Backport of the upstream commit:
From 142245b9bbb33274a7c620aa7a8f85bc00b2d68e Mon Sep 17 00:00:00 2001
From: Richard Hughes <richard@hughsie.com>
Date: Mon, 19 Sep 2016 10:03:36 +0100
Subject: [PATCH] CVE-2016-2116
diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_icc.c jasper-1.900.1/src/libjasper/base/jas_icc.c
--- jasper-1.900.1.orig/src/libjasper/base/jas_icc.c 2017-03-24 14:06:15.000000000 +0100
+++ jasper-1.900.1/src/libjasper/base/jas_icc.c 2017-03-24 14:06:34.000000000 +0100
@@ -1692,6 +1692,8 @@ jas_iccprof_t *jas_iccprof_createfrombuf
jas_stream_close(in);
return prof;
error:
+ if (in)
+ jas_stream_close(in);
return 0;
}