There are good decoders, and open source decoders, but not good open source decoders.
Mozilla's comments were 12 years ago. The patent situation has improved, with most patents expired. That would have to be checked, of course.
It's too bad that none of the C to Rust transpilers generate safe Rust. Corrade, etc, would generate unsafe Rust code with the same subscript and pointer bugs. Useful automatic translation of C to Rust requires something which can deduce from C code how big arrays are supposed to be. As far as I know, nobody has done that yet. Decoders like the one for JPEG 2000 involve pulling array indices from the input data and using them as subscripts into tables. That's the worst case for buffer overflows. Great use case for safe Rust, if anyone does the job.
Current workaround: Run
opj_decompress -i signboard.j2k -o signboard.png
in a subprocess. Standard Ubuntu utility. If it crashes, it only takes down the subprocess instance.