diff -Nru cairo-1.12.2/debian/changelog cairo-1.12.2/debian/changelog
--- cairo-1.12.2/debian/changelog	2012-09-28 19:20:45.000000000 +0000
+++ cairo-1.12.2/debian/changelog	2012-11-10 14:21:31.000000000 +0000
@@ -1,3 +1,17 @@
+cairo (1.12.2-1ubuntu2.2) quantal-proposed; urgency=low
+
+  * debian/patches/git-crash_in_tor-fudge_the_edge.patch: Fix crashes when
+    loading some svg or pdf files (LP: #1074667).
+
+ -- Matthieu Baerts (matttbe) <matttbe@ubuntu.com>  Sat, 10 Nov 2012 15:21:25 +0100
+
+cairo (1.12.2-1ubuntu2.1) quantal-proposed; urgency=low
+
+  * debian/patches/font-handling-fixes.patch: Fix several font handling bugs
+    in the PDF generator (LP: #1063618).
+
+ -- Till Kamppeter <till.kamppeter@gmail.com>  Wed, 17 Oct 2012 14:11:27 +0200
+
 cairo (1.12.2-1ubuntu2) quantal; urgency=low
 
   * Cherry-pick fixes from upstream (LP: #1030357)
diff -Nru cairo-1.12.2/debian/patches/font-handling-fixes.patch cairo-1.12.2/debian/patches/font-handling-fixes.patch
--- cairo-1.12.2/debian/patches/font-handling-fixes.patch	1970-01-01 00:00:00.000000000 +0000
+++ cairo-1.12.2/debian/patches/font-handling-fixes.patch	2012-11-10 14:04:25.000000000 +0000
@@ -0,0 +1,93 @@
+--- a/src/cairo-type1-subset.c
++++ b/src/cairo-type1-subset.c
+@@ -114,6 +114,8 @@
+ 
+     const char *rd, *nd, *np;
+ 
++    int lenIV;
++
+     char *type1_data;
+     unsigned int type1_length;
+     char *type1_end;
+@@ -754,7 +756,7 @@
+ 						charstring);
+     end = charstring + encrypted_charstring_length;
+ 
+-    p = charstring + 4;
++    p = charstring + font->lenIV;
+ 
+     last_op_was_integer = FALSE;
+ 
+@@ -778,6 +780,7 @@
+ 		    font->build_stack.top_value < font->num_subrs)
+ 		{
+ 		    subr_num = font->build_stack.top_value;
++		    font->build_stack.sp--;
+ 		    font->subrs[subr_num].used = TRUE;
+ 		    last_op_was_integer = FALSE;
+ 		    status = cairo_type1_font_subset_parse_charstring (font,
+@@ -1137,9 +1140,9 @@
+ {
+     cairo_status_t status;
+     const char *p, *subrs, *charstrings, *array_start, *array_end, *dict_start, *dict_end;
+-    const char *closefile_token;
+-    char buffer[32], *subr_count_end, *glyph_count_end;
+-    int length;
++    const char *lenIV_start, *lenIV_end, *closefile_token;
++    char buffer[32], *lenIV_str, *subr_count_end, *glyph_count_end;
++    int ret, lenIV, length;
+     const cairo_scaled_font_backend_t *backend;
+     unsigned int i;
+     int glyph, j;
+@@ -1161,6 +1164,38 @@
+      * subroutines and charstrings not required.
+      */
+ 
++    /* Determine lenIV, the number of random characters at the start of
++       each encrypted charstring. The defaults is 4, but this can be
++       overridden in the private dict. */
++    font->lenIV = 4;
++    if ((lenIV_start = find_token (font->cleartext, font->cleartext_end, "/lenIV")) != NULL) {
++        lenIV_start += 6;
++        lenIV_end = find_token (lenIV_start, font->cleartext_end, "def");
++        if (lenIV_end == NULL)
++	    return CAIRO_INT_STATUS_UNSUPPORTED;
++
++        lenIV_str = malloc (lenIV_end - lenIV_start + 1);
++        if (unlikely (lenIV_str == NULL))
++	    return _cairo_error (CAIRO_STATUS_NO_MEMORY);
++
++        strncpy (lenIV_str, lenIV_start, lenIV_end - lenIV_start);
++        lenIV_str[lenIV_end - lenIV_start] = 0;
++
++        ret = sscanf(lenIV_str, "%d", &lenIV);
++        free(lenIV_str);
++
++        if (unlikely (ret <= 0))
++	    return CAIRO_INT_STATUS_UNSUPPORTED;
++
++        /* Apparently some fonts signal unencrypted charstrings with a negative lenIV,
++           though this is not part of the Type 1 Font Format specification.  See, e.g.
++           http://lists.gnu.org/archive/html/freetype-devel/2000-06/msg00064.html. */
++        if (unlikely (lenIV < 0))
++	    return CAIRO_INT_STATUS_UNSUPPORTED;
++
++        font->lenIV = lenIV;
++    }
++
+     /* Find start of Subrs */
+     subrs = find_token (font->cleartext, font->cleartext_end, "/Subrs");
+     if (subrs == NULL) {
+@@ -1274,6 +1309,12 @@
+ 	    return status;
+     }
+ 
++    /* Always include the first four subroutines in case the Flex/hint mechanism is
++     * being used. */
++    for (j = 0; j < MIN(font->num_subrs, 4); j++) {
++	font->subrs[j].used = TRUE;
++    }
++
+     closefile_token = find_token (dict_end, font->cleartext_end, "closefile");
+     if (closefile_token == NULL)
+ 	return CAIRO_INT_STATUS_UNSUPPORTED;
diff -Nru cairo-1.12.2/debian/patches/git-crash_in_tor-fudge_the_edge.patch cairo-1.12.2/debian/patches/git-crash_in_tor-fudge_the_edge.patch
--- cairo-1.12.2/debian/patches/git-crash_in_tor-fudge_the_edge.patch	1970-01-01 00:00:00.000000000 +0000
+++ cairo-1.12.2/debian/patches/git-crash_in_tor-fudge_the_edge.patch	2012-11-10 14:18:02.000000000 +0000
@@ -0,0 +1,41 @@
+From 797441093a8346003552e0cf89aef2a644ff53ab Mon Sep 17 00:00:00 2001
+From: Chris Wilson <chris@chris-wilson.co.uk>
+Date: Thu, 27 Sep 2012 14:21:42 +0000
+Subject: tor: Fudge the edge if it is projected into a point
+Bug: https://bugs.freedesktop.org/show_bug.cgi?id=54822
+Bug-Ubuntu: https://bugs.launchpad.net/rhythmbox/+bug/1074667
+
+If we generate an edge (through polygon-intersect) where its end-points
+lie outside the line definition then it is possible for that line to be
+degenerate under sample grid projection. Apply a fudge factor to prevent
+explosions as otherwise we reject an edge whose height is not strictly 0
+
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=54822
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+---
+Index: cairo/src/cairo-tor-scan-converter.c
+===================================================================
+--- cairo.orig/src/cairo-tor-scan-converter.c	2012-11-03 13:15:13.435503000 +0100
++++ cairo/src/cairo-tor-scan-converter.c	2012-11-10 15:14:49.989027435 +0100
+@@ -1504,7 +1504,7 @@
+     INPUT_TO_GRID_Y (edge->line.p1.y, e.line.p1.y);
+     INPUT_TO_GRID_Y (edge->line.p2.y, e.line.p2.y);
+     if (e.line.p1.y == e.line.p2.y)
+-	return;
++	e.line.p2.y++; /* little fudge to prevent a div-by-zero */
+ 
+     INPUT_TO_GRID_X (edge->line.p1.x, e.line.p1.x);
+     INPUT_TO_GRID_X (edge->line.p2.x, e.line.p2.x);
+Index: cairo/src/cairo-tor22-scan-converter.c
+===================================================================
+--- cairo.orig/src/cairo-tor22-scan-converter.c	2012-11-03 13:15:13.435503000 +0100
++++ cairo/src/cairo-tor22-scan-converter.c	2012-11-10 15:14:49.989027435 +0100
+@@ -1360,7 +1360,7 @@
+     INPUT_TO_GRID_Y (edge->line.p1.y, e.line.p1.y);
+     INPUT_TO_GRID_Y (edge->line.p2.y, e.line.p2.y);
+     if (e.line.p1.y == e.line.p2.y)
+-	return;
++	e.line.p2.y++; /* Fudge to prevent div-by-zero */
+ 
+     INPUT_TO_GRID_X (edge->line.p1.x, e.line.p1.x);
+     INPUT_TO_GRID_X (edge->line.p2.x, e.line.p2.x);
diff -Nru cairo-1.12.2/debian/patches/series cairo-1.12.2/debian/patches/series
--- cairo-1.12.2/debian/patches/series	2012-09-28 19:16:34.000000000 +0000
+++ cairo-1.12.2/debian/patches/series	2012-11-10 14:14:36.000000000 +0000
@@ -5,3 +5,5 @@
 06_hurd-map-noreserve.patch
 server_side_gradients.patch
 lp-#1030357.patch
+font-handling-fixes.patch
+git-crash_in_tor-fudge_the_edge.patch