diff --git a/BUILDING.md b/BUILDING.md
index c9f64684..eeb36bea 100644
--- a/BUILDING.md
+++ b/BUILDING.md
@@ -535,7 +535,10 @@ needs.
     # It should not be necessary to modify the rest
     HOST=arm-linux-androideabi
     SYSROOT=${NDK_PATH}/platforms/android-${ANDROID_VERSION}/arch-arm
-    export CFLAGS="-march=armv7-a -mfloat-abi=softfp -fprefetch-loop-arrays --sysroot=${SYSROOT}"
+    export CFLAGS="-march=armv7-a -mfloat-abi=softfp -fprefetch-loop-arrays \
+      -D__ANDROID_API__=${ANDROID_VERSION} --sysroot=${SYSROOT} \
+      -isystem ${NDK_PATH}/sysroot/usr/include \
+      -isystem ${NDK_PATH}/sysroot/usr/include/${HOST}"
     export LDFLAGS=-pie
     TOOLCHAIN=${NDK_PATH}/toolchains/${HOST}-${TOOLCHAIN_VERSION}/prebuilt/${BUILD_PLATFORM}
 
@@ -570,7 +573,9 @@ needs.
     # It should not be necessary to modify the rest
     HOST=aarch64-linux-android
     SYSROOT=${NDK_PATH}/platforms/android-${ANDROID_VERSION}/arch-arm64
-    export CFLAGS="--sysroot=${SYSROOT}"
+    export CFLAGS="-D__ANDROID_API__=${ANDROID_VERSION} --sysroot=${SYSROOT} \
+      -isystem ${NDK_PATH}/sysroot/usr/include \
+      -isystem ${NDK_PATH}/sysroot/usr/include/${HOST}"
     export LDFLAGS=-pie
     TOOLCHAIN=${NDK_PATH}/toolchains/${HOST}-${TOOLCHAIN_VERSION}/prebuilt/${BUILD_PLATFORM}
 
@@ -605,7 +610,9 @@ needs.
     # It should not be necessary to modify the rest
     HOST=i686-linux-android
     SYSROOT=${NDK_PATH}/platforms/android-${ANDROID_VERSION}/arch-x86
-    export CFLAGS="--sysroot=${SYSROOT}"
+    export CFLAGS="-D__ANDROID_API__=${ANDROID_VERSION} --sysroot=${SYSROOT} \
+      -isystem ${NDK_PATH}/sysroot/usr/include \
+      -isystem ${NDK_PATH}/sysroot/usr/include/${HOST}"
     export LDFLAGS=-pie
     TOOLCHAIN=${NDK_PATH}/toolchains/x86-${TOOLCHAIN_VERSION}/prebuilt/${BUILD_PLATFORM}
 
@@ -640,7 +647,9 @@ needs.
     # It should not be necessary to modify the rest
     HOST=x86_64-linux-android
     SYSROOT=${NDK_PATH}/platforms/android-${ANDROID_VERSION}/arch-x86_64
-    export CFLAGS="--sysroot=${SYSROOT}"
+    export CFLAGS="-D__ANDROID_API__=${ANDROID_VERSION} --sysroot=${SYSROOT} \
+      -isystem ${NDK_PATH}/sysroot/usr/include \
+      -isystem ${NDK_PATH}/sysroot/usr/include/${HOST}"
     export LDFLAGS=-pie
     TOOLCHAIN=${NDK_PATH}/toolchains/x86_64-${TOOLCHAIN_VERSION}/prebuilt/${BUILD_PLATFORM}
 
diff --git a/ChangeLog.md b/ChangeLog.md
index 9f87a568..28ace131 100644
--- a/ChangeLog.md
+++ b/ChangeLog.md
@@ -95,6 +95,12 @@ has red, green, blue, and alpha components.
 TurboJPEG C API.  This example mirrors the functionality of TJExample.java.
 Both files are now included in the libjpeg-turbo documentation.
 
+10. Fixed two signed integer overflows in the arithmetic decoder, detected by
+the Clang undefined behavior sanitizer, that could be triggered by attempting
+to decompress a specially-crafted malformed JPEG image.  These issues did not
+pose a security threat, but removing the warnings makes it easier to detect
+actual security issues, should they arise in the future.
+
 
 1.5.3
 =====
diff --git a/doxygen-extra.css b/doxygen-extra.css
index 5abbcc21..f1bd4c26 100644
--- a/doxygen-extra.css
+++ b/doxygen-extra.css
@@ -1,3 +1,3 @@
 code {
-	color: #4665A2; 
+	color: #4665A2;
 }
diff --git a/jdarith.c b/jdarith.c
index ce0f9209..0f560f65 100644
--- a/jdarith.c
+++ b/jdarith.c
@@ -4,7 +4,7 @@
  * This file was part of the Independent JPEG Group's software:
  * Developed 1997-2015 by Guido Vollbeding.
  * libjpeg-turbo Modifications:
- * Copyright (C) 2015-2016, D. R. Commander.
+ * Copyright (C) 2015-2017, D. R. Commander.
  * For conditions of distribution and use, see the accompanying README.ijg
  * file.
  *
@@ -306,7 +306,7 @@ decode_mcu_DC_first (j_decompress_ptr cinfo, JBLOCKROW *MCU_data)
       while (m >>= 1)
         if (arith_decode(cinfo, st)) v |= m;
       v += 1; if (sign) v = -v;
-      entropy->last_dc_val[ci] += v;
+      entropy->last_dc_val[ci] = (entropy->last_dc_val[ci] + v) & 0xffff;
     }
 
     /* Scale and output the DC coefficient (assumes jpeg_natural_order[0]=0) */
@@ -564,7 +564,7 @@ decode_mcu (j_decompress_ptr cinfo, JBLOCKROW *MCU_data)
       while (m >>= 1)
         if (arith_decode(cinfo, st)) v |= m;
       v += 1; if (sign) v = -v;
-      entropy->last_dc_val[ci] += v;
+      entropy->last_dc_val[ci] = (entropy->last_dc_val[ci] + v) & 0xffff;
     }
 
     if (block)
diff --git a/turbojpeg.c b/turbojpeg.c
index 41d06114..6aea2326 100644
--- a/turbojpeg.c
+++ b/turbojpeg.c
@@ -229,7 +229,7 @@ static int setCompDefaults(struct jpeg_compress_struct *cinfo,
 #ifndef NO_GETENV
 	if((env=getenv("TJ_OPTIMIZE"))!=NULL && strlen(env)>0 && !strcmp(env, "1"))
 		cinfo->optimize_coding=TRUE;
-	if((env=getenv("TJ_ARITHMETIC"))!=NULL && strlen(env)>0	&& !strcmp(env, "1"))
+	if((env=getenv("TJ_ARITHMETIC"))!=NULL && strlen(env)>0 && !strcmp(env, "1"))
 		cinfo->arith_code=TRUE;
 	if((env=getenv("TJ_RESTART"))!=NULL && strlen(env)>0)
 	{