jasper is an open-source initiative to provide a free software-based reference implementation of the codec specified in the JPEG-2000 Part-1 standard.
The undefined behavior sanitizer shows a signed integer overflow in jas_image.c
As you can see, the commit which fixes the issue is not a fix itself for the signed integer overflow, but changed a bit how, in jasper, the things work.
The complete UBSan output:
# imginfo -f $FILE /tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/base/jas_image.c:162:49: runtime error: signed integer overflow: 8543608947741818625 * 15 cannot be represented in type 'long'
This bug was discovered by Agostino Sarubbo of Gentoo.
2016-10-29: bug discovered and reported to upstream
2016-11-12: upstream released a patch and 1.900.25
2016-11-19: blog post about the issue
2016-11-23: CVE assigned
This bug was found with American Fuzzy Lop.