I don't know about jpeg, but there was a bmp buffer exploit some time
ago that could be used to infect Microsoft systems.

In article ,
says...
codepath wrote:

I even heard recently that there is a new virus that gets
imbedded into JPG files. If that is true (I have not confirmed
it), then all of the Internet is vulnerable.

Oh my! Since JPEG files aren't ever executed, this would indicate
that at least /one/ vendor's JPEG decoder fails to check for
improperly or maliciously formatted image files, which failure
exposes all of their customers to whatever damage any virus
hacker might choose to inflict.

Hmm. I wonder which software producer would be so careless of
quality and so unconcerned with the welfare of their customers?

I am here at Microsoft, doing my part to fix security issues
in my product and to keep others motivated to do the same.

How could I possibly not have known! I suppose this means I'll
have to install Linux on this (SWMBO's) machine, too...