From 982ad7a615c88e2683aaedfd20f85e0d9b1b88f3 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Nov 03 2016 06:07:24 +0000
Subject: import fontconfig-2.10.95-10.el7


---

diff --git a/SOURCES/fontconfig-offset-in-elts.patch b/SOURCES/fontconfig-offset-in-elts.patch
new file mode 100644
index 0000000..48f7c27
--- /dev/null
+++ b/SOURCES/fontconfig-offset-in-elts.patch
@@ -0,0 +1,35 @@
+diff --git a/src/fccache.c b/src/fccache.c
+index 02ec301..6f3c68a 100644
+--- a/src/fccache.c
++++ b/src/fccache.c
+@@ -640,6 +640,7 @@ FcCacheOffsetsValid (FcCache *cache)
+             FcPattern		*font = FcFontSetFont (fs, i);
+             FcPatternElt	*e;
+             FcValueListPtr	 l;
++	    char                *last_offset;
+ 
+             if ((char *) font < base ||
+                 (char *) font > end - sizeof (FcFontSet) ||
+@@ -653,11 +654,17 @@ FcCacheOffsetsValid (FcCache *cache)
+             if (e->values != 0 && !FcIsEncodedOffset(e->values))
+                 return FcFalse;
+ 
+-            for (j = font->num, l = FcPatternEltValues(e); j >= 0 && l; j--, l = FcValueListNext(l))
+-                if (l->next != NULL && !FcIsEncodedOffset(l->next))
+-                    break;
+-            if (j < 0)
+-                return FcFalse;
++	    for (j = 0; j < font->num; j++)
++	    {
++		last_offset = (char *) font + font->elts_offset;
++		for (l = FcPatternEltValues(&e[j]); l; l = FcValueListNext(l))
++		{
++		    if ((char *) l < last_offset || (char *) l > end - sizeof (*l) ||
++			(l->next != NULL && !FcIsEncodedOffset(l->next)))
++			return FcFalse;
++		    last_offset = (char *) l + 1;
++		}
++	    }
+         }
+     }
+ 
diff --git a/SOURCES/fontconfig-update-45-latin.patch b/SOURCES/fontconfig-update-45-latin.patch
new file mode 100644
index 0000000..53b6613
--- /dev/null
+++ b/SOURCES/fontconfig-update-45-latin.patch
@@ -0,0 +1,293 @@
+diff --git a/conf.d/45-latin.conf b/conf.d/45-latin.conf
+index aa62ed4..5228945 100644
+--- a/conf.d/45-latin.conf
++++ b/conf.d/45-latin.conf
+@@ -14,23 +14,31 @@
+ 		<default><family>serif</family></default>
+ 	</alias>
+ 	<alias>
++		<family>Cambria</family>
++		<default><family>serif</family></default>
++	</alias>
++	<alias>
++		<family>Constantia</family>
++		<default><family>serif</family></default>
++	</alias>
++	<alias>
+ 		<family>DejaVu Serif</family>
+ 		<default><family>serif</family></default>
+ 	</alias>
+ 	<alias>
+-		<family>Liberation Serif</family>
++		<family>Elephant</family>
+ 		<default><family>serif</family></default>
+ 	</alias>
+ 	<alias>
+-		<family>Times New Roman</family>
++		<family>Garamond</family>
+ 		<default><family>serif</family></default>
+ 	</alias>
+ 	<alias>
+-		<family>Times</family>
++		<family>Georgia</family>
+ 		<default><family>serif</family></default>
+ 	</alias>
+ 	<alias>
+-		<family>Nimbus Roman No9 L</family>
++		<family>Liberation Serif</family>
+ 		<default><family>serif</family></default>
+ 	</alias>
+ 	<alias>
+@@ -38,42 +46,50 @@
+ 		<default><family>serif</family></default>
+ 	</alias>
+ 	<alias>
+-		<family>Thorndale AMT</family>
++		<family>MS Serif</family>
+ 		<default><family>serif</family></default>
+ 	</alias>
+ 	<alias>
+-		<family>Thorndale</family>
++		<family>Nimbus Roman No9 L</family>
+ 		<default><family>serif</family></default>
+ 	</alias>
+ 	<alias>
+-		<family>Georgia</family>
++		<family>Nimbus Roman</family>
+ 		<default><family>serif</family></default>
+ 	</alias>
+ 	<alias>
+-		<family>Garamond</family>
++		<family>Palatino Linotype</family>
+ 		<default><family>serif</family></default>
+ 	</alias>
+ 	<alias>
+-		<family>Palatino Linotype</family>
++		<family>Thorndale AMT</family>
+ 		<default><family>serif</family></default>
+ 	</alias>
+ 	<alias>
+-		<family>Trebuchet MS</family>
++		<family>Thorndale</family>
++		<default><family>serif</family></default>
++	</alias>
++	<alias>
++		<family>Times New Roman</family>
++		<default><family>serif</family></default>
++	</alias>
++	<alias>
++		<family>Times</family>
+ 		<default><family>serif</family></default>
+ 	</alias>
+ <!--
+   Sans-serif faces
+  -->
+ 	<alias>
+-		<family>Bitstream Vera Sans</family>
++		<family>Albany AMT</family>
+ 		<default><family>sans-serif</family></default>
+ 	</alias>
+ 	<alias>
+-		<family>DejaVu Sans</family>
++		<family>Albany</family>
+ 		<default><family>sans-serif</family></default>
+ 	</alias>
+ 	<alias>
+-		<family>Liberation Sans</family>
++		<family>Arial Unicode MS</family>
+ 		<default><family>sans-serif</family></default>
+ 	</alias>
+ 	<alias>
+@@ -81,19 +97,47 @@
+ 		<default><family>sans-serif</family></default>
+ 	</alias>
+ 	<alias>
++		<family>Bitstream Vera Sans</family>
++		<default><family>sans-serif</family></default>
++	</alias>
++	<alias>
++		<family>Britannic</family>
++		<default><family>sans-serif</family></default>
++	</alias>
++	<alias>
++		<family>Calibri</family>
++		<default><family>sans-serif</family></default>
++	</alias>
++	<alias>
++		<family>Candara</family>
++		<default><family>sans-serif</family></default>
++	</alias>
++	<alias>
++		<family>Century Gothic</family>
++		<default><family>sans-serif</family></default>
++	</alias>
++	<alias>
++		<family>Corbel</family>
++		<default><family>sans-serif</family></default>
++	</alias>
++	<alias>
++		<family>DejaVu Sans</family>
++		<default><family>sans-serif</family></default>
++	</alias>
++	<alias>
+ 		<family>Helvetica</family>
+ 		<default><family>sans-serif</family></default>
+ 	</alias>
+ 	<alias>
+-		<family>Verdana</family>
++		<family>Haettenschweiler</family>
+ 		<default><family>sans-serif</family></default>
+ 	</alias>
+ 	<alias>
+-		<family>Albany AMT</family>
++		<family>Liberation Sans</family>
+ 		<default><family>sans-serif</family></default>
+ 	</alias>
+ 	<alias>
+-		<family>Albany</family>
++		<family>MS Sans Serif</family>
+ 		<default><family>sans-serif</family></default>
+ 	</alias>
+ 	<alias>
+@@ -101,88 +145,124 @@
+ 		<default><family>sans-serif</family></default>
+ 	</alias>
+ 	<alias>
++		<family>Nimbus Sans</family>
++		<default><family>sans-serif</family></default>
++	</alias>
++	<alias>
+ 		<family>Luxi Sans</family>
+ 		<default><family>sans-serif</family></default>
+ 	</alias>
++	<alias>
++		<family>Tahoma</family>
++		<default><family>sans-serif</family></default>
++	</alias>
++	<alias>
++		<family>Trebuchet MS</family>
++		<default><family>sans-serif</family></default>
++	</alias>
++	<alias>
++		<family>Twentieth Century</family>
++		<default><family>sans-serif</family></default>
++	</alias>
++	<alias>
++		<family>Verdana</family>
++		<default><family>sans-serif</family></default>
++	</alias>
+ <!--
+   Monospace faces
+  -->
++	<alias>
++		<family>Andale Mono</family>
++		<default><family>monospace</family></default>
++	</alias>
+  	<alias>
+ 		<family>Bitstream Vera Sans Mono</family>
+ 		<default><family>monospace</family></default>
+ 	</alias>
+ 	<alias>
+-		<family>DejaVu Sans Mono</family>
++		<family>Consolas</family>
+ 		<default><family>monospace</family></default>
+ 	</alias>
+ 	<alias>
+-		<family>Liberation Mono</family>
++		<family>Courier New</family>
+ 		<default><family>monospace</family></default>
+ 	</alias>
+ 	<alias>
+-		<family>Inconsolata</family>
++		<family>Courier</family>
+ 		<default><family>monospace</family></default>
+ 	</alias>
+ 	<alias>
+-		<family>Courier New</family>
++		<family>Cumberland AMT</family>
+ 		<default><family>monospace</family></default>
+ 	</alias>
+ 	<alias>
+-		<family>Courier</family>
++		<family>Cumberland</family>
+ 		<default><family>monospace</family></default>
+ 	</alias>
+ 	<alias>
+-		<family>Andale Mono</family>
++		<family>DejaVu Sans Mono</family>
+ 		<default><family>monospace</family></default>
+ 	</alias>
+ 	<alias>
+-		<family>Luxi Mono</family>
++		<family>Fixedsys</family>
+ 		<default><family>monospace</family></default>
+ 	</alias>
+ 	<alias>
+-		<family>Cumberland AMT</family>
++		<family>Inconsolata</family>
+ 		<default><family>monospace</family></default>
+ 	</alias>
+ 	<alias>
+-		<family>Cumberland</family>
++		<family>Liberation Mono</family>
++		<default><family>monospace</family></default>
++	</alias>
++	<alias>
++		<family>Luxi Mono</family>
+ 		<default><family>monospace</family></default>
+ 	</alias>
+ 	<alias>
+ 		<family>Nimbus Mono L</family>
+ 		<default><family>monospace</family></default>
+ 	</alias>
++	<alias>
++		<family>Nimbus Mono</family>
++		<default><family>monospace</family></default>
++	</alias>
++	<alias>
++		<family>Terminal</family>
++		<default><family>monospace</family></default>
++	</alias>
+ <!--
+   Fantasy faces
+  -->
+- 	<alias>
+-		<family>Impact</family>
++	<alias>
++		<family>Bauhaus Std</family>
+ 		<default><family>fantasy</family></default>
+ 	</alias>
+ 	<alias>
+-		<family>Copperplate Gothic Std</family>
++		<family>Cooper Std</family>
+ 		<default><family>fantasy</family></default>
+ 	</alias>
+ 	<alias>
+-		<family>Cooper Std</family>
++		<family>Copperplate Gothic Std</family>
+ 		<default><family>fantasy</family></default>
+ 	</alias>
+ 	<alias>
+-		<family>Bauhaus Std</family>
++		<family>Impact</family>
+ 		<default><family>fantasy</family></default>
+ 	</alias>
+ <!--
+   Cursive faces
+   -->
+ 	<alias>
+-		<family>ITC Zapf Chancery Std</family>
++		<family>Comic Sans MS</family>
+ 		<default><family>cursive</family></default>
+ 	</alias>
+ 	<alias>
+-		<family>Zapfino</family>
++		<family>ITC Zapf Chancery Std</family>
+ 		<default><family>cursive</family></default>
+ 	</alias>
+ 	<alias>
+-		<family>Comic Sans MS</family>
++		<family>Zapfino</family>
+ 		<default><family>cursive</family></default>
+ 	</alias>
+ 
diff --git a/SOURCES/fontconfig-validate-offset-in-cache.patch b/SOURCES/fontconfig-validate-offset-in-cache.patch
new file mode 100644
index 0000000..9009ffd
--- /dev/null
+++ b/SOURCES/fontconfig-validate-offset-in-cache.patch
@@ -0,0 +1,112 @@
+diff -pruN fontconfig-2.10.95.orig/src/fccache.c fontconfig-2.10.95/src/fccache.c
+--- fontconfig-2.10.95.orig/src/fccache.c	2013-08-26 11:49:32.000000000 +0900
++++ fontconfig-2.10.95/src/fccache.c	2016-08-05 18:01:48.040872110 +0900
+@@ -30,6 +30,7 @@
+ #include <fcntl.h>
+ #include <dirent.h>
+ #include <string.h>
++#include <limits.h>
+ #include <sys/types.h>
+ #include <assert.h>
+ #if defined(HAVE_MMAP) || defined(__CYGWIN__)
+@@ -547,6 +548,82 @@ FcCacheTimeValid (FcCache *cache, struct
+     return cache->checksum == (int) dir_stat->st_mtime;
+ }
+ 
++static FcBool
++FcCacheOffsetsValid (FcCache *cache)
++{
++    char		*base = (char *)cache;
++    char		*end = base + cache->size;
++    intptr_t		*dirs;
++    FcFontSet		*fs;
++    int			 i, j;
++
++    if (cache->dir < 0 || cache->dir > cache->size - sizeof (intptr_t) ||
++        memchr (base + cache->dir, '\0', cache->size - cache->dir) == NULL)
++        return FcFalse;
++
++    if (cache->dirs < 0 || cache->dirs >= cache->size ||
++        cache->dirs_count < 0 ||
++        cache->dirs_count > (cache->size - cache->dirs) / sizeof (intptr_t))
++        return FcFalse;
++
++    dirs = FcCacheDirs (cache);
++    if (dirs)
++    {
++        for (i = 0; i < cache->dirs_count; i++)
++        {
++            FcChar8	*dir;
++
++            if (dirs[i] < 0 ||
++                dirs[i] > end - (char *) dirs - sizeof (intptr_t))
++                return FcFalse;
++
++            dir = FcOffsetToPtr (dirs, dirs[i], FcChar8);
++            if (memchr (dir, '\0', end - (char *) dir) == NULL)
++                return FcFalse;
++         }
++    }
++
++    if (cache->set < 0 || cache->set > cache->size - sizeof (FcFontSet))
++        return FcFalse;
++
++    fs = FcCacheSet (cache);
++    if (fs)
++    {
++        if (fs->nfont > (end - (char *) fs) / sizeof (FcPattern))
++            return FcFalse;
++
++        if (fs->fonts != 0 && !FcIsEncodedOffset(fs->fonts))
++            return FcFalse;
++
++        for (i = 0; i < fs->nfont; i++)
++        {
++            FcPattern		*font = FcFontSetFont (fs, i);
++            FcPatternElt	*e;
++            FcValueListPtr	 l;
++
++            if ((char *) font < base ||
++                (char *) font > end - sizeof (FcFontSet) ||
++                font->elts_offset < 0 ||
++                font->elts_offset > end - (char *) font ||
++                font->num > (end - (char *) font - font->elts_offset) / sizeof (FcPatternElt))
++                return FcFalse;
++
++
++            e = FcPatternElts(font);
++            if (e->values != 0 && !FcIsEncodedOffset(e->values))
++                return FcFalse;
++
++            for (j = font->num, l = FcPatternEltValues(e); j >= 0 && l; j--, l = FcValueListNext(l))
++                if (l->next != NULL && !FcIsEncodedOffset(l->next))
++                    break;
++            if (j < 0)
++                return FcFalse;
++        }
++    }
++
++    return FcTrue;
++}
++
+ /*
+  * Map a cache file into memory
+  */
+@@ -556,7 +633,8 @@ FcDirCacheMapFd (int fd, struct stat *fd
+     FcCache	*cache;
+     FcBool	allocated = FcFalse;
+ 
+-    if (fd_stat->st_size < (int) sizeof (FcCache))
++    if (fd_stat->st_size > INTPTR_MAX ||
++        fd_stat->st_size < (int) sizeof (FcCache))
+ 	return NULL;
+     cache = FcCacheFindByStat (fd_stat);
+     if (cache)
+@@ -612,6 +690,7 @@ FcDirCacheMapFd (int fd, struct stat *fd
+     if (cache->magic != FC_CACHE_MAGIC_MMAP ||
+ 	cache->version < FC_CACHE_CONTENT_VERSION ||
+ 	cache->size != (intptr_t) fd_stat->st_size ||
++	!FcCacheOffsetsValid (cache) ||
+ 	!FcCacheTimeValid (cache, dir_stat) ||
+ 	!FcCacheInsert (cache, fd_stat))
+     {
diff --git a/SPECS/fontconfig.spec b/SPECS/fontconfig.spec
index 878e553..de7aff2 100644
--- a/SPECS/fontconfig.spec
+++ b/SPECS/fontconfig.spec
@@ -3,7 +3,7 @@
 Summary:	Font configuration and customization library
 Name:		fontconfig
 Version:	2.10.95
-Release:	7%{?dist}
+Release:	10%{?dist}
 # src/ftglue.[ch] is in Public Domain
 # src/fccache.c contains Public Domain code
 # fc-case/CaseFolding.txt is in the UCD
@@ -22,6 +22,9 @@ Patch2:		fontconfig-fix-memleak.patch
 Patch3:		fontconfig-copy-all-value.patch
 Patch4:		fontconfig-fix-crash-on-fcfontsort.patch
 Patch5:		fontconfig-fix-race-condition.patch
+Patch6:		fontconfig-update-45-latin.patch
+Patch7:		fontconfig-validate-offset-in-cache.patch
+Patch8:		fontconfig-offset-in-elts.patch
 
 BuildRequires:	expat-devel
 BuildRequires:	freetype-devel >= %{freetype_version}
@@ -68,6 +71,9 @@ which is useful for developing applications that uses fontconfig.
 %patch3 -p1 -b .copy-all
 %patch4 -p1 -b .fix-crash
 %patch5 -p1 -b .fix-race
+%patch6 -p1 -b .update-45-latin
+%patch7 -p1 -b .validate-offset
+%patch8 -p1 -b .offset-elts
 cp %{SOURCE2} doc/
 
 %build
@@ -145,6 +151,15 @@ fi
 %doc fontconfig-devel.txt fontconfig-devel
 
 %changelog
+* Fri Sep 23 2016 Akira TAGOH <tagoh@redhat.com> - 2.10.95-10
+- Fix a regression in the previous change. (#1355930)
+
+* Fri Aug  5 2016 Akira TAGOH <tagoh@redhat.com> - 2.10.95-9
+- CVE-2016-5384: Validate offsets in cache files properly. (#1355930)
+
+* Fri Jun 10 2016 Akira TAGOH <tagoh@redhat.com> - 2.10.95-8
+- Update 45-latin.conf to add some hints to fall back for Windows fonts (#1073460)
+
 * Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 2.10.95-7
 - Mass rebuild 2014-01-24