libjpeg-turbo 2.0.1 has a heap-based buffer over-read in the put_pixel_rows function in wrbmp.c, as demonstrated by djpeg. https://nvd.nist.gov/vuln/detail/CVE-2018-19664