I was fount that JasPer allows attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted image, related to the jp2_decode function in libjasper/jp2/jp2_dec.c.
Upstream issue:
https://github.com/mdadams/jasper/issues/140
Created jasper tracking bugs for this issue:
Affects: fedora-all [bug 1463998]
Created mingw-jasper tracking bugs for this issue:
Affects: epel-7 [bug 1463997]
Affects: fedora-all [bug 1463999]