JPEG has the ability to encode images progressively, that is, to encode images into multiple “scans” of differing resolutions, such that the lowest-resolution scan is decoded first and subsequent scans fill in the image detail. The progressive JPEG format also provides a feature, called an “EOB run”, that allows it to represent large blocks of zeroes using only a few bytes. One can combine these two features to generate an image with a very large number of progressive scans (say, 80,000), each of which uses the EOB run feature to represent millions of zero-value pixels using less than 100 bytes. Because millions of pixels are being represented, each of these scans takes significant time to decode, and the decode time goes up linearly with the number of 100-byte scans one adds to the image.

Mitigation:

These images are entirely legal, as the JPEG standard permits an unlimited number of progressive scans. However, it is hard to imagine any real-world application needing more than 100. Therefore, limiting the number to 1,000 before exiting with an error should avoid this problem while not preventing the decoding of any legal, non-hostile JPEGs.

External references:

https://docs.google.com/document/d/17exDyGr2txYJ5Ntv4Q8B3MnLSvbcSfs5dje_xuDZPNA
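The scan limit from the mitigation, written as a pre-decode check (an added example, not libjpeg-turbo's code or the reporter's): it walks the marker segments of a JPEG byte stream and gives up as soon as more than `MAX_SCANS` start-of-scan (SOS) markers have been seen. The names `jpeg_count_scans`, `make_sample` and `MAX_SCANS` are assumptions, and the sample stream is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SCANS 1000 /* limit proposed in the mitigation above */

/* Returns the number of SOS (start-of-scan) markers, -1 if the stream is
 * malformed or truncated, -2 as soon as the count exceeds max_scans. */
long jpeg_count_scans(const uint8_t *buf, size_t len, long max_scans)
{
    size_t i = 2; long scans = 0;
    if (len < 4 || buf[0] != 0xFF || buf[1] != 0xD8) return -1; /* SOI */
    while (i + 1 < len) {
        if (buf[i] != 0xFF) return -1;               /* expected a marker */
        uint8_t m = buf[i + 1];
        if (m == 0xFF) { i++; continue; }            /* fill byte */
        i += 2;
        if (m == 0xD9) return scans;                 /* EOI */
        if (m == 0x01 || (m & 0xF8) == 0xD0) continue; /* TEM, RSTn: no payload */
        if (len - i < 2) return -1;
        size_t seglen = ((size_t)buf[i] << 8) | buf[i + 1];
        if (seglen < 2 || seglen > len - i) return -1;
        i += seglen;
        if (m != 0xDA) continue;                     /* not SOS */
        if (++scans > max_scans) return -2;          /* refuse before decoding */
        /* Skip entropy-coded data; FF00 (stuffing) and FFD0..D7 (RSTn) stay in the scan. */
        for (; i + 1 < len; i++)
            if (buf[i] == 0xFF && buf[i + 1] != 0x00 && (buf[i + 1] & 0xF8) != 0xD0) break;
    }
    return -1; /* ran out of data without EOI */
}

/* Constructed sample (not decodable): SOI, nscans minimal SOS segments, EOI.
 * The caller supplies at least 4 + 13 * nscans bytes. */
size_t make_sample(uint8_t *p, long nscans)
{
    static const uint8_t sos[] = {0xFF,0xDA,0,8,1,1,0,1,0x3F,0, 0xA5,0xFF,0x00};
    size_t n = 0;
    p[n++] = 0xFF; p[n++] = 0xD8;
    for (long s = 0; s < nscans; s++, n += sizeof sos)
        memcpy(p + n, sos, sizeof sos);
    p[n++] = 0xFF; p[n++] = 0xD9;
    return n;
}

int main(void)
{
    static uint8_t img[4 + 13 * 80000];              /* 80,000 scans, as in the report */
    size_t len = make_sample(img, 80000);
    printf("%ld\n", jpeg_count_scans(img, len, MAX_SCANS));
    return 0;
}
```

The check only counts scans; it does not validate the scan headers or decode anything, so a return value at or below the limit says nothing else about the file.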
Created libjpeg-turbo tracking bugs for this issue: Affects: fedora-all [bug 1344218]
Created mingw-libjpeg-turbo tracking bugs for this issue: Affects: fedora-all [bug 1344220]