diff -Nru htmldoc-1.9.11/debian/changelog htmldoc-1.9.11/debian/changelog
--- htmldoc-1.9.11/debian/changelog	2021-05-10 14:10:41.000000000 +0000
+++ htmldoc-1.9.11/debian/changelog	2021-06-03 19:29:16.000000000 +0000
@@ -1,7 +1,16 @@
+htmldoc (1.9.11-4) unstable; urgency=medium
+
+  * Add patches to fix many CVE's. Closes: #989437
+    Fix: CVE-2021-23158, CVE-2021-23165, CVE-2021-23180, CVE-2021-23191,
+    CVE-2021-23206, CVE-2021-26252, CVE-2021-26259, CVE-2021-26948.
+  * Switch to DEP-14 layout
+
+ -- Håvard Flaget Aasen <haavard_aasen@yahoo.no>  Thu, 03 Jun 2021 21:29:16 +0200
+
 htmldoc (1.9.11-3) unstable; urgency=medium
 
   * Add patch to mitigate buffer-overflow caused by integer-overflow in
-    image_load_gif() Closes: 984765 and fixes CVE-2021-20308
+    image_load_gif() Closes: #984765 and fixes CVE-2021-20308
 
  -- Håvard Flaget Aasen <haavard_aasen@yahoo.no>  Mon, 10 May 2021 16:10:41 +0200
 
diff -Nru htmldoc-1.9.11/debian/gbp.conf htmldoc-1.9.11/debian/gbp.conf
--- htmldoc-1.9.11/debian/gbp.conf	1970-01-01 00:00:00.000000000 +0000
+++ htmldoc-1.9.11/debian/gbp.conf	2021-05-23 06:32:55.000000000 +0000
@@ -0,0 +1,3 @@
+[DEFAULT]
+debian-branch = debian/latest
+upstream-branch = upstream/latest
diff -Nru htmldoc-1.9.11/debian/patches/CVE-2021-23158-CVE-2021-23191-CVE-2021-26252.patch htmldoc-1.9.11/debian/patches/CVE-2021-23158-CVE-2021-23191-CVE-2021-26252.patch
--- htmldoc-1.9.11/debian/patches/CVE-2021-23158-CVE-2021-23191-CVE-2021-26252.patch	1970-01-01 00:00:00.000000000 +0000
+++ htmldoc-1.9.11/debian/patches/CVE-2021-23158-CVE-2021-23191-CVE-2021-26252.patch	2021-06-03 19:29:16.000000000 +0000
@@ -0,0 +1,128 @@
+From: Michael R Sweet <michael.r.sweet@gmail.com>
+Date: Thu, 1 Apr 2021 09:37:58 -0400
+Subject: CVE-2021-23158, CVE-2021-23191, CVE-2021-26252
+
+Fix JPEG error handling (Issue #415)
+
+Origin: upstream, https://github.com/michaelrsweet/htmldoc/commit/369b2ea1fd0d0537ba707f20a2f047b6afd2fbdc
+Bug: https://github.com/michaelrsweet/htmldoc/issues/412
+Bug: https://github.com/michaelrsweet/htmldoc/issues/414
+Bug: https://github.com/michaelrsweet/htmldoc/issues/415
+Bug-Debian: https://bugs.debian.org/989437
+---
+ htmldoc/file.c     |  9 ++++++++-
+ htmldoc/image.cxx  | 38 +++++++++++++++++++++++++++++++-------
+ htmldoc/ps-pdf.cxx |  5 +++++
+ 3 files changed, 44 insertions(+), 8 deletions(-)
+
+diff --git a/htmldoc/file.c b/htmldoc/file.c
+index 20229c1..9f017de 100644
+--- a/htmldoc/file.c
++++ b/htmldoc/file.c
+@@ -1000,8 +1000,15 @@ file_rlookup(const char *filename)	/* I - Filename */
+ 
+ 
+   for (i = web_files, wc = web_cache; i > 0; i --, wc ++)
++  {
+     if (!strcmp(wc->name, filename))
+-      return (wc->url);
++    {
++      if (!strncmp(wc->url, "data:", 5))
++        return ("data URL");
++      else
++        return (wc->url);
++    }
++  }
+ 
+   return (filename);
+ }
+diff --git a/htmldoc/image.cxx b/htmldoc/image.cxx
+index 8f53050..74abfac 100644
+--- a/htmldoc/image.cxx
++++ b/htmldoc/image.cxx
+@@ -1336,6 +1336,15 @@ image_load_gif(image_t *img,	/* I - Image pointer */
+ }
+ 
+ 
++typedef struct hd_jpeg_err_s	// JPEG error manager extension
++{
++  struct jpeg_error_mgr	jerr;	// JPEG error manager information
++  jmp_buf	retbuf;		// setjmp() return buffer
++  char		message[JMSG_LENGTH_MAX];
++				// Last error message
++} hd_jpeg_err_t;
++
++
+ /*
+  * 'image_load_jpeg()' - Load a JPEG image file.
+  */
+@@ -1347,14 +1356,21 @@ image_load_jpeg(image_t *img,	/* I - Image pointer */
+                 int     load_data)/* I - 1 = load image data, 0 = just info */
+ {
+   struct jpeg_decompress_struct	cinfo;		/* Decompressor info */
+-  struct jpeg_error_mgr		jerr;		/* Error handler info */
+-  JSAMPROW			row;		/* Sample row pointer */
++  hd_jpeg_err_t			jerr;		// JPEG error handler
++JSAMPROW			row;		/* Sample row pointer */
+ 
+ 
+-  jpeg_std_error(&jerr);
+-  jerr.error_exit = jpeg_error_handler;
++  jpeg_std_error(&jerr.jerr);
++  jerr.jerr.error_exit = jpeg_error_handler;
+ 
+-  cinfo.err = &jerr;
++  if (setjmp(jerr.retbuf))
++  {
++    progress_error(HD_ERROR_BAD_FORMAT, "%s (%s)", jerr.message,  file_rlookup(img->filename));
++    jpeg_destroy_decompress(&cinfo);
++    return (-1);
++  }
++
++  cinfo.err = (struct jpeg_error_mgr *)&jerr;
+   jpeg_create_decompress(&cinfo);
+   jpeg_stdio_src(&cinfo, fp);
+   jpeg_read_header(&cinfo, (boolean)1);
+@@ -1797,9 +1813,17 @@ image_unload(image_t *img)	// I - Image
+  */
+ 
+ static void
+-jpeg_error_handler(j_common_ptr)
++jpeg_error_handler(j_common_ptr p)	// Common JPEG data
+ {
+-  return;
++  hd_jpeg_err_t	*jerr = (hd_jpeg_err_t *)p->err;
++					// JPEG error handler
++
++
++  // Save the error message in the string buffer...
++  (jerr->jerr.format_message)(p, jerr->message);
++
++  // Return to the point we called setjmp()...
++  longjmp(jerr->retbuf, 1);
+ }
+ 
+ 
+diff --git a/htmldoc/ps-pdf.cxx b/htmldoc/ps-pdf.cxx
+index af1a55e..499f487 100644
+--- a/htmldoc/ps-pdf.cxx
++++ b/htmldoc/ps-pdf.cxx
+@@ -1404,6 +1404,8 @@ pspdf_prepare_page(int page)		/* I - Page number */
+ 
+ 
+   DEBUG_printf(("pspdf_prepare_page(%d)\n", page));
++  if (page < 0 || page >= num_pages)
++    return;
+ 
+  /*
+   * Make a page number; use roman numerals for the table of contents
+@@ -12258,6 +12260,9 @@ write_trailer(FILE  *out,		/* I - Output file */
+ 
+       for (j = 1; j <= TocDocCount; j ++)
+       {
++        if (chapter_starts[j] < 0)
++          continue;
++
+         page  = pages + chapter_starts[j];
+ 	start = chapter_starts[j] - chapter_starts[1] + 1;
+ 	type  = 'D';
diff -Nru htmldoc-1.9.11/debian/patches/CVE-2021-23165.patch htmldoc-1.9.11/debian/patches/CVE-2021-23165.patch
--- htmldoc-1.9.11/debian/patches/CVE-2021-23165.patch	1970-01-01 00:00:00.000000000 +0000
+++ htmldoc-1.9.11/debian/patches/CVE-2021-23165.patch	2021-06-03 19:29:16.000000000 +0000
@@ -0,0 +1,26 @@
+From: Michael R Sweet <michael.r.sweet@gmail.com>
+Date: Thu, 1 Apr 2021 09:47:56 -0400
+Subject: CVE-2021-23165
+
+Fix a number-up crash bug (Issue #413)
+
+Origin: upstream, https://github.com/michaelrsweet/htmldoc/commit/6e8a95561988500b5b5ae4861b3b0cbf4fba517f
+Bug: https://github.com/michaelrsweet/htmldoc/issues/413
+Bug-Debian: https://bugs.debian.org/989437
+---
+ htmldoc/ps-pdf.cxx | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/htmldoc/ps-pdf.cxx b/htmldoc/ps-pdf.cxx
+index 8804df4..7fbc345 100644
+--- a/htmldoc/ps-pdf.cxx
++++ b/htmldoc/ps-pdf.cxx
+@@ -1318,7 +1318,7 @@ pspdf_prepare_outpages()
+     chapter_outstarts[c] = num_outpages;
+ 
+     for (i = chapter_starts[c], j = 0, nup = -1, page = pages + i;
+-         i <= chapter_ends[c];
++         i <= chapter_ends[c] && num_outpages < num_pages;
+ 	 i ++, page ++)
+     {
+       if (nup != page->nup)
diff -Nru htmldoc-1.9.11/debian/patches/CVE-2021-23180.patch htmldoc-1.9.11/debian/patches/CVE-2021-23180.patch
--- htmldoc-1.9.11/debian/patches/CVE-2021-23180.patch	1970-01-01 00:00:00.000000000 +0000
+++ htmldoc-1.9.11/debian/patches/CVE-2021-23180.patch	2021-06-03 19:29:16.000000000 +0000
@@ -0,0 +1,35 @@
+From: Michael R Sweet <msweet@msweet.org>
+Date: Tue, 26 Jan 2021 08:02:32 -0500
+Subject: CVE-2021-23180
+
+Fix a crash bug with malformed URIs (Issue #418)
+
+Origin: upstream, https://github.com/michaelrsweet/htmldoc/commit/19c582fb32eac74b57e155cffbb529377a9e751a
+Bug: https://github.com/michaelrsweet/htmldoc/issues/418
+Bug-Debian: https://bugs.debian.org/989437
+---
+ htmldoc/file.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/htmldoc/file.c b/htmldoc/file.c
+index 9f017de..eee89af 100644
+--- a/htmldoc/file.c
++++ b/htmldoc/file.c
+@@ -304,6 +304,7 @@ const char *			/* O - File extension */
+ file_extension(const char *s)	/* I - Filename or URL */
+ {
+   const char	*extension;	/* Pointer to directory separator */
++  char		*bufptr;	/* Pointer into buffer */
+   static char	buf[1024];	/* Buffer for files with targets */
+ 
+ 
+@@ -334,7 +335,8 @@ file_extension(const char *s)	/* I - Filename or URL */
+ 
+   strlcpy(buf, extension, sizeof(buf));
+ 
+-  *(char *)strchr(buf, '#') = '\0';
++  if ((bufptr = strchr(buf, '#')) != NULL)
++    *bufptr = '\0';
+ 
+   return (buf);
+ }
diff -Nru htmldoc-1.9.11/debian/patches/CVE-2021-23206.patch htmldoc-1.9.11/debian/patches/CVE-2021-23206.patch
--- htmldoc-1.9.11/debian/patches/CVE-2021-23206.patch	1970-01-01 00:00:00.000000000 +0000
+++ htmldoc-1.9.11/debian/patches/CVE-2021-23206.patch	2021-06-03 19:29:16.000000000 +0000
@@ -0,0 +1,61 @@
+From: Michael R Sweet <michael.r.sweet@gmail.com>
+Date: Thu, 1 Apr 2021 08:21:57 -0400
+Subject: CVE-2021-23206
+
+Fix crash bugs with bogus table attributes (Issue #416)
+
+Origin: upstream, https://github.com/michaelrsweet/htmldoc/commit/ba61a3ece382389ae4482c7027af8b32e8ab4cc8
+Bug: https://github.com/michaelrsweet/htmldoc/issues/416
+Bug-Debian: https://bugs.debian.org/989437
+---
+ htmldoc/ps-pdf.cxx | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/htmldoc/ps-pdf.cxx b/htmldoc/ps-pdf.cxx
+index 499f487..bb8a5b9 100644
+--- a/htmldoc/ps-pdf.cxx
++++ b/htmldoc/ps-pdf.cxx
+@@ -5735,7 +5735,7 @@ render_table_row(hdtable_t &table,
+       if ((var = htmlGetVariable(cells[row][col], (uchar *)"ROWSPAN")) != NULL)
+         table.row_spans[col] = atoi((char *)var);
+ 
+-      if (table.row_spans[col] == 1)
++      if (table.row_spans[col] <= 1)
+         table.row_spans[col] = 0;
+ 
+       if (table.row_spans[col] > (table.num_rows - row))
+@@ -6555,7 +6555,12 @@ parse_table(tree_t *t,			// I - Tree to parse
+         {
+ 	  // Handle colspan and rowspan stuff...
+           if ((var = htmlGetVariable(tempcol, (uchar *)"COLSPAN")) != NULL)
+-            colspan = atoi((char *)var);
++          {
++            if ((colspan = atoi((char *)var)) < 1)
++              colspan = 1;
++            else if (colspan > (MAX_COLUMNS - col))
++              colspan = MAX_COLUMNS - col;
++          }
+           else
+             colspan = 1;
+ 
+@@ -6563,7 +6568,7 @@ parse_table(tree_t *t,			// I - Tree to parse
+ 	  {
+             table.row_spans[col] = atoi((char *)var);
+ 
+-	    if (table.row_spans[col] == 1)
++	    if (table.row_spans[col] <= 1)
+ 	      table.row_spans[col] = 0;
+ 
+ 	    for (tcol = 1; tcol < colspan; tcol ++)
+@@ -6585,6 +6590,11 @@ parse_table(tree_t *t,			// I - Tree to parse
+ 	    {
+               col_width -= 2.0 * table.cellpadding;
+ 	    }
++
++	    if (col_width <= 0.0f)
++	      col_width = 0.0f;
++	    else if (col_width > PageWidth)
++	      col_width = PageWidth;
+ 	  }
+ 	  else
+ 	    col_width = 0.0f;
diff -Nru htmldoc-1.9.11/debian/patches/CVE-2021-26259.patch htmldoc-1.9.11/debian/patches/CVE-2021-26259.patch
--- htmldoc-1.9.11/debian/patches/CVE-2021-26259.patch	1970-01-01 00:00:00.000000000 +0000
+++ htmldoc-1.9.11/debian/patches/CVE-2021-26259.patch	2021-06-03 19:29:16.000000000 +0000
@@ -0,0 +1,71 @@
+From: Michael R Sweet <michael.r.sweet@gmail.com>
+Date: Thu, 1 Apr 2021 08:14:29 -0400
+Subject: CVE-2021-26259
+
+Fix a crash bug with bogus table attributes (Issue #417)
+
+Origin: upstream, https://github.com/michaelrsweet/htmldoc/commit/0ddab26a542c74770317b622e985c52430092ba5
+Bug: https://github.com/michaelrsweet/htmldoc/issues/417
+Bug-Debian: https://bugs.debian.org/989437
+---
+ htmldoc/ps-pdf.cxx | 23 +++++++++++++++++++----
+ 1 file changed, 19 insertions(+), 4 deletions(-)
+
+diff --git a/htmldoc/ps-pdf.cxx b/htmldoc/ps-pdf.cxx
+index bb8a5b9..8804df4 100644
+--- a/htmldoc/ps-pdf.cxx
++++ b/htmldoc/ps-pdf.cxx
+@@ -6379,6 +6379,9 @@ parse_table(tree_t *t,			// I - Tree to parse
+       table_width = (float)(atof((char *)var) * (right - left) / 100.0f);
+     else
+       table_width = (float)(atoi((char *)var) * PagePrintWidth / _htmlBrowserWidth);
++
++    if (table_width < 0.0f || table_width > PagePrintWidth)
++      table_width = right - left;
+   }
+   else
+     table_width = right - left;
+@@ -6396,19 +6399,31 @@ parse_table(tree_t *t,			// I - Tree to parse
+   DEBUG_printf(("table_width = %.1f\n", table_width));
+ 
+   if ((var = htmlGetVariable(t, (uchar *)"CELLPADDING")) != NULL)
+-    table.cellpadding = atoi((char *)var);
++  {
++    if ((table.cellpadding = atoi((char *)var)) < 0.0f)
++      table.cellpadding = 0.0f;
++    else if (table.cellpadding > 20.0f)
++      table.cellpadding = 20.0f;
++  }
+   else
+     table.cellpadding = 1.0f;
+ 
+   if ((var = htmlGetVariable(t, (uchar *)"CELLSPACING")) != NULL)
+-    cellspacing = atoi((char *)var);
++  {
++    if ((cellspacing = atoi((char *)var)) < 0.0f)
++      cellspacing = 0.0f;
++    else if (cellspacing > 20.0f)
++      cellspacing = 20.0f;
++  }
+   else
+     cellspacing = 0.0f;
+ 
+   if ((var = htmlGetVariable(t, (uchar *)"BORDER")) != NULL)
+   {
+-    if ((table.border = (float)atof((char *)var)) == 0.0 && var[0] != '0')
++    if ((table.border = (float)atof((char *)var)) <= 0.0 && var[0] != '0')
+       table.border = 1.0f;
++    else if (table.border > 20.0f)
++      table.border = 20.0f;
+ 
+     table.cellpadding += table.border;
+   }
+@@ -6438,7 +6453,7 @@ parse_table(tree_t *t,			// I - Tree to parse
+ 
+   table.border_size = table.border - 1.0f;
+ 
+-  cellspacing *= PagePrintWidth / _htmlBrowserWidth;
++  cellspacing       *= PagePrintWidth / _htmlBrowserWidth;
+   table.cellpadding *= PagePrintWidth / _htmlBrowserWidth;
+   table.border      *= PagePrintWidth / _htmlBrowserWidth;
+   table.border_size *= PagePrintWidth / _htmlBrowserWidth;
diff -Nru htmldoc-1.9.11/debian/patches/CVE-2021-26948.patch htmldoc-1.9.11/debian/patches/CVE-2021-26948.patch
--- htmldoc-1.9.11/debian/patches/CVE-2021-26948.patch	1970-01-01 00:00:00.000000000 +0000
+++ htmldoc-1.9.11/debian/patches/CVE-2021-26948.patch	2021-06-03 19:29:16.000000000 +0000
@@ -0,0 +1,65 @@
+From: =?utf-8?q?H=C3=A5vard_Flaget_Aasen?= <haavard_aasen@yahoo.no>
+Date: Thu, 3 Jun 2021 21:15:52 +0200
+Subject: CVE-2021-26948
+
+Fix crash bug with data: URIs (Issue #410)
+
+Origin: upstream, https://github.com/michaelrsweet/htmldoc/commit/008861d8339c6ec777e487770b70b95b1ed0c1d2
+Bug: https://github.com/michaelrsweet/htmldoc/issues/410
+Bug-Debian: https://bugs.debian.org/989437
+---
+ htmldoc/file.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/htmldoc/file.c b/htmldoc/file.c
+index eee89af..9a5f3e2 100644
+--- a/htmldoc/file.c
++++ b/htmldoc/file.c
+@@ -624,11 +624,13 @@ file_find(const char *path,		/* I - Path "dir;dir;dir" */
+   */
+ 
+   for (i = 0; i < (int)web_files; i ++)
++  {
+     if (strcmp(s, web_cache[i].name) == 0)
+     {
+       DEBUG_printf(("file_find: Returning cache file \"%s\"!\n", s));
+       return (s);
+     }
++  }
+ 
+   DEBUG_printf(("file_find: \"%s\" not in web cache of %d files...\n", s, (int)web_files));
+ 
+@@ -637,11 +639,14 @@ file_find(const char *path,		/* I - Path "dir;dir;dir" */
+   */
+ 
+   if (strchr(s, '%') == NULL)
++  {
+     strlcpy(basename, s, sizeof(basename));
++  }
+   else
+   {
+     for (sptr = s, temp = basename;
+ 	 *sptr && temp < (basename + sizeof(basename) - 1);)
++    {
+       if (*sptr == '%' && isxdigit(sptr[1]) && isxdigit(sptr[2]))
+       {
+        /*
+@@ -664,6 +669,7 @@ file_find(const char *path,		/* I - Path "dir;dir;dir" */
+       }
+       else
+ 	*temp++ = *sptr++;
++    }
+ 
+     *temp = '\0';
+   }
+@@ -918,7 +924,9 @@ file_localize(const char *filename,	/* I - Filename */
+ const char *			/* O - Method string ("http", "ftp", etc.) */
+ file_method(const char *s)	/* I - Filename or URL */
+ {
+-  if (strncmp(s, "http:", 5) == 0)
++  if (strncmp(s, "data:", 5) == 0)
++    return ("data");
++  else if (strncmp(s, "http:", 5) == 0)
+     return ("http");
+   else if (strncmp(s, "https:", 6) == 0)
+     return ("https");
diff -Nru htmldoc-1.9.11/debian/patches/series htmldoc-1.9.11/debian/patches/series
--- htmldoc-1.9.11/debian/patches/series	2021-05-10 14:10:41.000000000 +0000
+++ htmldoc-1.9.11/debian/patches/series	2021-06-03 19:29:16.000000000 +0000
@@ -6,3 +6,9 @@
 disable_libz.patch
 remove-os-check.patch
 Fix-crash-bug-with-bad-GIFs-Issue-423.patch
+CVE-2021-23158-CVE-2021-23191-CVE-2021-26252.patch
+CVE-2021-23165.patch
+CVE-2021-23180.patch
+CVE-2021-23206.patch
+CVE-2021-26259.patch
+CVE-2021-26948.patch