From c50f0e47e14d2dec088ce4b9bed6228232607869 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= <vcunat@gmail.com>
Date: Mon, 9 Jun 2014 19:47:31 +0200
Subject: [PATCH] freetype: major update, including some CVE security

- There's no fontconfig update yet, as I have not managed to debug it.
- Infinality patches are now taken from a different (maintained) source.
---
 .../display-managers/slim/default.nix         |  2 +
 .../libraries/fontconfig/default.nix          | 20 ++++--
 .../libraries/freetype/default.nix            | 67 +++++++++----------
 pkgs/servers/x11/xorg/overrides.nix           |  8 +++
 4 files changed, 53 insertions(+), 44 deletions(-)

diff --git a/pkgs/applications/display-managers/slim/default.nix b/pkgs/applications/display-managers/slim/default.nix
index 26500939db81..42d2c777aea2 100644
--- a/pkgs/applications/display-managers/slim/default.nix
+++ b/pkgs/applications/display-managers/slim/default.nix
@@ -24,6 +24,8 @@ stdenv.mkDerivation rec {
 
   cmakeFlags = [ "-DUSE_PAM=1" ];
 
+  NIX_CFLAGS_COMPILE = "-I${freetype}/include/freetype";
+
   enableParallelBuilding = true;
 
   buildInputs =
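Review bot: The added `NIX_CFLAGS_COMPILE` line has no comment on why slim needs an extra include path, and the path it names, `${freetype}/include/freetype`, is the one the freetype section of this patch creates as a symlink marked `# compat hack`. If that symlink is later dropped, this build fails with nothing here pointing to the cause. I would add a comment above the line such as `# slim includes FreeType headers by their old path; relies on the include/freetype compat symlink from the freetype package`. The reason slim needs the flag is inferred from the patch, so adjust the wording to the include that actually failed.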
diff --git a/pkgs/development/libraries/fontconfig/default.nix b/pkgs/development/libraries/fontconfig/default.nix
index 89feb3df8d5a..73461b077dea 100644
--- a/pkgs/development/libraries/fontconfig/default.nix
+++ b/pkgs/development/libraries/fontconfig/default.nix
@@ -8,18 +8,22 @@ stdenv.mkDerivation rec {
     sha256 = "0llraqw86jmw4vzv7inskp3xxm2gc64my08iwq5mzncgfdbfza4f";
   };
 
-  infinality_patch = with freetype.infinality; if useInfinality
-    then let subvers = "1";
+  infinality_patch =
+    let subvers = "1";
       in fetchurl {
         url = http://www.infinality.net/fedora/linux/zips/fontconfig-infinality-1-20130104_1.tar.bz2;
         sha256 = "1fm5xx0mx2243jrq5rxk4v0ajw2nawpj23399h710bx6hd1rviq7";
       }
-    else null;
+    ;
 
   propagatedBuildInputs = [ freetype ];
   buildInputs = [ pkgconfig expat ];
 
-  configureFlags = "--sysconfdir=/etc --with-cache-dir=/var/cache/fontconfig --disable-docs --with-default-fonts=";
+  configureFlags = [
+    "--with-cache-dir=/var/cache/fontconfig"
+    "--disable-docs"
+    "--with-default-fonts="
+  ];
 
   # We should find a better way to access the arch reliably.
   crossArch = stdenv.cross.arch or null;
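Review bot: The new `configureFlags` list drops `--sysconfdir=/etc` without a comment, so configure falls back to its default, which is normally a directory under the install prefix. If that holds here, the built library reads its font configuration from the store path rather than from `/etc/fonts`, and system-level font settings stop applying; the commit message does not mention this. If the change is intended, say so above the list, e.g. `# no --sysconfdir: configuration is read from $out/etc/fonts (see postInstall)`; if not, keep `"--sysconfdir=/etc"` as the first list item. Separately, `subvers = "1"` in the `let` above is bound but not used in the visible lines and could be removed.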
@@ -32,10 +36,12 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
-  # Don't try to write to /etc/fonts or /var/cache/fontconfig at install time.
-  installFlags = "sysconfdir=$(out)/etc RUN_FC_CACHE_TEST=false fc_cachedir=$(TMPDIR)/dummy";
+  doCheck = true;
 
-  postInstall = stdenv.lib.optionalString freetype.infinality.useInfinality ''
+  # Don't try to write to /var/cache/fontconfig at install time.
+  installFlags = "fc_cachedir=$(TMPDIR)/dummy";
+
+  postInstall = ''
     cd "$out/etc/fonts" && tar xvf ${infinality_patch}
   '';
 
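Review bot: `postInstall` now unpacks the Infinality fontconfig archive on every build, while the freetype section of this patch applies the matching `infinality-2.5.3.patch` only when `useEncumberedCode` is set. A freetype built with that flag off would then be paired with fontconfig rules that were presumably written for the patched rasterizer. The `freetype.infinality.useInfinality` passthru is removed in this patch, so fontconfig can no longer see the flag; consider re-exporting it from freetype and keeping the `stdenv.lib.optionalString` guard here. The archive is pinned by `sha256`, so its content is fixed, but it is extracted straight into `$out/etc/fonts`, and a comment naming what it is expected to contain would help whoever next bumps the hash.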
diff --git a/pkgs/development/libraries/freetype/default.nix b/pkgs/development/libraries/freetype/default.nix
index 235d7e723746..510e816f88c9 100644
--- a/pkgs/development/libraries/freetype/default.nix
+++ b/pkgs/development/libraries/freetype/default.nix
@@ -1,57 +1,52 @@
-{ stdenv, fetchurl, gnumake
+{ stdenv, fetchurl, fetchpatch, pkgconfig, which, zlib, bzip2, libpng, gnumake
   # FreeType supports sub-pixel rendering.  This is patented by
   # Microsoft, so it is disabled by default.  This option allows it to
   # be enabled.  See http://www.freetype.org/patents.html.
-, useEncumberedCode ? false
-, useInfinality ? true
+, useEncumberedCode ? true
 }:
 
-assert !(useEncumberedCode && useInfinality); # probably wouldn't make sense
-
 let
+  version = "2.5.3";
 
-  version = "2.4.12";
-
+  fetch_bohoomil = name: sha256: fetchpatch {
+    url = https://raw.githubusercontent.com/bohoomil/fontconfig-ultimate/8a155db28f264520596cc3e76eb44824bdb30f8e/01_freetype2-iu/ + name;
+    inherit sha256;
+  };
 in
-
+with { inherit (stdenv.lib) optional optionalString; };
 stdenv.mkDerivation rec {
   name = "freetype-${version}";
 
   src = fetchurl {
     url = "mirror://sourceforge/freetype/${name}.tar.bz2";
-    sha256 = "10akr2c37iv9y7fkgwp2szgwjyl2g6qmk9z1m596iaw9cr41g2m7";
+    sha256 = "0pppcn73b5pwd7zdi9yfx16f5i93y18q7q4jmlkwmwrfsllqp160";
   };
 
-  infinality_patch =
-    if useInfinality then fetchurl {
-      url = http://www.infinality.net/fedora/linux/zips/freetype-infinality-2.4.12-20130514_01-x86_64.tar.bz2;
-      sha256 = "1lg2nzvxmwzwdfhxranw8iyflhr72cw9p11rkpgq1scxbp37668m";
-    } else null;
-
-  configureFlags = "--disable-static";
-
-  NIX_CFLAGS_COMPILE = with stdenv.lib;
-    " -fno-strict-aliasing" # from Gentoo, see https://bugzilla.redhat.com/show_bug.cgi?id=506840
-    + optionalString useEncumberedCode " -DFT_CONFIG_OPTION_SUBPIXEL_RENDERING=1"
-    + optionalString useInfinality " -DTT_CONFIG_OPTION_SUBPIXEL_HINTING=1";
-
   patches = [ ./enable-validation.patch ] # from Gentoo
-    ++ stdenv.lib.optional useInfinality [ infinality_patch ];
+    ++ [
+      (fetch_bohoomil "freetype-2.5.3-pkgconfig.patch" "1dpfdh8kmka3gzv14glz7l79i545zizah6wma937574v5z2iy3nn")
+      (fetch_bohoomil "fix_segfault_with_harfbuzz.diff" "1nx36inqrw717b86cla2miprdb3hii4vndw95k0jbbhfmax9k6fy")
+    ]
+    ++ optional useEncumberedCode
+      (fetch_bohoomil "infinality-2.5.3.patch" "0mxiybcb4wwbicrjiinh1b95rv543bh05sdqk1v0ipr3fxfrb47q")
+    ;
 
+  propagatedBuildInputs = [ zlib bzip2 libpng ]; # needed when linking against freetype
+  # dependence on harfbuzz is looser than the reverse dependence
+  buildInputs = [ pkgconfig which ]
+    # FreeType requires GNU Make, which is not part of stdenv on FreeBSD.
+    ++ optional (!stdenv.isLinux) gnumake;
+
+  # from Gentoo, see https://bugzilla.redhat.com/show_bug.cgi?id=506840
+  NIX_CFLAGS_COMPILE = "-fno-strict-aliasing";
   # The asm for armel is written with the 'asm' keyword.
-  CFLAGS = stdenv.lib.optionalString stdenv.isArm "-std=gnu99";
-
-  # FreeType requires GNU Make, which is not part of stdenv on FreeBSD.
-  buildInputs = stdenv.lib.optional (!stdenv.isLinux) gnumake;
+  CFLAGS = optionalString stdenv.isArm "-std=gnu99";
 
   enableParallelBuilding = true;
 
   doCheck = true;
 
-  postInstall =
-    ''
-      ln -s freetype2/freetype $out/include/freetype
-    '';
+  postInstall = ''ln -s freetype2 "$out"/include/freetype''; # compat hack
 
   crossAttrs = {
     # Somehow it calls the unwrapped gcc, "i686-pc-linux-gnu-gcc", instead
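Review bot: The comment kept above the argument still says sub-pixel rendering is `disabled by default`, but the changed line is now `useEncumberedCode ? true`, so a default build includes the code the comment describes as patented. At minimum the comment has to match the new default, e.g. end it with `# It is enabled by default; set useEncumberedCode = false to build without it.` The flag's meaning also changed: the `-DFT_CONFIG_OPTION_SUBPIXEL_RENDERING=1` define is removed and the flag now only selects `infinality-2.5.3.patch`, which is worth stating in the same comment. The derivation body continues past the end of this hunk.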
@@ -60,13 +55,11 @@ stdenv.mkDerivation rec {
     configureFlags = "--disable-static CC_BUILD=gcc";
   };
 
-  passthru.infinality.useInfinality = useInfinality; # for fontconfig
-
-  meta = {
+  meta = with stdenv.lib; {
     description = "A font rendering engine";
     homepage = http://www.freetype.org/;
-    license = if useEncumberedCode then "unfree"
-      else "GPLv2+"; # or the FreeType License (BSD + advertising clause)
-    platforms = stdenv.lib.platforms.all;
+    license = licenses.gpl2Plus; # or the FreeType License (BSD + advertising clause)
+    #ToDo: encumbered = useEncumberedCode;
+    platforms = platforms.all;
   };
 }
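Review bot: `license` is now always `licenses.gpl2Plus`, where the removed code reported `"unfree"` when `useEncumberedCode` was set, and the only replacement is the commented-out `#ToDo: encumbered = useEncumberedCode;`. Together with the new default of `true` in the first hunk of this file, a default build carries the encumbered patch while its metadata says nothing about it, so anyone filtering packages on license gets no signal. Until an `encumbered` attribute exists, I would keep the condition, e.g. `license = if useEncumberedCode then licenses.unfree else licenses.gpl2Plus;` (assuming `licenses.unfree` is defined in this tree's lib).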
diff --git a/pkgs/servers/x11/xorg/overrides.nix b/pkgs/servers/x11/xorg/overrides.nix
index bb97eadef462..e5aad4aea406 100644
--- a/pkgs/servers/x11/xorg/overrides.nix
+++ b/pkgs/servers/x11/xorg/overrides.nix
@@ -73,6 +73,10 @@ in
       '';
   };
 
+  libXfont = attrs: attrs // {
+    propagatedBuildInputs = [ args.freetype ]; # propagate link reqs. like bzip2
+  };
+
   libXxf86vm = attrs: attrs // {
     preConfigure = setMalloc0ReturnsNullCrossCompiling;
   };
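Review bot: The new `libXfont` override assigns `propagatedBuildInputs = [ args.freetype ]` through `attrs // { … }`, which replaces any list the generated `libXfont` expression already sets instead of extending it. Whether that expression has propagated inputs is not visible in this hunk; if it does, they are silently dropped. Appending is safe either way: `propagatedBuildInputs = (attrs.propagatedBuildInputs or []) ++ [ args.freetype ];`.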
@@ -111,6 +115,10 @@ in
   libXft = attrs: attrs // {
     propagatedBuildInputs = [ xorg.libXrender args.freetype args.fontconfig ];
     preConfigure = setMalloc0ReturnsNullCrossCompiling;
+    # the include files need ft2build.h, and Requires.private isn't enough for us
+    postInstall = ''
+      sed "/^Requires:/s/$/, freetype2/" -i "$out/lib/pkgconfig/xft.pc"
+    '';
   };
 
   libXext = attrs: attrs // {
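Review bot: The `sed` in the new `postInstall` for `libXft` changes `xft.pc` only if a line starting with `Requires:` exists, and it exits successfully without editing anything when there is none. A later libXft release that reshapes the `.pc` file would then quietly lose the `freetype2` requirement, and the failure would show up only in dependent builds. Follow the `sed` with a check that fails this build instead, e.g. `grep -q '^Requires:.*freetype2' "$out/lib/pkgconfig/xft.pc"`.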