diff --git a/2cd30c2b06ce332dede81cccad8b334cde997281.patch b/2cd30c2b06ce332dede81cccad8b334cde997281.patch
new file mode 100644
index 0000000..dd9183d
--- /dev/null
+++ b/2cd30c2b06ce332dede81cccad8b334cde997281.patch
@@ -0,0 +1,80 @@
+From 2cd30c2b06ce332dede81cccad8b334cde997281 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Thu, 17 Aug 2017 11:47:40 +0200
+Subject: [PATCH] tgatoimage(): avoid excessive memory allocation attempt, and
+ fixes unaligned load (#995)
+
+---
+ src/bin/jp2/convert.c | 39 +++++++++++++++++++++++++++------------
+ 1 file changed, 27 insertions(+), 12 deletions(-)
+
+diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c
+index a4eb81f6a..73dfc8d5f 100644
+--- a/src/bin/jp2/convert.c
++++ b/src/bin/jp2/convert.c
+@@ -580,13 +580,10 @@ struct tga_header {
+ };
+ #endif /* INFORMATION_ONLY */
+ 
+-static unsigned short get_ushort(const unsigned char *data)
++/* Returns a ushort from a little-endian serialized value */
++static unsigned short get_tga_ushort(const unsigned char *data)
+ {
+-    unsigned short val = *(const unsigned short *)data;
+-#ifdef OPJ_BIG_ENDIAN
+-    val = ((val & 0xffU) << 8) | (val >> 8);
+-#endif
+-    return val;
++    return data[0] | (data[1] << 8);
+ }
+ 
+ #define TGA_HEADER_SIZE 18
+@@ -613,17 +610,17 @@ static int tga_readheader(FILE *fp, unsigned int *bits_per_pixel,
+     id_len = tga[0];
+     /*cmap_type = tga[1];*/
+     image_type = tga[2];
+-    /*cmap_index = get_ushort(&tga[3]);*/
+-    cmap_len = get_ushort(&tga[5]);
++    /*cmap_index = get_tga_ushort(&tga[3]);*/
++    cmap_len = get_tga_ushort(&tga[5]);
+     cmap_entry_size = tga[7];
+ 
+ 
+ #if 0
+-    x_origin = get_ushort(&tga[8]);
+-    y_origin = get_ushort(&tga[10]);
++    x_origin = get_tga_ushort(&tga[8]);
++    y_origin = get_tga_ushort(&tga[10]);
+ #endif
+-    image_w = get_ushort(&tga[12]);
+-    image_h = get_ushort(&tga[14]);
++    image_w = get_tga_ushort(&tga[12]);
++    image_h = get_tga_ushort(&tga[14]);
+     pixel_depth = tga[16];
+     image_desc  = tga[17];
+ 
+@@ -817,6 +814,24 @@ opj_image_t* tgatoimage(const char *filename, opj_cparameters_t *parameters)
+         color_space = OPJ_CLRSPC_SRGB;
+     }
+ 
++    /* If the declared file size is > 10 MB, check that the file is big */
++    /* enough to avoid excessive memory allocations */
++    if (image_height != 0 && image_width > 10000000 / image_height / numcomps) {
++        char ch;
++        OPJ_UINT64 expected_file_size =
++            (OPJ_UINT64)image_width * image_height * numcomps;
++        long curpos = ftell(f);
++        if (expected_file_size > (OPJ_UINT64)INT_MAX) {
++            expected_file_size = (OPJ_UINT64)INT_MAX;
++        }
++        fseek(f, (long)expected_file_size - 1, SEEK_SET);
++        if (fread(&ch, 1, 1, f) != 1) {
++            fclose(f);
++            return NULL;
++        }
++        fseek(f, curpos, SEEK_SET);
++    }
++
+     subsampling_dx = parameters->subsampling_dx;
+     subsampling_dy = parameters->subsampling_dy;
+ 
diff --git a/4241ae6fbbf1de9658764a80944dc8108f2b4154.patch b/4241ae6fbbf1de9658764a80944dc8108f2b4154.patch
new file mode 100644
index 0000000..d165090
--- /dev/null
+++ b/4241ae6fbbf1de9658764a80944dc8108f2b4154.patch
@@ -0,0 +1,35 @@
+From 4241ae6fbbf1de9658764a80944dc8108f2b4154 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Tue, 15 Aug 2017 11:55:58 +0200
+Subject: [PATCH] Fix assertion in debug mode / heap-based buffer overflow in
+ opj_write_bytes_LE for Cinema profiles with numresolutions = 1 (#985)
+
+---
+ src/lib/openjp2/j2k.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
+index a2521ebbc..54b490a8c 100644
+--- a/src/lib/openjp2/j2k.c
++++ b/src/lib/openjp2/j2k.c
+@@ -6573,10 +6573,16 @@ static void opj_j2k_set_cinema_parameters(opj_cparameters_t *parameters,
+ 
+     /* Precincts */
+     parameters->csty |= 0x01;
+-    parameters->res_spec = parameters->numresolution - 1;
+-    for (i = 0; i < parameters->res_spec; i++) {
+-        parameters->prcw_init[i] = 256;
+-        parameters->prch_init[i] = 256;
++    if (parameters->numresolution == 1) {
++        parameters->res_spec = 1;
++        parameters->prcw_init[0] = 128;
++        parameters->prch_init[0] = 128;
++    } else {
++        parameters->res_spec = parameters->numresolution - 1;
++        for (i = 0; i < parameters->res_spec; i++) {
++            parameters->prcw_init[i] = 256;
++            parameters->prch_init[i] = 256;
++        }
+     }
+ 
+     /* The progression order shall be CPRL */
diff --git a/afb308b9ccbe129608c9205cf3bb39bbefad90b9.patch b/afb308b9ccbe129608c9205cf3bb39bbefad90b9.patch
new file mode 100644
index 0000000..c8a1fd6
--- /dev/null
+++ b/afb308b9ccbe129608c9205cf3bb39bbefad90b9.patch
@@ -0,0 +1,43 @@
+From afb308b9ccbe129608c9205cf3bb39bbefad90b9 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Mon, 14 Aug 2017 17:20:37 +0200
+Subject: [PATCH] Encoder: grow buffer size in
+ opj_tcd_code_block_enc_allocate_data() to avoid write heap buffer overflow in
+ opj_mqc_flush (#982)
+
+---
+ src/lib/openjp2/tcd.c                   | 7 +++++--
+ tests/nonregression/test_suite.ctest.in | 2 ++
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/src/lib/openjp2/tcd.c b/src/lib/openjp2/tcd.c
+index 301c7213e..53cdcf64d 100644
+--- a/src/lib/openjp2/tcd.c
++++ b/src/lib/openjp2/tcd.c
+@@ -1187,8 +1187,11 @@ static OPJ_BOOL opj_tcd_code_block_enc_allocate_data(opj_tcd_cblk_enc_t *
+ {
+     OPJ_UINT32 l_data_size;
+ 
+-    /* The +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */
+-    l_data_size = 1 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *
++    /* +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */
++    /* and actually +2 required for https://github.com/uclouvain/openjpeg/issues/982 */
++    /* TODO: is there a theoretical upper-bound for the compressed code */
++    /* block size ? */
++    l_data_size = 2 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *
+                                    (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32));
+ 
+     if (l_data_size > p_code_block->data_size) {
+diff --git a/tests/nonregression/test_suite.ctest.in b/tests/nonregression/test_suite.ctest.in
+index aaf40d7d0..ffd964c2a 100644
+--- a/tests/nonregression/test_suite.ctest.in
++++ b/tests/nonregression/test_suite.ctest.in
+@@ -169,6 +169,8 @@ opj_compress -i @INPUT_NR_PATH@/Bretagne2.ppm -o @TEMP_PATH@/Bretagne2_empty_ban
+ # Same rate as Bretagne2_4.j2k
+ opj_compress -i @INPUT_NR_PATH@/Bretagne2.ppm -o @TEMP_PATH@/Bretagne2_empty_band_r800.j2k -t 2591,1943 -n 2 -r 800
+ 
++opj_compress -i @INPUT_NR_PATH@/issue982.bmp -o @TEMP_PATH@/issue982.j2k -n 1
++
+ # DECODER TEST SUITE
+ opj_decompress -i  @INPUT_NR_PATH@/Bretagne2.j2k -o @TEMP_PATH@/Bretagne2.j2k.pgx
+ opj_decompress -i  @INPUT_NR_PATH@/_00042.j2k -o @TEMP_PATH@/_00042.j2k.pgx
diff --git a/e5285319229a5d77bf316bb0d3a6cbd3cb8666d9.patch b/e5285319229a5d77bf316bb0d3a6cbd3cb8666d9.patch
new file mode 100644
index 0000000..ebfe1ad
--- /dev/null
+++ b/e5285319229a5d77bf316bb0d3a6cbd3cb8666d9.patch
@@ -0,0 +1,22 @@
+From e5285319229a5d77bf316bb0d3a6cbd3cb8666d9 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Fri, 18 Aug 2017 13:39:20 +0200
+Subject: [PATCH] pgxtoimage(): fix write stack buffer overflow (#997)
+
+---
+ src/bin/jp2/convert.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c
+index 5459f7d44..e606c9be7 100644
+--- a/src/bin/jp2/convert.c
++++ b/src/bin/jp2/convert.c
+@@ -1185,7 +1185,7 @@ opj_image_t* pgxtoimage(const char *filename, opj_cparameters_t *parameters)
+     }
+ 
+     fseek(f, 0, SEEK_SET);
+-    if (fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d", temp, &endian1,
++    if (fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d", temp, &endian1,
+                &endian2, signtmp, &prec, temp, &w, temp, &h) != 9) {
+         fclose(f);
+         fprintf(stderr,
diff --git a/openjpeg2.spec b/openjpeg2.spec
index 6424eac..653ae87 100644
--- a/openjpeg2.spec
+++ b/openjpeg2.spec
@@ -5,7 +5,7 @@
 
 Name:           openjpeg2
 Version:        2.2.0
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        C-Library for JPEG 2000
 
 # windirent.h is MIT, the rest is BSD
@@ -19,8 +19,16 @@ Source1:        data.tar.xz
 
 # Remove bundled libraries
 Patch0:         openjpeg2_remove-thirdparty.patch
-# Backport: bmp_read_info_header(): reject bmp files with biBitCount == 0 (CVE-2017-12982)
+# Backport fix for CVE-2017-12982
 Patch1:         baf0c1ad4572daa89caa3b12985bdd93530f0dd7.patch
+# Backport fix for CVE-2017-14041
+Patch2:         e5285319229a5d77bf316bb0d3a6cbd3cb8666d9.patch
+# Backport fix for CVE-2017-14040
+Patch3:         2cd30c2b06ce332dede81cccad8b334cde997281.patch
+# Backport fix for Heap-based buffer overflow in opj_write_bytes_LE in cio.c
+Patch4:         4241ae6fbbf1de9658764a80944dc8108f2b4154.patch
+# Backport fix for Heap-based buffer overflow in opj_mqc_flush in mqc.c
+Patch5:         afb308b9ccbe129608c9205cf3bb39bbefad90b9.patch
 
 BuildRequires:  cmake
 BuildRequires:  zlib-devel
@@ -328,6 +336,9 @@ make test -C %{_target_platform}
 
 
 %changelog
+* Thu Aug 31 2017 Sandro Mani <manisandro@gmail.com> - 2.2.0-3
+- Backport more security fixes, including for CVE-2017-14041 and CVE-2017-14040
+
 * Thu Aug 31 2017 Sandro Mani <manisandro@gmail.com> - 2.2.0-2
 - Backport patch for CVE-2017-12982