Can simply decompressing a JPEG image trigger an exploit?

Is there such a thing?

Absolutely. Feeding malicious input to a parser is one of the most common ways of creating an exploit (and, for a JPEG, "decompression" is "parsing").

Is this description based on some real exploit?

It might be based on the Microsoft Windows GDI+ buffer overflow vulnerability:

There is a buffer overflow vulnerability in the way the JPEG parsing component of GDI+ (Gdiplus.dll) handles malformed JPEG images. By introducing a specially crafted JPEG file to the vulnerable component, a remote attacker could trigger a buffer overflow condition.

...

A remote, unauthenticated attacker could potentially execute arbitrary code on a vulnerable system by introducing a specially crafted JPEG file. This malicious JPEG image may be introduced to the system via a malicious web page, HTML email, or an email attachment.


This was published in December 2006.

The GDI+ JPEG parsing vulnerability was published in September 2004.

Is it sensible to say "the operating system" was decompressing the image to render it?

Sure; in this case, it was a system library that required an OS vendor patch to correct it. Often such libraries are used by multiple software packages, making them part of the operating system rather than application-specific.

In actuality, "the email application invoked a system library to parse a JPEG," but "the operating system" is close enough for a novel.


Agreeing with others to say yes, this is totally possible, but also to add an interesting anecdote:

Joshua Drake (@jduck) discovered a bug based on a very similar concept (images being interpreted by the OS) which ended up being named "Stagefright", and affected a ridiculous number of Android devices.

He also discovered a similar image-based bug in libpng that would cause certain devices to crash. He tweeted an example of the exploit basically saying "Hey, check out this cool malicious PNG I made, it'll probably crash your device", without realising that Twitter had added automatic rendering of inline images. Needless to say, a lot of his followers started having their machines crash the instant the browser tried to load the image thumbnail in their feed.


Unrealistic? There was a recent critical bug in font definition parsing: https://technet.microsoft.com/en-us/library/security/ms15-078.aspx and libjpeg change notes are full of security advisories. Parsing files[1] is hard: overflows, underflows, out-of-bounds access. Recently there were many fuzzing tools developed for semi-automatic detection of input that can cause a crash.

[1] or network packets, XML or even SQL queries.
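An added example (not code from any answer here, and not the GDI+ implementation) of the parsing hazard these answers describe: a JPEG marker-segment walker in C that treats the 16-bit length field of every segment as untrusted input and checks it against the bytes actually present, which is the check whose absence produces this bug class. The byte arrays are constructed minimal headers, not real files.

```c
#include <stddef.h>
#include <stdint.h>

/* Walk the marker segments of a JPEG header up to SOS or EOI and return how
 * many length-prefixed segments were seen, or -1 if the data is not a JPEG,
 * is truncated, or declares a segment length that runs past the buffer.
 * Every length comes from the file, so it is checked before it is trusted. */
int jpeg_count_segments(const uint8_t *buf, size_t len)
{
    size_t pos = 2, seglen;
    int count = 0;
    uint8_t marker;

    if (len < 2 || buf[0] != 0xFF || buf[1] != 0xD8)
        return -1;                  /* no SOI marker: not a JPEG */
    while (pos + 2 <= len) {
        if (buf[pos] != 0xFF)
            return -1;              /* lost marker sync */
        marker = buf[pos + 1];
        if (marker == 0xD9 || marker == 0xDA)
            return count;           /* EOI, or SOS: entropy-coded data follows */
        if (marker == 0x01 || (marker >= 0xD0 && marker <= 0xD7)) {
            pos += 2;               /* TEM and RSTn markers carry no length */
            continue;
        }
        if (pos + 4 > len)
            return -1;              /* marker present but its length is cut off */
        seglen = ((size_t)buf[pos + 2] << 8) | buf[pos + 3];
        if (seglen < 2)
            return -1;              /* length includes its own two bytes */
        /* This is the check whose absence gives the bug class the answers
         * describe: the declared length is compared with the bytes that
         * really remain before anything is copied or indexed. */
        if (seglen > len - (pos + 2))
            return -1;
        pos += 2 + seglen;
        count++;
    }
    return -1;                      /* ran out of bytes before SOS/EOI */
}

/* Constructed minimal headers (not real files): SOI, APP0, COM, then SOS. */
static const uint8_t kGoodJpeg[] = { 0xFF,0xD8, 0xFF,0xE0,0x00,0x04,'J','F',
                                     0xFF,0xFE,0x00,0x05,'h','i','!', 0xFF,0xDA };
/* COM segment claiming 65535 bytes while only one payload byte follows. */
static const uint8_t kOversized[] = { 0xFF,0xD8, 0xFF,0xFE,0xFF,0xFF,'x' };
/* APP0 marker whose length field is cut off. */
static const uint8_t kTruncated[] = { 0xFF,0xD8, 0xFF,0xE0 };
```

The walker deliberately stops at SOS, since the entropy-coded data after it is framed by markers rather than length fields and needs a different scanner.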