Catch libjpeg errors in tjDecompressToYUV2()

Even though tjDecompressToYUV2() is mostly just a wrapper for
tjDecompressToYUVPlanes(), tjDecompressToYUV2() still calls
jpeg_read_header(), so it needs to properly set up the libjpeg error
handler prior to making this call.  Otherwise, under very esoteric (and
arguably incorrect) use cases, a program can call tjDecompressToYUV2()
without first checking the JPEG header using tjDecompressHeader3(), and
if the header is corrupt, tjDecompressToYUV2() will abort without
triggering an error.

Fixes flutter#72

Author: dcommander

ChangeLog.md

@@ -19,6 +19,13 @@ included a similar fix for ASCII PPM/PGM files.  Note that these issues were
 not security bugs, since they were confined to the cjpeg program and did not
 affect any of the libjpeg-turbo libraries.
 
+4. Fixed an issue whereby attempting to decompress a JPEG file with a corrupt
+header using the `tjDecompressToYUV2()` function would cause the function to
+abort without returning an error.  This only occurred if `tjDecompressToYUV2()`
+was called prior to calling `tjDecompressHeader3()`, or if the return value
+from `tjDecompressHeader3()` was ignored (both cases represent incorrect usage
+of the TurboJPEG API.)
+
 
 1.4.90 (1.5 beta1)
 ==================

turbojpeg.c

@@ -1892,6 +1892,12 @@ DLLEXPORT int DLLCALL tjDecompressToYUV2(tjhandle handle,
 		|| !isPow2(pad) || height<0)
 		_throw("tjDecompressToYUV2(): Invalid argument");
 
+	if(setjmp(this->jerr.setjmp_buffer))
+	{
+		/* If we get here, the JPEG code has signaled an error. */
+		return -1;
+	}
+
 	jpeg_mem_src_tj(dinfo, jpegBuf, jpegSize);
 	jpeg_read_header(dinfo, TRUE);
 	jpegSubsamp=getSubsamp(dinfo);