main inclusion report for chmlib

Bug #236113 reported by Jonathan Riddell
Affects: chmlib (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Martin Pitt (pitti) wrote :

Despite the original MIR, chmlib has had quite a few vulns in the past, and due to its handling of HTML and integration into browsers it makes quite a nice attack vector. Kees, Jamie, can you please give this a deeper security review and an opinion about the general sanity of chmlib? Thanks!

Changed in chmlib:
status: New → Incomplete
assignee: nobody → ubuntu-security
Jamie Strandboge (jdstrand) wrote :

Initial review shows several problems:
* chm_http.c doesn't check return value of fgets()
* chm_http.c and lzx.c don't check return values of malloc (possible null pointer dereference)
* extract_chmLib.c uses stat() resulting in TOCTOU (time of check/time of use) vulnerability (specifically possibility of directory symlink attacks)
* chm_lib.c has unsigned int assignment to signed int (line 1353)
* chm_lib.c doesn't always check for cmpLen < 0, which causes read/pread to be called with negative length (logic error, probably not exploitable)
* chm_lib.c doesn't check return values of read/pread

I could continue reviewing, but after spending the time with the code I did, I don't have a lot of confidence in it.
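For the read/pread and signed-length items in the list above, an added example (not chmlib code) of what the checked version of that path looks like; the function names and the 32-bit header field are assumptions for illustration:

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Read exactly `len` bytes at `offset`. A negative or oversized length is
 * rejected up front (the unchecked cmpLen < 0 case); a short read, EOF or
 * error fails instead of leaving the buffer half-filled. 0 = ok, -1 = fail. */
int chm_pread_exact(int fd, void *buf, int64_t len, int64_t offset)
{
    if (len < 0 || offset < 0 || len > INT32_MAX)
        return -1;                      /* never let a negative length reach pread() */
    char *p = buf;
    int64_t done = 0;
    while (done < len) {
        ssize_t n = pread(fd, p + done, (size_t)(len - done), (off_t)(offset + done));
        if (n < 0) {
            if (errno == EINTR)
                continue;               /* interrupted: retry */
            return -1;                  /* real I/O error */
        }
        if (n == 0)
            return -1;                  /* EOF before len bytes: length was bogus */
        done += n;
    }
    return 0;
}

/* A 32-bit length field from the file, converted to the signed int the rest of
 * the code uses. A plain assignment would wrap values above INT32_MAX negative. */
int chm_len_from_u32(uint32_t raw, int32_t *out)
{
    if (raw > (uint32_t)INT32_MAX)
        return -1;
    *out = (int32_t)raw;
    return 0;
}

/* Constructed sample file (not a real CHM): 16 bytes of known content. */
int chm_sample_fd(void)
{
    FILE *f = tmpfile();
    if (!f)
        return -1;
    fputs("0123456789ABCDEF", f);
    fflush(f);
    return fileno(f);
}
```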

Matthias Klose (doko)
Changed in chmlib:
assignee: ubuntu-security → nobody
Kartik Mistry (kartik.mistry) wrote :

Can we have detailed review, so that upstream can fix it?

Duane Hinnen (duanedesign) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. You reported this bug a while ago and there hasn't been any activity in it recently. We were wondering if this is still an issue for you. Can you try with the latest Ubuntu release? Thanks in advance.

Kees Cook (kees)
Changed in chmlib (Ubuntu):
status: Incomplete → Invalid