diff -Nru ntfs-3g-2021.8.22/debian/changelog ntfs-3g-2021.8.22/debian/changelog
--- ntfs-3g-2021.8.22/debian/changelog 2022-06-06 17:57:00.000000000 +0000
+++ ntfs-3g-2021.8.22/debian/changelog 2022-11-01 11:56:19.000000000 +0000
@@ -1,3 +1,14 @@
+ntfs-3g (1:2021.8.22-3ubuntu1.2) jammy-security; urgency=medium
+
+ * SECURITY UPDATE: code execution via incorrect validation of metadata
+ - debian/patches/CVE-2022-40284-1.patch: rejected zero-sized runs in
+ libntfs-3g/runlist.c.
+ - debian/patches/CVE-2022-40284-2.patch: avoided merging runlists with
+ no runs in libntfs-3g/runlist.c.
+ - CVE-2022-40284
+
+ -- Marc Deslauriers Tue, 01 Nov 2022 07:56:19 -0400
+
 ntfs-3g (1:2021.8.22-3ubuntu1.1) jammy-security; urgency=medium
 
 * SECURITY UPDATE: heap buffer overflow in ntfsck
diff -Nru ntfs-3g-2021.8.22/debian/patches/CVE-2022-40284-1.patch ntfs-3g-2021.8.22/debian/patches/CVE-2022-40284-1.patch
--- ntfs-3g-2021.8.22/debian/patches/CVE-2022-40284-1.patch 1970-01-01 00:00:00.000000000 +0000
+++ ntfs-3g-2021.8.22/debian/patches/CVE-2022-40284-1.patch 2022-11-01 11:56:10.000000000 +0000
@@ -0,0 +1,46 @@
+From 18bfc676119a1188e8135287b8327b0760ba44a1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jean-Pierre=20Andr=C3=A9?=
+Date: Wed, 14 Sep 2022 08:29:58 +0200
+Subject: [PATCH] Rejected zero-sized runs
+
+A zero-size run is the universal way to indentify the end of a runlist,
+so we must reject zero-sized runs when decompressing a runlist. A
+zero-size data run is an error, and a zero-size hole is simply ignored.
+---
+ libntfs-3g/runlist.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/libntfs-3g/runlist.c b/libntfs-3g/runlist.c
+index c83c2b7d..720bdce6 100644
+--- a/libntfs-3g/runlist.c
++++ b/libntfs-3g/runlist.c
+@@ -5,7 +5,7 @@
+ * Copyright (c) 2002-2005 Richard Russon
+ * Copyright (c) 2002-2008 Szabolcs Szakacsits
+ * Copyright (c) 2004 Yura Pakhuchiy
+- * Copyright (c) 2007-2010 Jean-Pierre Andre
++ * Copyright (c) 2007-2022 Jean-Pierre Andre
+ *
+ * This program/include file is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as published
+@@ -918,11 +918,18 @@ static runlist_element *ntfs_mapping_pairs_decompress_i(const ntfs_volume *vol,
+ "array.\n");
+ goto err_out;
+ }
++ /* chkdsk accepts zero-sized runs only for holes */
++ if ((lcn != (LCN)-1) && !rl[rlpos].length) {
++ ntfs_log_debug(
++ "Invalid zero-sized data run.\n");
++ goto err_out;
++ }
+ /* Enter the current lcn into the runlist element. */
+ rl[rlpos].lcn = lcn;
+ }
+- /* Get to the next runlist element. */
+- rlpos++;
++ /* Get to the next runlist element, skipping zero-sized holes */
++ if (rl[rlpos].length)
++ rlpos++;
+ /* Increment the buffer position to the next mapping pair. */
+ buf += (*buf & 0xf) + ((*buf >> 4) & 0xf) + 1;
+ }
diff -Nru ntfs-3g-2021.8.22/debian/patches/CVE-2022-40284-2.patch ntfs-3g-2021.8.22/debian/patches/CVE-2022-40284-2.patch
--- ntfs-3g-2021.8.22/debian/patches/CVE-2022-40284-2.patch 1970-01-01 00:00:00.000000000 +0000
+++ ntfs-3g-2021.8.22/debian/patches/CVE-2022-40284-2.patch 2022-11-01 11:56:14.000000000 +0000
@@ -0,0 +1,37 @@
+From 76c3a799a97fbcedeeeca57f598be508ae2a1656 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jean-Pierre=20Andr=C3=A9?=
+Date: Wed, 14 Sep 2022 08:31:31 +0200
+Subject: [PATCH] Avoided merging runlists with no runs
+
+Runlists with no runs are tolerated though not expected. However merging
+such runlists is problematic as there is no significant vcn to examine.
+So avoid merging them, and just return the other runlist.
+---
+ libntfs-3g/runlist.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/libntfs-3g/runlist.c b/libntfs-3g/runlist.c
+index 720bdce6..cb01e5a7 100644
+--- a/libntfs-3g/runlist.c
++++ b/libntfs-3g/runlist.c
+@@ -994,13 +994,18 @@ static runlist_element *ntfs_mapping_pairs_decompress_i(const ntfs_volume *vol,
+ rl[rlpos].vcn = vcn;
+ rl[rlpos].length = (s64)0;
+ /* If no existing runlist was specified, we are done. */
+- if (!old_rl) {
++ if (!old_rl || !old_rl[0].length) {
+ ntfs_log_debug("Mapping pairs array successfully decompressed:\n");
+ ntfs_debug_runlist_dump(rl);
++ if (old_rl)
++ free(old_rl);
+ return rl;
+ }
+ /* Now combine the new and old runlists checking for overlaps. */
+- old_rl = ntfs_runlists_merge(old_rl, rl);
++ if (rl[0].length)
++ old_rl = ntfs_runlists_merge(old_rl, rl);
++ else
++ free(rl);
+ if (old_rl)
+ return old_rl;
+ err = errno;
diff -Nru ntfs-3g-2021.8.22/debian/patches/series ntfs-3g-2021.8.22/debian/patches/series
--- ntfs-3g-2021.8.22/debian/patches/series 2022-06-06 17:56:16.000000000 +0000
+++ ntfs-3g-2021.8.22/debian/patches/series 2022-11-01 11:56:14.000000000 +0000
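Review bot: The new rejection `if ((lcn != (LCN)-1) && !rl[rlpos].length)` sits in the branch that assigns `rl[rlpos].lcn = lcn`, so it only covers runs that carry an explicit LCN; a zero-sized hole is not rejected but reaches the new `if (rl[rlpos].length) rlpos++;` and is dropped by leaving its slot to be overwritten by the next mapping pair. That means an array made only of zero-sized holes decodes to a runlist with no runs (`rlpos` stays 0), which is precisely the state the second patch then has to tolerate, and the skip relies on the loop head (outside this hunk) rewriting `vcn`, `lcn` and `length` of the reused slot — presumably it does, but that cannot be confirmed here. A comment at the skip such as `/* length 0 here can only be a hole (zero-sized data runs were rejected above); the slot is reused by the next pair, so an all-hole array yields an empty runlist */` would make that invariant explicit for the next reader. The enclosing `ntfs_mapping_pairs_decompress_i` starts and ends outside the hunk.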
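Review bot: Both `!old_rl[0].length` and `rl[0].length` in the new code index element 0 without a comment on why that is safe: `rl` always holds at least the terminator written by `rl[rlpos].length = (s64)0;` just above, and the same is presumably assumed of a non-NULL `old_rl`, which this hunk cannot verify. A comment above the first check, such as `/* an empty runlist is just its terminator, so [0] is always valid and length == 0 identifies it */`, would document that. The added `if (old_rl) free(old_rl);` keeps a NULL guard that `free()` already provides; `free(old_rl);` alone reads more clearly. Since `old_rl` is now released in this early-return branch as well as by ntfs_runlists_merge, and `rl` is released when it carries no runs, the ownership rule (both inputs are consumed on success, the returned runlist is the only one left alive) belongs in the header comment of `ntfs_mapping_pairs_decompress_i`, which lies outside the hunk.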
@@ -9,3 +9,5 @@
 CVE-2022-30788-1.patch
 CVE-2022-30788-2.patch
 CVE-2022-30789.patch
+CVE-2022-40284-1.patch
+CVE-2022-40284-2.patch