The JPEG format allows for encoding very large images using a very small number of bytes, if you have no interest in whether those images actually depict anything interesting. Cure53 demonstrated that it is possible to create a 102-byte image, approximately 250 megapixels in size, which requires 1GB of memory to decode, but this image is not a legal JPEG image and will cause warnings to be thrown by most JPEG decoders, including libjpeg and libjpeg-turbo. However, it is also possible to generate fully legal JPEG images that occupy less than 2MB of storage but still require 1GB of memory to decode.

Mitigation:

Because these images are entirely legal, they cannot be detected and discarded by a conforming JPEG implementation. Therefore, the only way to deal with this in applications which process untrusted JPEGs is to place limits on the size of the image one is willing to process. However, such limits should not be coded in a way which makes them hard to change; as memory gets cheaper and camera technology improves, it will be necessary for applications to handle larger and larger JPEG images.

External references:

https://docs.google.com/document/d/17exDyGr2txYJ5Ntv4Q8B3MnLSvbcSfs5dje_xuDZPNA
Created libjpeg-turbo tracking bugs for this issue: Affects: fedora-all [bug 1344218]
Created mingw-libjpeg-turbo tracking bugs for this issue: Affects: fedora-all [bug 1344220]