From b88b453d5ecd7fd97b94248b7b7fca9a76ddffb4 Mon Sep 17 00:00:00 2001
From: Marek Kasik
Date: Apr 24 2020 09:28:43 +0000
Subject: cff: Allow empty array of operands for certain operators
Resolves: #1817958
---
diff --git a/0001-cff-Allow-empty-array-of-operands-for-certain-operat.patch b/0001-cff-Allow-empty-array-of-operands-for-certain-operat.patch
new file mode 100644
index 0000000..ac9784b
--- /dev/null
+++ b/0001-cff-Allow-empty-array-of-operands-for-certain-operat.patch
@@ -0,0 +1,116 @@
+From ef959bc76e65ea0b0d4ba3ee50dfbce31c3484ad Mon Sep 17 00:00:00 2001
+From: Marek Kasik
+Date: Fri, 27 Mar 2020 19:39:46 +0100
+Subject: [PATCH] cff: Allow empty array of operands for certain operators
+
+Operators BlueValues, OtherBlues, FamilyBlues, FamilyOtherBlues,
+StemSnapH and StemSnapV have operands of type delta which can be
+a number or an array of delta-encoded numbers. This array can be
+empty according to freetype developers.
+This commit checks whether current operator is among those listed
+and permits empty operand in such case.
+---
+ src/cairo-cff-subset.c | 78 ++++++++++++++++++++++++++----------------
+ 1 file changed, 49 insertions(+), 29 deletions(-)
+
+diff --git a/src/cairo-cff-subset.c b/src/cairo-cff-subset.c
+index 37727eddb..fce4195e9 100644
+--- a/src/cairo-cff-subset.c
++++ b/src/cairo-cff-subset.c
+@@ -56,30 +56,36 @@
+
+ /* CFF Dict Operators. If the high byte is 0 the command is encoded
+ * with a single byte. */
+-#define BASEFONTNAME_OP 0x0c16
+-#define CIDCOUNT_OP 0x0c22
+-#define CHARSET_OP 0x000f
+-#define CHARSTRINGS_OP 0x0011
+-#define COPYRIGHT_OP 0x0c00
+-#define DEFAULTWIDTH_OP 0x0014
+-#define ENCODING_OP 0x0010
+-#define FAMILYNAME_OP 0x0003
+-#define FDARRAY_OP 0x0c24
+-#define FDSELECT_OP 0x0c25
+-#define FONTBBOX_OP 0x0005
+-#define FONTMATRIX_OP 0x0c07
+-#define FONTNAME_OP 0x0c26
+-#define FULLNAME_OP 0x0002
+-#define LOCAL_SUB_OP 0x0013
+-#define NOMINALWIDTH_OP 0x0015
+-#define NOTICE_OP 0x0001
+-#define POSTSCRIPT_OP 0x0c15
+-#define PRIVATE_OP 0x0012
+-#define ROS_OP 0x0c1e
+-#define UNIQUEID_OP 0x000d
+-#define VERSION_OP 0x0000
+-#define WEIGHT_OP 0x0004
+-#define XUID_OP 0x000e
++#define BASEFONTNAME_OP 0x0c16
++#define CIDCOUNT_OP 0x0c22
++#define CHARSET_OP 0x000f
++#define CHARSTRINGS_OP 0x0011
++#define COPYRIGHT_OP 0x0c00
++#define DEFAULTWIDTH_OP 0x0014
++#define ENCODING_OP 0x0010
++#define FAMILYNAME_OP 0x0003
++#define FDARRAY_OP 0x0c24
++#define FDSELECT_OP 0x0c25
++#define FONTBBOX_OP 0x0005
++#define FONTMATRIX_OP 0x0c07
++#define FONTNAME_OP 0x0c26
++#define FULLNAME_OP 0x0002
++#define LOCAL_SUB_OP 0x0013
++#define NOMINALWIDTH_OP 0x0015
++#define NOTICE_OP 0x0001
++#define POSTSCRIPT_OP 0x0c15
++#define PRIVATE_OP 0x0012
++#define ROS_OP 0x0c1e
++#define UNIQUEID_OP 0x000d
++#define VERSION_OP 0x0000
++#define WEIGHT_OP 0x0004
++#define XUID_OP 0x000e
++#define BLUEVALUES_OP 0x0006
++#define OTHERBLUES_OP 0x0007
++#define FAMILYBLUES_OP 0x0008
++#define FAMILYOTHERBLUES_OP 0x0009
++#define STEMSNAPH_OP 0x0c0c
++#define STEMSNAPV_OP 0x0c0d
+
+ #define NUM_STD_STRINGS 391
+
+@@ -615,13 +621,27 @@ cff_dict_create_operator (int operator,
+ return _cairo_error (CAIRO_STATUS_NO_MEMORY);
+
+ _cairo_dict_init_key (op, operator);
+- op->operand = _cairo_malloc (size);
+- if (unlikely (op->operand == NULL)) {
+- free (op);
+- return _cairo_error (CAIRO_STATUS_NO_MEMORY);
++ if (size != 0) {
++ op->operand = _cairo_malloc (size);
++ if (unlikely (op->operand == NULL)) {
++ free (op);
++ return _cairo_error (CAIRO_STATUS_NO_MEMORY);
++ }
++ memcpy (op->operand, operand, size);
++ } else {
++ op->operand = NULL;
++ /* Delta-encoded arrays can be empty. */
++ if (operator != BLUEVALUES_OP &&
++ operator != OTHERBLUES_OP &&
++ operator != FAMILYBLUES_OP &&
++ operator != FAMILYOTHERBLUES_OP &&
++ operator != STEMSNAPH_OP &&
++ operator != STEMSNAPV_OP) {
++ free (op);
++ return _cairo_error (CAIRO_STATUS_NO_MEMORY);
++ }
+ }
+
+- memcpy (op->operand, operand, size);
+ op->operand_length = size;
+ op->operand_offset = -1;
+
+-- 
+2.26.0
+
diff --git a/cairo.spec b/cairo.spec
index 7bf624b..705f2a2 100644
--- a/cairo.spec
+++ b/cairo.spec
@@ -11,7 +11,7 @@ Name: cairo Version: 1.16.0 -Release: 6%{?dist} +Release: 7%{?dist} Summary: A 2D graphics library License: LGPLv2 or MPLv1.1
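Review bot: The `size == 0` branch in the embedded cairo-cff-subset.c hunk creates a state the removed code never produced, an operator whose `operand` is NULL with `operand_length` 0, and nothing in the hunk documents it. The old path returned an error whenever `op->operand == NULL`, so readers of the dictionary could assume a non-NULL pointer. CFF dictionaries are parsed from font files, so any code outside this hunk that decodes `op->operand` or passes it to `memcpy` should presumably test the length first. I would add above `op->operand = NULL;` the comment `/* operand is NULL iff operand_length == 0; readers must check the length before using the pointer. */`. Separately, the rejection path for the other operators returns `CAIRO_STATUS_NO_MEMORY` for what is malformed input rather than an allocation failure, so a distinct status would help if the function's status type allows it; the function starts and ends outside the hunk.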
@@ -29,6 +29,9 @@ Patch5: 0001-ft-Use-FT_Done_MM_Var-instead-of-free-when-available.patch # https://github.com/matthiasclasen/cairo/commit/79ad01724161502e8d9d2bd384ff1f0174e5df6e Patch6: cairo-composite_color_glyphs.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1817958 +Patch7: 0001-cff-Allow-empty-array-of-operands-for-certain-operat.patch + BuildRequires: gcc BuildRequires: pkgconfig BuildRequires: libXrender-devel @@ -179,6 +182,10 @@ find $RPM_BUILD_ROOT -name '*.la' -delete %{_libdir}/cairo/ %changelog +* Fri Apr 24 2020 Marek Kasik - 1.16.0-7 +- Allow empty array of operands for certain operators in CFF fonts +- Resolves: #1817958 + * Wed Jul 24 2019 Fedora Release Engineering - 1.16.0-6 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild