Version in base suite: 1.9.11-4+deb11u2 Base version: htmldoc_1.9.11-4+deb11u2 Target version: htmldoc_1.9.11-4+deb11u3 Base file: /srv/ftp-master.debian.org/ftp/pool/main/h/htmldoc/htmldoc_1.9.11-4+deb11u2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/h/htmldoc/htmldoc_1.9.11-4+deb11u3.dsc changelog | 18 ++++++++ patches/CVE-2022-24191.patch | 47 ++++++++++++++++++++++ patches/CVE-2022-27114.patch | 88 +++++++++++++++++++++++++++++++++++++++++++ patches/CVE-2022-28085.patch | 24 +++++++++++ patches/series | 3 + 5 files changed, 180 insertions(+) diff -Nru htmldoc-1.9.11/debian/changelog htmldoc-1.9.11/debian/changelog --- htmldoc-1.9.11/debian/changelog 2022-02-25 21:03:02.000000000 +0000 +++ htmldoc-1.9.11/debian/changelog 2022-05-15 08:13:03.000000000 +0000 @@ -1,3 +1,21 @@ +htmldoc (1.9.11-4+deb11u3) bullseye; urgency=medium + + * CVE-2022-24191 + Infinite loop in the gif_read_lzw function can lead to a + pointer arbitrarily pointing to heap memory and resulting + in a buffer overflow. + * CVE-2022-27114 + Integer Overflow bugs in image.cxx, malloc function may + return a heap block smaller than the expected size, and + it will cause a buffer overflow/Address boundary error in + the jpeg_read_scanlines function. + * CVE-2022-28085 + A heap buffer overflow in the function pdf_write_names + in ps-pdf.cxx may lead to arbitrary code execution and + Denial of Service (DoS). + + -- HÃ¥vard Flaget Aasen Sun, 15 May 2022 10:13:03 +0200 + htmldoc (1.9.11-4+deb11u2) bullseye; urgency=medium * Non-maintainer upload by the LTS Team. diff -Nru htmldoc-1.9.11/debian/patches/CVE-2022-24191.patch htmldoc-1.9.11/debian/patches/CVE-2022-24191.patch --- htmldoc-1.9.11/debian/patches/CVE-2022-24191.patch 1970-01-01 00:00:00.000000000 +0000 +++ htmldoc-1.9.11/debian/patches/CVE-2022-24191.patch 2022-05-15 08:13:03.000000000 +0000 
@@ -0,0 +1,47 @@ +From: Michael R Sweet +Date: Tue, 25 Jan 2022 18:11:34 -0500 +Subject: CVE-2022-24191 + +Fix a potential stack overflow bug with GIF images (Issue #470) +--- + htmldoc/image.cxx | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/htmldoc/image.cxx b/htmldoc/image.cxx +index 91074a6..a85f1f9 100644 +--- a/htmldoc/image.cxx ++++ b/htmldoc/image.cxx +@@ -453,7 +453,6 @@ gif_read_lzw(FILE *fp, /* I - File to read from */ + { + uchar buf[260]; + +- + if (!gif_eof) + while (gif_get_block(fp, buf) > 0); + +@@ -470,17 +469,23 @@ gif_read_lzw(FILE *fp, /* I - File to read from */ + + while (code >= clear_code) + { ++ if (sp >= (stack + sizeof(stack))) ++ return (255); ++ + *sp++ = table[1][code]; ++ + if (code == table[0][code]) + return (255); + + code = table[0][code]; + } + ++ if (sp >= (stack + sizeof(stack))) ++ return (255); ++ + *sp++ = firstcode = table[1][code]; +- code = max_code; + +- if (code < 4096) ++ if ((code = max_code) < 4096) + { + table[0][code] = oldcode; + table[1][code] = firstcode; diff -Nru htmldoc-1.9.11/debian/patches/CVE-2022-27114.patch htmldoc-1.9.11/debian/patches/CVE-2022-27114.patch --- htmldoc-1.9.11/debian/patches/CVE-2022-27114.patch 1970-01-01 00:00:00.000000000 +0000 +++ htmldoc-1.9.11/debian/patches/CVE-2022-27114.patch 2022-05-15 08:13:03.000000000 +0000 
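Review bot: The two new guards `if (sp >= (stack + sizeof(stack)))` in gif_read_lzw compare the stack pointer against a byte count rather than an element count; if `stack` is an array of a type wider than one byte (its declaration is outside the hunk, so this needs confirming), the computed bound lies well past the end of the array and writes through `sp` can still overrun it before the check ever fires. The element-count form `if (sp >= (stack + sizeof(stack) / sizeof(stack[0]))) return (255);` is correct for any element type and should replace both occurrences. gif_read_lzw starts and ends outside the hunk.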
@@ -0,0 +1,88 @@ +From: Michael R Sweet +Date: Thu, 10 Mar 2022 15:29:36 -0500 +Subject: CVE-2022-27114 + +Fix a potential integer overflow bug in the JPEG and PNG loaders (Issue #471) +All images are now limited to 4GiB of memory usage (37837x37837 pixels). + +Origin: upstream, https://github.com/michaelrsweet/htmldoc/commit/31f780487e5ddc426888638786cdc47631687275 +--- + htmldoc/image.cxx | 30 ++++++++++++++++++++++++++++-- + 1 file changed, 28 insertions(+), 2 deletions(-) + +diff --git a/htmldoc/image.cxx b/htmldoc/image.cxx +index a85f1f9..70bd23f 100644 +--- a/htmldoc/image.cxx ++++ b/htmldoc/image.cxx +@@ -21,6 +21,13 @@ extern "C" { /* Workaround for JPEG header problems... */ + #include /* Portable Network Graphics (PNG) definitions */ + + ++/* ++ * Limits... ++ */ ++ ++#define IMAGE_MAX_DIM 37837 // Maximum dimension - sqrt(4GiB / 3) ++ ++ + /* + * GIF definitions... + */ +@@ -910,7 +917,7 @@ image_load_bmp(image_t *img, /* I - Image to load into */ + colors_used = (int)read_dword(fp); + read_dword(fp); + +- if (img->width <= 0 || img->width > 8192 || img->height <= 0 || img->height > 8192) ++ if (img->width <= 0 || img->width > IMAGE_MAX_DIM || img->height <= 0 || img->height > IMAGE_MAX_DIM) + return (-1); + + if (info_size > 40) +@@ -1262,7 +1269,7 @@ image_load_gif(image_t *img, /* I - Image pointer */ + img->height = (buf[9] << 8) | buf[8]; + ncolors = 2 << (buf[10] & 0x07); + +- if (img->width <= 0 || img->width > 32767 || img->height <= 0 || img->height > 32767) ++ if (img->width <= 0 || img->width > IMAGE_MAX_DIM || img->height <= 0 || img->height > IMAGE_MAX_DIM) + return (-1); + + // If we are writing an encrypted PDF file, bump the use count so we create +@@ -1306,6 +1313,13 @@ image_load_gif(image_t *img, /* I - Image pointer */ + return (-1); + } + ++ img->width = (buf[5] << 8) | buf[4]; ++ img->height = (buf[7] << 8) | buf[6]; ++ img->depth = gray ? 
1 : 3; ++ ++ if (img->width <= 0 || img->width > IMAGE_MAX_DIM || img->height <= 0 || img->height > IMAGE_MAX_DIM) ++ return (-1); ++ + if (transparent >= 0) + { + /* +@@ -1422,6 +1436,12 @@ JSAMPROW row; /* Sample row pointer */ + img->height = (int)cinfo.output_height; + img->depth = (int)cinfo.output_components; + ++ if (img->width <= 0 || img->width > IMAGE_MAX_DIM || img->height <= 0 || img->height > IMAGE_MAX_DIM) ++ { ++ jpeg_destroy_decompress(&cinfo); ++ return (-1); ++ } ++ + if (!load_data) + { + jpeg_destroy_decompress(&cinfo); +@@ -1574,6 +1594,12 @@ image_load_png(image_t *img, /* I - Image pointer */ + img->width = (int)png_get_image_width(pp, info); + img->height = (int)png_get_image_height(pp, info); + ++ if (img->width <= 0 || img->width > IMAGE_MAX_DIM || img->height <= 0 || img->height > IMAGE_MAX_DIM) ++ { ++ png_destroy_read_struct(&pp, &info, NULL); ++ return (-1); ++ } ++ + if (color_type & PNG_COLOR_MASK_ALPHA) + { + if ((PSLevel == 0 && PDFVersion >= 14) || PSLevel == 3) diff -Nru htmldoc-1.9.11/debian/patches/CVE-2022-28085.patch htmldoc-1.9.11/debian/patches/CVE-2022-28085.patch --- htmldoc-1.9.11/debian/patches/CVE-2022-28085.patch 1970-01-01 00:00:00.000000000 +0000 +++ htmldoc-1.9.11/debian/patches/CVE-2022-28085.patch 2022-05-15 08:13:03.000000000 +0000 
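Review bot: The new IMAGE_MAX_DIM checks cap width and height at 37837, so width*height*depth can reach 4,294,960,707 for a three-channel image, which does not fit in a signed 32-bit `int`; the cap only closes the allocation bug if the later size computation is performed in `size_t` (or wider), e.g. `(size_t)img->width * (size_t)img->height * (size_t)img->depth`, and that computation is outside the hunk, so it should be verified before relying on this limit. The same guard is repeated in image_load_bmp, image_load_gif (twice), the JPEG loader and image_load_png; a small `static inline bool image_dims_ok(const image_t *img)` helper would keep the five copies from drifting. Since the BMP and GIF paths previously rejected dimensions above 8192 and 32767, this change also raises how much memory one image may claim, which the comment on IMAGE_MAX_DIM could state explicitly, e.g. `// Maximum dimension - sqrt(4GiB / 3); this is a memory cap per image, not a format limit`. Each loader's body starts and ends outside the hunk.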
@@ -0,0 +1,24 @@ +From: Michael R Sweet +Date: Thu, 24 Mar 2022 16:30:07 -0400 +Subject: CVE-2022-28085 + +Call check_pages when writing links (Issue #480) + +Origin: upstream, https://github.com/michaelrsweet/htmldoc/commit/46c8ec2b9bccb8ccabff52d998c5eee77a228348 +--- + htmldoc/ps-pdf.cxx | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/htmldoc/ps-pdf.cxx b/htmldoc/ps-pdf.cxx +index 7fbc345..8b1a45f 100644 +--- a/htmldoc/ps-pdf.cxx ++++ b/htmldoc/ps-pdf.cxx +@@ -3578,6 +3578,8 @@ pdf_write_names(FILE *out) /* I - Output file */ + pdf_start_object(out); + float x, y; + ++ check_pages(link->page); ++ + x = 0.0f; + y = link->top + pages[link->page].bottom; + pspdf_transform_coords(pages + link->page, x, y); diff -Nru htmldoc-1.9.11/debian/patches/series htmldoc-1.9.11/debian/patches/series --- htmldoc-1.9.11/debian/patches/series 2022-02-25 21:03:02.000000000 +0000 +++ htmldoc-1.9.11/debian/patches/series 2022-05-15 08:13:03.000000000 +0000 @@ -18,3 +18,6 @@ CVE-2022-0534-1.patch CVE-2022-0534-2.patch +CVE-2022-24191.patch +CVE-2022-27114.patch +CVE-2022-28085.patch
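Review bot: The added `check_pages(link->page);` in pdf_write_names carries no comment explaining why the index needs checking here, and the contract of check_pages (whether it grows `pages` or only validates, and what it does with a negative or oversized index) is outside the hunk. A one-line comment such as `// A link may target a page not yet present in pages[]; make sure it exists before indexing below.` would record the intent, and it should be confirmed that check_pages cannot return with `link->page` still outside the array, since `pages[link->page]` is dereferenced unconditionally on the following lines. pdf_write_names starts and ends outside the hunk.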