which set mcusPerLine and mcusPerColumn to Infinity).

These values are later used inside the decodeAsScan() function, where the following loop condition never evaluates to false since mcuExpected is set to frame.mcusPerLine * frame.mcusPerColumn (i.e. Infinity * Infinity) at line 292 in /lib/decoder.js.

jpeg-js/lib/decoder.js

Line 297 in b58cc11

while (mcu < mcuExpected) {

found using jsfuzz

[sohomdatta1]

I've created a PR to fix this issue (#106) based on some digging around I did wrt to the JPEG specification.