There are other potential attack vectors than buffer overflows, though that seems the most likely source of vulnerabilities if you're going to limit images to JPG or PNG.

Of course now you're not only prohibiting third party resources except images, you're even prohibiting modern image formats like SVG, which is a little ironic since SVG-based ads might be smaller and/or look cleaner than equivalent bitmaps.