jpeg loader: crash when the original size is too big for a cairo surface

Iterate over the cairo surface dimensions instead of the
original dimensions when copying the pixels into the cairo
surface.

extensions/cairo_io/cairo-image-surface-jpeg.c

@@ -304,7 +304,7 @@ _cairo_image_surface_create_from_jpeg (GInputStream  *istream,
 			CMYK_table_init ();
 			cmyk_tab = CMYK_Tab;
 
-			while (srcinfo.output_scanline < srcinfo.output_height) {
+			while (srcinfo.output_scanline < destination_height) {
 				if (g_cancellable_is_cancelled (cancellable))
 					goto stop_loading;
 
@@ -318,7 +318,7 @@ _cairo_image_surface_create_from_jpeg (GInputStream  *istream,
 					if (g_cancellable_is_cancelled (cancellable))
 						goto stop_loading;
 
-					for (x = 0; x < srcinfo.output_width; x++) {
+					for (x = 0; x < destination_width; x++) {
 						if (srcinfo.saw_Adobe_marker) {
 							c = p_buffer[0];
 							m = p_buffer[1];
@@ -352,7 +352,7 @@ _cairo_image_surface_create_from_jpeg (GInputStream  *istream,
 
 	case JCS_GRAYSCALE:
 		{
-			while (srcinfo.output_scanline < srcinfo.output_height) {
+			while (srcinfo.output_scanline < destination_height) {
 				if (g_cancellable_is_cancelled (cancellable))
 					goto stop_loading;
 
@@ -366,7 +366,7 @@ _cairo_image_surface_create_from_jpeg (GInputStream  *istream,
 					if (g_cancellable_is_cancelled (cancellable))
 						goto stop_loading;
 
-					for (x = 0; x < srcinfo.output_width; x++) {
+					for (x = 0; x < destination_width; x++) {
 						r = g = b = p_buffer[0];
 						pixel = CAIRO_RGBA_TO_UINT32 (r, g, b, 0xff);
 						memcpy (p_surface, &pixel, sizeof (guint32));
@@ -384,7 +384,7 @@ _cairo_image_surface_create_from_jpeg (GInputStream  *istream,
 
 	case JCS_RGB:
 		{
-			while (srcinfo.output_scanline < srcinfo.output_height) {
+			while (srcinfo.output_scanline < destination_height) {
 				if (g_cancellable_is_cancelled (cancellable))
 					goto stop_loading;
 
@@ -398,7 +398,7 @@ _cairo_image_surface_create_from_jpeg (GInputStream  *istream,
 					if (g_cancellable_is_cancelled (cancellable))
 						goto stop_loading;
 
-					for (x = 0; x < srcinfo.output_width; x++) {
+					for (x = 0; x < destination_width; x++) {
 						r = p_buffer[0];
 						g = p_buffer[1];
 						b = p_buffer[2];
@@ -431,7 +431,7 @@ _cairo_image_surface_create_from_jpeg (GInputStream  *istream,
 			g_cr_tab = YCbCr_G_Cr_Tab;
 			b_cb_tab = YCbCr_B_Cb_Tab;
 
-			while (srcinfo.output_scanline < srcinfo.output_height) {
+			while (srcinfo.output_scanline < destination_height) {
 				if (g_cancellable_is_cancelled (cancellable))
 					goto stop_loading;
 
@@ -445,7 +445,7 @@ _cairo_image_surface_create_from_jpeg (GInputStream  *istream,
 					if (g_cancellable_is_cancelled (cancellable))
 						goto stop_loading;
 
-					for (x = 0; x < srcinfo.output_width; x++) {
+					for (x = 0; x < destination_width; x++) {
 						Y = p_buffer[0];
 						Cb = p_buffer[1];
 						Cr = p_buffer[2];
@@ -486,7 +486,7 @@ _cairo_image_surface_create_from_jpeg (GInputStream  *istream,
 			CMYK_table_init ();
 			cmyk_tab = CMYK_Tab;
 
-			while (srcinfo.output_scanline < srcinfo.output_height) {
+			while (srcinfo.output_scanline < destination_height) {
 				if (g_cancellable_is_cancelled (cancellable))
 					goto stop_loading;
 
@@ -500,7 +500,7 @@ _cairo_image_surface_create_from_jpeg (GInputStream  *istream,
 					if (g_cancellable_is_cancelled (cancellable))
 						goto stop_loading;
 
-					for (x = 0; x < srcinfo.output_width; x++) {
+					for (x = 0; x < destination_width; x++) {
 						Y = p_buffer[0];
 						Cb = p_buffer[1];
 						Cr = p_buffer[2];