diff --git a/component/jasper/CVE-2016-1867_CVE-2016-8654_CVE-2016-8691_CVE-2016-8692_CVE-2016-8693_CVE-2016-8882_CVE-2016-9560.patch b/component/jasper/CVE-2016-1867_CVE-2016-8654_CVE-2016-8691_CVE-2016-8692_CVE-2016-8693_CVE-2016-8882_CVE-2016-9560.patch
new file mode 100644
index 0000000000000000000000000000000000000000..dd177643bb825dade47e246161dccb700a5658df
--- /dev/null
+++ b/component/jasper/CVE-2016-1867_CVE-2016-8654_CVE-2016-8691_CVE-2016-8692_CVE-2016-8693_CVE-2016-8882_CVE-2016-9560.patch
@@ -0,0 +1,194 @@
+diff -Naur jasper-1.900.1-debian1.orig/src/libjasper/base/jas_stream.c jasper-1.900.1-debian1/src/libjasper/base/jas_stream.c
+--- jasper-1.900.1-debian1.orig/src/libjasper/base/jas_stream.c	2017-02-07 22:46:28.000000000 +0100
++++ jasper-1.900.1-debian1/src/libjasper/base/jas_stream.c	2017-02-07 22:46:07.040456152 +0100
+@@ -985,8 +985,9 @@
+ {
+ 	unsigned char *buf;
+ 
+-	assert(m->buf_);
+-	if (!(buf = jas_realloc(m->buf_, bufsize))) {
++	//assert(m->buf_);
++	assert(bufsize >= 0);
++	if (!(buf = jas_realloc(m->buf_, bufsize)) && bufsize) {
+ 		return -1;
+ 	}
+ 	m->buf_ = buf;
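Review bot: The new `assert(bufsize >= 0);` is the only guard against a negative size reaching `jas_realloc`, and it is compiled out when the library is built with NDEBUG. A runtime check such as `if (bufsize < 0) return -1;` would hold in release builds as well. With `bufsize == 0` a NULL result is now accepted and stored in `m->buf_`, and whether the old buffer has been released at that point depends on how the allocator treats a zero-size realloc, so a short comment stating the intended contract would help. The commented-out `//assert(m->buf_);` is better deleted than kept. The enclosing function starts and ends outside the hunk, so the declared type of `bufsize` is not visible here.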
+diff -Naur jasper-1.900.1-debian1.orig/src/libjasper/jpc/jpc_cs.c jasper-1.900.1-debian1/src/libjasper/jpc/jpc_cs.c
+--- jasper-1.900.1-debian1.orig/src/libjasper/jpc/jpc_cs.c	2017-02-07 22:46:28.000000000 +0100
++++ jasper-1.900.1-debian1/src/libjasper/jpc/jpc_cs.c	2017-02-07 22:46:02.168382641 +0100
+@@ -512,6 +512,16 @@
+ 			jas_free(siz->comps);
+ 			return -1;
+ 		}
++		if (siz->comps[i].hsamp == 0 || siz->comps[i].hsamp > 255) {
++			jas_eprintf("invalid XRsiz value %d\n", siz->comps[i].hsamp);
++			jas_free(siz->comps);
++			return -1;
++		}
++		if (siz->comps[i].vsamp == 0 || siz->comps[i].vsamp > 255) {
++			jas_eprintf("invalid YRsiz value %d\n", siz->comps[i].vsamp);
++			jas_free(siz->comps);
++			return -1;
++		}
+ 		siz->comps[i].sgnd = (tmp >> 7) & 1;
+ 		siz->comps[i].prec = (tmp & 0x7f) + 1;
+ 	}
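Review bot: If `hsamp` and `vsamp` are 8-bit fields (their declaration is outside this hunk), the `> 255` halves of both new tests can never be true and only the `== 0` comparison does any work. A one-line comment above the checks, for example `/* XRsiz and YRsiz must be in 1..255 */`, would make the intent explicit. The `%d` conversions are passed the fields directly; an explicit `(int)siz->comps[i].hsamp` keeps the format correct whatever the field's underlying type is. The surrounding loop and function continue outside the hunk.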
+diff -Naur jasper-1.900.1-debian1.orig/src/libjasper/jpc/jpc_dec.c jasper-1.900.1-debian1/src/libjasper/jpc/jpc_dec.c
+--- jasper-1.900.1-debian1.orig/src/libjasper/jpc/jpc_dec.c	2017-02-07 22:46:28.000000000 +0100
++++ jasper-1.900.1-debian1/src/libjasper/jpc/jpc_dec.c	2017-02-07 22:46:13.736555435 +0100
+@@ -674,7 +674,7 @@
+ 	uint_fast32_t tmpxend;
+ 	uint_fast32_t tmpyend;
+ 	jpc_dec_cp_t *cp;
+-	jpc_tsfb_band_t bnds[64];
++	jpc_tsfb_band_t bnds[JPC_MAXBANDS];
+ 	jpc_pchg_t *pchg;
+ 	int pchgno;
+ 	jpc_dec_cmpt_t *cmpt;
+@@ -989,23 +989,23 @@
+ }
+ 	if (tile->cp) {
+ 		jpc_dec_cp_destroy(tile->cp);
+-		tile->cp = 0;
++		//tile->cp = 0;
+ 	}
+ 	if (tile->tcomps) {
+ 		jas_free(tile->tcomps);
+-		tile->tcomps = 0;
++		//tile->tcomps = 0;
+ 	}
+ 	if (tile->pi) {
+ 		jpc_pi_destroy(tile->pi);
+-		tile->pi = 0;
++		//tile->pi = 0;
+ 	}
+ 	if (tile->pkthdrstream) {
+ 		jas_stream_close(tile->pkthdrstream);
+-		tile->pkthdrstream = 0;
++		//tile->pkthdrstream = 0;
+ 	}
+ 	if (tile->pptstab) {
+ 		jpc_ppxstab_destroy(tile->pptstab);
+-		tile->pptstab = 0;
++		//tile->pptstab = 0;
+ 	}
+ 
+ 	tile->state = JPC_TILE_DONE;
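Review bot: Commenting out the five resets leaves `tile->cp`, `tile->tcomps`, `tile->pi`, `tile->pkthdrstream` and `tile->pptstab` pointing at released objects once this cleanup has run. The only protection against a second release is then the `tile->state != JPC_TILE_DONE` test added in the `@@ -1148` hunk, so any other path that reaches this cleanup again (callers are not visible in this patch) would pass the `if (tile->cp)` style checks and free the same objects twice. Unless some later reader needs the stale values, restore the resets, e.g. `tile->cp = 0;` directly after `jpc_dec_cp_destroy(tile->cp);`, and keep the state check as a second layer. If the resets really have to go, delete the lines and explain why in a comment instead of leaving them commented out; the same applies to the `// OLD CODE:` line in the next hunk. The function's opening lines are outside this hunk.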
+@@ -1148,7 +1148,11 @@
+ 				return -1;
+ 			}
+ 		}
+-		jpc_dec_tilefini(dec, tile);
++		/* If the tile has not yet been finalized, finalize it. */
++		// OLD CODE: jpc_dec_tilefini(dec, tile);
++		if (tile->state != JPC_TILE_DONE) {
++			jpc_dec_tilefini(dec, tile);
++		}
+ 	}
+ 
+ 	/* We are done processing the code stream. */
+@@ -1204,6 +1208,8 @@
+ 	dec->numhtiles = JPC_CEILDIV(dec->xend - dec->tilexoff, dec->tilewidth);
+ 	dec->numvtiles = JPC_CEILDIV(dec->yend - dec->tileyoff, dec->tileheight);
+ 	dec->numtiles = dec->numhtiles * dec->numvtiles;
++	JAS_DBGLOG(10, ("numtiles = %d; numhtiles = %d; numvtiles = %d;\n",
++	  dec->numtiles, dec->numhtiles, dec->numvtiles));
+ 	if (!(dec->tiles = jas_alloc2(dec->numtiles, sizeof(jpc_dec_tile_t)))) {
+ 		return -1;
+ 	}
+@@ -1228,6 +1234,7 @@
+ 		tile->pkthdrstreampos = 0;
+ 		tile->pptstab = 0;
+ 		tile->cp = 0;
++		tile->pi = 0;
+ 		if (!(tile->tcomps = jas_alloc2(dec->numcomps,
+ 		  sizeof(jpc_dec_tcomp_t)))) {
+ 			return -1;
+diff -Naur jasper-1.900.1-debian1.orig/src/libjasper/jpc/jpc_qmfb.c jasper-1.900.1-debian1/src/libjasper/jpc/jpc_qmfb.c
+--- jasper-1.900.1-debian1.orig/src/libjasper/jpc/jpc_qmfb.c	2017-02-07 22:46:28.000000000 +0100
++++ jasper-1.900.1-debian1/src/libjasper/jpc/jpc_qmfb.c	2017-02-07 22:45:59.328339293 +0100
+@@ -372,7 +372,7 @@
+ 	register jpc_fix_t *dstptr;
+ 	register int n;
+ 	register int m;
+-	int hstartcol;
++	int hstartrow;
+ 
+ 	/* Get a buffer. */
+ 	if (bufsize > QMFB_SPLITBUFSIZE) {
+@@ -383,8 +383,9 @@
+ 	}
+ 
+ 	if (numrows >= 2) {
+-		hstartcol = (numrows + 1 - parity) >> 1;
+-		m = (parity) ? hstartcol : (numrows - hstartcol);
++		hstartrow = (numrows + 1 - parity) >> 1;
++		m = (parity) ? hstartrow : (numrows - hstartrow);
++
+ 		/* Save the samples destined for the highpass channel. */
+ 		n = m;
+ 		dstptr = buf;
+@@ -404,7 +405,7 @@
+ 			srcptr += stride << 1;
+ 		}
+ 		/* Copy the saved samples into the highpass channel. */
+-		dstptr = &a[hstartcol * stride];
++		dstptr = &a[hstartrow * stride];
+ 		srcptr = buf;
+ 		n = m;
+ 		while (n-- > 0) {
+@@ -435,19 +436,20 @@
+ 	register int n;
+ 	register int i;
+ 	int m;
+-	int hstartcol;
++	int hstartrow;
+ 
+ 	/* Get a buffer. */
+ 	if (bufsize > QMFB_SPLITBUFSIZE) {
+-		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
++                if (!(buf = jas_alloc3(bufsize, JPC_QMFB_COLGRPSIZE, sizeof(jpc_fix_t)))) {
+ 			/* We have no choice but to commit suicide in this case. */
+ 			abort();
+ 		}
+ 	}
+ 
+ 	if (numrows >= 2) {
+-		hstartcol = (numrows + 1 - parity) >> 1;
+-		m = (parity) ? hstartcol : (numrows - hstartcol);
++		hstartrow = (numrows + 1 - parity) >> 1;
++		m = (parity) ? hstartrow : (numrows - hstartrow);
++
+ 		/* Save the samples destined for the highpass channel. */
+ 		n = m;
+ 		dstptr = buf;
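Review bot: Both enlarged allocations, `jas_alloc3(bufsize, JPC_QMFB_COLGRPSIZE, sizeof(jpc_fix_t))` here and `jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t))` in the `@@ -520` hunk, still answer a NULL return with `abort()`, so a file whose dimensions make the request fail terminates the embedding process rather than failing the decode. Turning that into an error return needs changes to the enclosing functions and their callers, which lie outside these hunks, so at minimum a comment such as `/* TODO: propagate allocation failure instead of aborting */` would record the gap. The replaced `if (!(buf = jas_alloc3(...` line in this hunk is also indented with spaces where the neighbouring lines use tabs.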
+@@ -479,7 +481,7 @@
+ 			srcptr += stride << 1;
+ 		}
+ 		/* Copy the saved samples into the highpass channel. */
+-		dstptr = &a[hstartcol * stride];
++		dstptr = &a[hstartrow * stride];
+ 		srcptr = buf;
+ 		n = m;
+ 		while (n-- > 0) {
+@@ -520,7 +522,7 @@
+ 
+ 	/* Get a buffer. */
+ 	if (bufsize > QMFB_SPLITBUFSIZE) {
+-		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
++		if (!(buf = jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t)))) {
+ 			/* We have no choice but to commit suicide in this case. */
+ 			abort();
+ 		}
+diff -Naur jasper-1.900.1-debian1.orig/src/libjasper/jpc/jpc_t2cod.c jasper-1.900.1-debian1/src/libjasper/jpc/jpc_t2cod.c
+--- jasper-1.900.1-debian1.orig/src/libjasper/jpc/jpc_t2cod.c	2017-02-07 22:46:28.000000000 +0100
++++ jasper-1.900.1-debian1/src/libjasper/jpc/jpc_t2cod.c	2017-02-07 22:45:54.464331040 +0100
+@@ -429,7 +429,7 @@
+ 	}
+ 
+ 	for (pi->compno = pchg->compnostart, pi->picomp =
+-	  &pi->picomps[pi->compno]; pi->compno < JAS_CAST(int, pchg->compnoend); ++pi->compno,
++	  &pi->picomps[pi->compno]; pi->compno < JAS_CAST(int, pchg->compnoend) && pi->compno < pi->numcomps; ++pi->compno,
+ 	  ++pi->picomp) {
+ 		pirlvl = pi->picomp->pirlvls;
+ 		pi->xstep = pi->picomp->hsamp * (1 << (pirlvl->prcwidthexpn +
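Review bot: The added `pi->compno < pi->numcomps` bound is tested only after the loop initialiser has already formed `&pi->picomps[pi->compno]` from `pchg->compnostart`, so a start index past the array still computes an out-of-range pointer, even though the failing condition keeps it from being dereferenced. Checking `pchg->compnostart` and `pchg->compnoend` against `pi->numcomps` once, before the loop or where the progression change is accepted, would cover that and remove the need for a per-iterator clamp. A comment on the loop such as `/* compnoend comes from the code stream; never trust it beyond numcomps */` would explain the doubled condition. The loop body and the rest of the function lie outside the hunk, and whether the file's other progression iterators carry the same bound cannot be seen from here.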
diff --git a/component/jasper/buildout.cfg b/component/jasper/buildout.cfg
index 271c96c8859a30c9c1678319a21f0fbe8596da76..48e82f482fe4d1873a93357f82586d0de2894612 100644
--- a/component/jasper/buildout.cfg
+++ b/component/jasper/buildout.cfg
@@ -22,6 +22,7 @@ patches =
   ${:_profile_base_location_}/CVE-2016-1577.patch#bc970cf3e8535559454781ec54db2d15
   ${:_profile_base_location_}/CVE-2016-2089.patch#9b73eda015b04a6da493de89ce9b5685
   ${:_profile_base_location_}/CVE-2016-2116.patch#387df217963281827e006ab4f14f869a
+  ${:_profile_base_location_}/CVE-2016-1867_CVE-2016-8654_CVE-2016-8691_CVE-2016-8692_CVE-2016-8693_CVE-2016-8882_CVE-2016-9560.patch#0bcc58c823aa19ac4beef469d65dbb56
 configure-options =
   --disable-static
   --enable-shared