diff --git a/SOURCES/fontconfig-offset-in-elts.patch b/SOURCES/fontconfig-offset-in-elts.patch
new file mode 100644
index 0000000..48f7c27
--- /dev/null
+++ b/SOURCES/fontconfig-offset-in-elts.patch
@@ -0,0 +1,35 @@
+diff --git a/src/fccache.c b/src/fccache.c
+index 02ec301..6f3c68a 100644
+--- a/src/fccache.c
++++ b/src/fccache.c
+@@ -640,6 +640,7 @@ FcCacheOffsetsValid (FcCache *cache)
+ FcPattern *font = FcFontSetFont (fs, i);
+ FcPatternElt *e;
+ FcValueListPtr l;
++ char *last_offset;
+
+ if ((char *) font < base ||
+ (char *) font > end - sizeof (FcFontSet) ||
+@@ -653,11 +654,17 @@ FcCacheOffsetsValid (FcCache *cache)
+ if (e->values != 0 && !FcIsEncodedOffset(e->values))
+ return FcFalse;
+
+- for (j = font->num, l = FcPatternEltValues(e); j >= 0 && l; j--, l = FcValueListNext(l))
+- if (l->next != NULL && !FcIsEncodedOffset(l->next))
+- break;
+- if (j < 0)
+- return FcFalse;
++ for (j = 0; j < font->num; j++)
++ {
++ last_offset = (char *) font + font->elts_offset;
++ for (l = FcPatternEltValues(&e[j]); l; l = FcValueListNext(l))
++ {
++ if ((char *) l < last_offset || (char *) l > end - sizeof (*l) ||
++ (l->next != NULL && !FcIsEncodedOffset(l->next)))
++ return FcFalse;
++ last_offset = (char *) l + 1;
++ }
++ }
+ }
+ }
+
diff --git a/SOURCES/fontconfig-update-45-latin.patch b/SOURCES/fontconfig-update-45-latin.patch
new file mode 100644
index 0000000..53b6613
--- /dev/null
+++ b/SOURCES/fontconfig-update-45-latin.patch
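Review bot: In fontconfig-offset-in-elts.patch, the `e->values` test kept as context above the new loop still looks only at the first element, and it reads `e->values` even when `font->num` is 0. The bounds test from fontconfig-validate-offset-in-cache.patch accepts `font->elts_offset == end - (char *) font` when `num` is 0, so that read can apparently land at or past `end`. Moving the test into the new loop as `if (e[j].values != 0 && !FcIsEncodedOffset(e[j].values)) return FcFalse;` would cover every element and never touch `e` for an empty pattern. A short comment on `last_offset = (char *) l + 1;` should say that requiring each node to sit above the previous one is what rules out cycles in the value list. FcCacheOffsetsValid begins and ends outside this hunk.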
@@ -0,0 +1,293 @@
+diff --git a/conf.d/45-latin.conf b/conf.d/45-latin.conf
+index aa62ed4..5228945 100644
+--- a/conf.d/45-latin.conf
++++ b/conf.d/45-latin.conf
+@@ -14,23 +14,31 @@
+ <default><family>serif</family></default>
+ </alias>
+ <alias>
++ <family>Cambria</family>
++ <default><family>serif</family></default>
++ </alias>
++ <alias>
++ <family>Constantia</family>
++ <default><family>serif</family></default>
++ </alias>
++ <alias>
+ <family>DejaVu Serif</family>
+ <default><family>serif</family></default>
+ </alias>
+ <alias>
+- <family>Liberation Serif</family>
++ <family>Elephant</family>
+ <default><family>serif</family></default>
+ </alias>
+ <alias>
+- <family>Times New Roman</family>
++ <family>Garamond</family>
+ <default><family>serif</family></default>
+ </alias>
+ <alias>
+- <family>Times</family>
++ <family>Georgia</family>
+ <default><family>serif</family></default>
+ </alias>
+ <alias>
+- <family>Nimbus Roman No9 L</family>
++ <family>Liberation Serif</family>
+ <default><family>serif</family></default>
+ </alias>
+ <alias>
+@@ -38,42 +46,50 @@
+ <default><family>serif</family></default>
+ </alias>
+ <alias>
+- <family>Thorndale AMT</family>
++ <family>MS Serif</family>
+ <default><family>serif</family></default>
+ </alias>
+ <alias>
+- <family>Thorndale</family>
++ <family>Nimbus Roman No9 L</family>
+ <default><family>serif</family></default>
+ </alias>
+ <alias>
+- <family>Georgia</family>
++ <family>Nimbus Roman</family>
+ <default><family>serif</family></default>
+ </alias>
+ <alias>
+- <family>Garamond</family>
++ <family>Palatino Linotype</family>
+ <default><family>serif</family></default>
+ </alias>
+ <alias>
+- <family>Palatino Linotype</family>
++ <family>Thorndale AMT</family>
+ <default><family>serif</family></default>
+ </alias>
+ <alias>
+- <family>Trebuchet MS</family>
++ <family>Thorndale</family>
++ <default><family>serif</family></default>
++ </alias>
++ <alias>
++ <family>Times New Roman</family>
++ <default><family>serif</family></default>
++ </alias>
++ <alias>
++ <family>Times</family>
+ <default><family>serif</family></default>
+ </alias>
+ <!--
+ Sans-serif faces
+ -->
+ <alias>
+- <family>Bitstream Vera Sans</family>
++ <family>Albany AMT</family>
+ <default><family>sans-serif</family></default>
+ </alias>
+ <alias>
+- <family>DejaVu Sans</family>
++ <family>Albany</family>
+ <default><family>sans-serif</family></default>
+ </alias>
+ <alias>
+- <family>Liberation Sans</family>
++ <family>Arial Unicode MS</family>
+ <default><family>sans-serif</family></default>
+ </alias>
+ <alias>
+@@ -81,19 +97,47 @@
+ <default><family>sans-serif</family></default>
+ </alias>
+ <alias>
++ <family>Bitstream Vera Sans</family>
++ <default><family>sans-serif</family></default>
++ </alias>
++ <alias>
++ <family>Britannic</family>
++ <default><family>sans-serif</family></default>
++ </alias>
++ <alias>
++ <family>Calibri</family>
++ <default><family>sans-serif</family></default>
++ </alias>
++ <alias>
++ <family>Candara</family>
++ <default><family>sans-serif</family></default>
++ </alias>
++ <alias>
++ <family>Century Gothic</family>
++ <default><family>sans-serif</family></default>
++ </alias>
++ <alias>
++ <family>Corbel</family>
++ <default><family>sans-serif</family></default>
++ </alias>
++ <alias>
++ <family>DejaVu Sans</family>
++ <default><family>sans-serif</family></default>
++ </alias>
++ <alias>
+ <family>Helvetica</family>
+ <default><family>sans-serif</family></default>
+ </alias>
+ <alias>
+- <family>Verdana</family>
++ <family>Haettenschweiler</family>
+ <default><family>sans-serif</family></default>
+ </alias>
+ <alias>
+- <family>Albany AMT</family>
++ <family>Liberation Sans</family>
+ <default><family>sans-serif</family></default>
+ </alias>
+ <alias>
+- <family>Albany</family>
++ <family>MS Sans Serif</family>
+ <default><family>sans-serif</family></default>
+ </alias>
+ <alias>
+@@ -101,88 +145,124 @@
+ <default><family>sans-serif</family></default>
+ </alias>
+ <alias>
++ <family>Nimbus Sans</family>
++ <default><family>sans-serif</family></default>
++ </alias>
++ <alias>
+ <family>Luxi Sans</family>
+ <default><family>sans-serif</family></default>
+ </alias>
++ <alias>
++ <family>Tahoma</family>
++ <default><family>sans-serif</family></default>
++ </alias>
++ <alias>
++ <family>Trebuchet MS</family>
++ <default><family>sans-serif</family></default>
++ </alias>
++ <alias>
++ <family>Twentieth Century</family>
++ <default><family>sans-serif</family></default>
++ </alias>
++ <alias>
++ <family>Verdana</family>
++ <default><family>sans-serif</family></default>
++ </alias>
+ <!--
+ Monospace faces
+ -->
++ <alias>
++ <family>Andale Mono</family>
++ <default><family>monospace</family></default>
++ </alias>
+ <alias>
+ <family>Bitstream Vera Sans Mono</family>
+ <default><family>monospace</family></default>
+ </alias>
+ <alias>
+- <family>DejaVu Sans Mono</family>
++ <family>Consolas</family>
+ <default><family>monospace</family></default>
+ </alias>
+ <alias>
+- <family>Liberation Mono</family>
++ <family>Courier New</family>
+ <default><family>monospace</family></default>
+ </alias>
+ <alias>
+- <family>Inconsolata</family>
++ <family>Courier</family>
+ <default><family>monospace</family></default>
+ </alias>
+ <alias>
+- <family>Courier New</family>
++ <family>Cumberland AMT</family>
+ <default><family>monospace</family></default>
+ </alias>
+ <alias>
+- <family>Courier</family>
++ <family>Cumberland</family>
+ <default><family>monospace</family></default>
+ </alias>
+ <alias>
+- <family>Andale Mono</family>
++ <family>DejaVu Sans Mono</family>
+ <default><family>monospace</family></default>
+ </alias>
+ <alias>
+- <family>Luxi Mono</family>
++ <family>Fixedsys</family>
+ <default><family>monospace</family></default>
+ </alias>
+ <alias>
+- <family>Cumberland AMT</family>
++ <family>Inconsolata</family>
+ <default><family>monospace</family></default>
+ </alias>
+ <alias>
+- <family>Cumberland</family>
++ <family>Liberation Mono</family>
++ <default><family>monospace</family></default>
++ </alias>
++ <alias>
++ <family>Luxi Mono</family>
+ <default><family>monospace</family></default>
+ </alias>
+ <alias>
+ <family>Nimbus Mono L</family>
+ <default><family>monospace</family></default>
+ </alias>
++ <alias>
++ <family>Nimbus Mono</family>
++ <default><family>monospace</family></default>
++ </alias>
++ <alias>
++ <family>Terminal</family>
++ <default><family>monospace</family></default>
++ </alias>
+ <!--
+ Fantasy faces
+ -->
+- <alias>
+- <family>Impact</family>
++ <alias>
++ <family>Bauhaus Std</family>
+ <default><family>fantasy</family></default>
+ </alias>
+ <alias>
+- <family>Copperplate Gothic Std</family>
++ <family>Cooper Std</family>
+ <default><family>fantasy</family></default>
+ </alias>
+ <alias>
+- <family>Cooper Std</family>
++ <family>Copperplate Gothic Std</family>
+ <default><family>fantasy</family></default>
+ </alias>
+ <alias>
+- <family>Bauhaus Std</family>
++ <family>Impact</family>
+ <default><family>fantasy</family></default>
+ </alias>
+ <!--
+ Cursive faces
+ -->
+ <alias>
+- <family>ITC Zapf Chancery Std</family>
++ <family>Comic Sans MS</family>
+ <default><family>cursive</family></default>
+ </alias>
+ <alias>
+- <family>Zapfino</family>
++ <family>ITC Zapf Chancery Std</family>
+ <default><family>cursive</family></default>
+ </alias>
+ <alias>
+- <family>Comic Sans MS</family>
++ <family>Zapfino</family>
+ <default><family>cursive</family></default>
+ </alias>
+
diff --git a/SOURCES/fontconfig-validate-offset-in-cache.patch b/SOURCES/fontconfig-validate-offset-in-cache.patch
new file mode 100644
index 0000000..9009ffd
--- /dev/null
+++ b/SOURCES/fontconfig-validate-offset-in-cache.patch
@@ -0,0 +1,112 @@
+diff -pruN fontconfig-2.10.95.orig/src/fccache.c fontconfig-2.10.95/src/fccache.c
+--- fontconfig-2.10.95.orig/src/fccache.c 2013-08-26 11:49:32.000000000 +0900
++++ fontconfig-2.10.95/src/fccache.c 2016-08-05 18:01:48.040872110 +0900
+@@ -30,6 +30,7 @@
+ #include <fcntl.h>
+ #include <dirent.h>
+ #include <string.h>
++#include <limits.h>
+ #include <sys/types.h>
+ #include <assert.h>
+ #if defined(HAVE_MMAP) || defined(__CYGWIN__)
+@@ -547,6 +548,82 @@ FcCacheTimeValid (FcCache *cache, struct
+ return cache->checksum == (int) dir_stat->st_mtime;
+ }
+
++static FcBool
++FcCacheOffsetsValid (FcCache *cache)
++{
++ char *base = (char *)cache;
++ char *end = base + cache->size;
++ intptr_t *dirs;
++ FcFontSet *fs;
++ int i, j;
++
++ if (cache->dir < 0 || cache->dir > cache->size - sizeof (intptr_t) ||
++ memchr (base + cache->dir, '\0', cache->size - cache->dir) == NULL)
++ return FcFalse;
++
++ if (cache->dirs < 0 || cache->dirs >= cache->size ||
++ cache->dirs_count < 0 ||
++ cache->dirs_count > (cache->size - cache->dirs) / sizeof (intptr_t))
++ return FcFalse;
++
++ dirs = FcCacheDirs (cache);
++ if (dirs)
++ {
++ for (i = 0; i < cache->dirs_count; i++)
++ {
++ FcChar8 *dir;
++
++ if (dirs[i] < 0 ||
++ dirs[i] > end - (char *) dirs - sizeof (intptr_t))
++ return FcFalse;
++
++ dir = FcOffsetToPtr (dirs, dirs[i], FcChar8);
++ if (memchr (dir, '\0', end - (char *) dir) == NULL)
++ return FcFalse;
++ }
++ }
++
++ if (cache->set < 0 || cache->set > cache->size - sizeof (FcFontSet))
++ return FcFalse;
++
++ fs = FcCacheSet (cache);
++ if (fs)
++ {
++ if (fs->nfont > (end - (char *) fs) / sizeof (FcPattern))
++ return FcFalse;
++
++ if (fs->fonts != 0 && !FcIsEncodedOffset(fs->fonts))
++ return FcFalse;
++
++ for (i = 0; i < fs->nfont; i++)
++ {
++ FcPattern *font = FcFontSetFont (fs, i);
++ FcPatternElt *e;
++ FcValueListPtr l;
++
++ if ((char *) font < base ||
++ (char *) font > end - sizeof (FcFontSet) ||
++ font->elts_offset < 0 ||
++ font->elts_offset > end - (char *) font ||
++ font->num > (end - (char *) font - font->elts_offset) / sizeof (FcPatternElt))
++ return FcFalse;
++
++
++ e = FcPatternElts(font);
++ if (e->values != 0 && !FcIsEncodedOffset(e->values))
++ return FcFalse;
++
++ for (j = font->num, l = FcPatternEltValues(e); j >= 0 && l; j--, l = FcValueListNext(l))
++ if (l->next != NULL && !FcIsEncodedOffset(l->next))
++ break;
++ if (j < 0)
++ return FcFalse;
++ }
++ }
++
++ return FcTrue;
++}
++
+ /*
+ * Map a cache file into memory
+ */
+@@ -556,7 +633,8 @@ FcDirCacheMapFd (int fd, struct stat *fd
+ FcCache *cache;
+ FcBool allocated = FcFalse;
+
+- if (fd_stat->st_size < (int) sizeof (FcCache))
++ if (fd_stat->st_size > INTPTR_MAX ||
++ fd_stat->st_size < (int) sizeof (FcCache))
+ return NULL;
+ cache = FcCacheFindByStat (fd_stat);
+ if (cache)
+@@ -612,6 +690,7 @@ FcDirCacheMapFd (int fd, struct stat *fd
+ if (cache->magic != FC_CACHE_MAGIC_MMAP ||
+ cache->version < FC_CACHE_CONTENT_VERSION ||
+ cache->size != (intptr_t) fd_stat->st_size ||
++ !FcCacheOffsetsValid (cache) ||
+ !FcCacheTimeValid (cache, dir_stat) ||
+ !FcCacheInsert (cache, fd_stat))
+ {
diff --git a/SPECS/fontconfig.spec b/SPECS/fontconfig.spec
index 878e553..de7aff2 100644
--- a/SPECS/fontconfig.spec
+++ b/SPECS/fontconfig.spec
@@ -3,7 +3,7 @@ Summary: Font configuration and customization library Name: fontconfig Version: 2.10.95 -Release: 7%{?dist} +Release: 10%{?dist} # src/ftglue.[ch] is in Public Domain # src/fccache.c contains Public Domain code # fc-case/CaseFolding.txt is in the UCD
@@ -22,6 +22,9 @@ Patch2: fontconfig-fix-memleak.patch Patch3: fontconfig-copy-all-value.patch Patch4: fontconfig-fix-crash-on-fcfontsort.patch Patch5: fontconfig-fix-race-condition.patch +Patch6: fontconfig-update-45-latin.patch +Patch7: fontconfig-validate-offset-in-cache.patch +Patch8: fontconfig-offset-in-elts.patch BuildRequires: expat-devel BuildRequires: freetype-devel >= %{freetype_version}
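Review bot: In fontconfig-validate-offset-in-cache.patch, FcCacheOffsetsValid bounds each pattern with `(char *) font > end - sizeof (FcFontSet)`, but the object at `font` is an FcPattern, so the line should read `(char *) font > end - sizeof (FcPattern) ||`. As written, the following reads of `font->elts_offset` and `font->num` are covered only if FcFontSet happens to be at least as large as FcPattern. The font-pointer array is also not range-checked: `fs->fonts` is only tested with FcIsEncodedOffset before `FcFontSetFont (fs, i)` is used. Assuming that macro indexes an array at that offset, the array start and its `nfont` entries should first be confirmed to lie between `base` and `end`. `fs->nfont` and `font->num` have no explicit `< 0` test like the one on `cache->dirs_count` and rely on the unsigned comparison to reject negative values, which deserves either the explicit test or a comment.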
@@ -68,6 +71,9 @@ which is useful for developing applications that uses fontconfig. %patch3 -p1 -b .copy-all %patch4 -p1 -b .fix-crash %patch5 -p1 -b .fix-race +%patch6 -p1 -b .update-45-latin +%patch7 -p1 -b .validate-offset +%patch8 -p1 -b .offset-elts cp %{SOURCE2} doc/ %build @@ -145,6 +151,15 @@ fi %doc fontconfig-devel.txt fontconfig-devel %changelog +* Fri Sep 23 2016 Akira TAGOH <tagoh@redhat.com> - 2.10.95-10 +- Fix a regression in the previous change. (#1355930) + +* Fri Aug 5 2016 Akira TAGOH <tagoh@redhat.com> - 2.10.95-9 +- CVE-2016-5384: Validate offsets in cache files properly. (#1355930) + +* Fri Jun 10 2016 Akira TAGOH <tagoh@redhat.com> - 2.10.95-8 +- Update 45-latin.conf to add some hints to fall back for Windows fonts (#1073460) + * Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 2.10.95-7 - Mass rebuild 2014-01-24