diff --git a/bnc704612_othersubr.diff b/bnc704612_othersubr.diff
new file mode 100644
index 0000000..1f1f095
--- /dev/null
+++ b/bnc704612_othersubr.diff
@@ -0,0 +1,99 @@ +--- freetype-2.4.4/src/psaux/t1decode.c.orig 2011-07-21 16:44:40.000000000 +0000 ++++ freetype-2.4.4/src/psaux/t1decode.c 2011-07-21 17:00:05.000000000 +0000 +@@ -28,6 +28,8 @@ + + #include "psauxerr.h" + ++/* ensure proper sign extension */ ++#define Fix2Int( f ) ( (FT_Int)(FT_Short)( (f) >> 16 ) ) + + /*************************************************************************/ + /* */ +@@ -662,7 +664,7 @@ + if ( large_int ) + FT_TRACE4(( " %ld", value )); + else +- FT_TRACE4(( " %ld", (FT_Int32)( value >> 16 ) )); ++ FT_TRACE4(( " %ld", Fix2Int( value ) )); + #endif + + *top++ = value; +@@ -684,8 +686,8 @@ + + top -= 2; + +- subr_no = (FT_Int)( top[1] >> 16 ); +- arg_cnt = (FT_Int)( top[0] >> 16 ); ++ subr_no = Fix2Int( top[1] ); ++ arg_cnt = Fix2Int( top[0] ); + + /***********************************************************/ + /* */ +@@ -862,7 +864,7 @@ + if ( arg_cnt != 1 || blend == NULL ) + goto Unexpected_OtherSubr; + +- idx = (FT_Int)( top[0] >> 16 ); ++ idx = Fix2Int( top[0] ); + + if ( idx < 0 || + idx + blend->num_designs > decoder->len_buildchar ) +@@ -930,7 +932,7 @@ + if ( arg_cnt != 2 || blend == NULL ) + goto Unexpected_OtherSubr; + +- idx = (FT_Int)( top[1] >> 16 ); ++ idx = Fix2Int( top[1] ); + + if ( idx < 0 || (FT_UInt) idx >= decoder->len_buildchar ) + goto Unexpected_OtherSubr; +@@ -951,7 +953,7 @@ + if ( arg_cnt != 1 || blend == NULL ) + goto Unexpected_OtherSubr; + +- idx = (FT_Int)( top[0] >> 16 ); ++ idx = Fix2Int( top[0] ); + + if ( idx < 0 || (FT_UInt) idx >= decoder->len_buildchar ) + goto Unexpected_OtherSubr; +@@ -1009,11 +1011,15 @@ + break; + + default: +- FT_ERROR(( "t1_decoder_parse_charstrings:" +- " unknown othersubr [%d %d], wish me luck\n", +- arg_cnt, subr_no )); +- unknown_othersubr_result_cnt = arg_cnt; +- break; ++ if ( arg_cnt >= 0 && subr_no >= 0 ) ++ { ++ FT_ERROR(( "t1_decoder_parse_charstrings:" ++ " unknown othersubr [%d %d], wish me luck\n", ++ arg_cnt, subr_no )); ++ unknown_othersubr_result_cnt = 
arg_cnt; ++ break; ++ } ++ /* fall through */ + + Unexpected_OtherSubr: + FT_ERROR(( "t1_decoder_parse_charstrings:" +@@ -1139,8 +1145,8 @@ + top[0], + top[1], + top[2], +- (FT_Int)( top[3] >> 16 ), +- (FT_Int)( top[4] >> 16 ) ); ++ Fix2Int( top[3] ), ++ Fix2Int( top[4] ) ); + + case op_sbw: + FT_TRACE4(( " sbw" )); +@@ -1324,7 +1330,7 @@ + + FT_TRACE4(( " callsubr" )); + +- idx = (FT_Int)( top[0] >> 16 ); ++ idx = Fix2Int( top[0] ); + if ( idx < 0 || idx >= (FT_Int)decoder->num_subrs ) + { + FT_ERROR(( "t1_decoder_parse_charstrings:" diff --git a/freetype2.changes b/freetype2.changes index ddd8083..bdbc6b1 100644 --- a/freetype2.changes +++ b/freetype2.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Fri Jul 22 13:41:02 CEST 2011 - ke@suse.de + +- added bnc704612_othersubr.diff, CVE-2011-0226, bnc#704612. + ------------------------------------------------------------------- Thu Jul 7 13:16:05 UTC 2011 - idonmez@novell.com diff --git a/freetype2.spec b/freetype2.spec index 5f1f88a..1b40871 100644 --- a/freetype2.spec +++ b/freetype2.spec @@ -39,6 +39,7 @@ Patch9: fix-build.patch Patch10: freetype2-no_rpath.patch Patch308961: bugzilla-308961-cmex-workaround.patch Patch200: freetype2-subpixel.patch +Patch1018: bnc704612_othersubr.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -86,6 +87,7 @@ It also contains a small tutorial for using that library. %if %{enable_subpixel_rendering} %patch200 -p 1 -b .subpixel %endif +%patch1018 -p 1 -b .othersubr rm docs/reference/.gitignore diff --git a/ft2demos.changes b/ft2demos.changes index ca27207..d999a5b 100644 --- a/ft2demos.changes +++ b/ft2demos.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Fri Jul 22 13:41:52 CEST 2011 - ke@suse.de + +- added bnc704612_othersubr.diff, CVE-2011-0226, bnc#704612. + ------------------------------------------------------------------- Thu Jul 7 13:20:45 UTC 2011 - idonmez@novell.com 
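Review bot: A negative `arg_cnt` or `subr_no` is rejected only in the `default:` branch of the othersubr switch (inner hunk `@@ -1009`), not where the two values are decoded (inner hunk `@@ -684`), so the fix relies on every known case catching a negative count through its own `arg_cnt != N` test. The code between the decode and the switch is outside the hunks, so whether `top` is already adjusted by the font-supplied `arg_cnt` before the check runs cannot be confirmed from here. Rejecting immediately after the decode, `if ( arg_cnt < 0 || subr_no < 0 ) goto Unexpected_OtherSubr;`, would keep a negative count from being used at all. The `Fix2Int` comment could also say that the `(FT_Short)` cast narrows the integer part to 16 bits, so larger operands wrap before the later `idx` range checks. Separately, `Fix2Int` yields an `FT_Int` while the trace call in inner hunk `@@ -662` still formats it with `%ld`; `" %d"` would match the argument type.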
diff --git a/ft2demos.spec b/ft2demos.spec index c3e3939..4359356 100644 --- a/ft2demos.spec +++ b/ft2demos.spec @@ -39,6 +39,7 @@ Source1004: bnc629447_sigsegv31.ttf Source1013: bnc633938_badbdf.0 Source1015: bug-641580_CVE-2010-3311.cff Source1016: bug-647375_tt2.ttf +Patch1018: bnc704612_othersubr.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -56,6 +57,7 @@ popd %if %{enable_subpixel_rendering} %patch200 -p 1 -b .subpixel %endif +%patch1018 -p 1 -b .othersubr %build %configure --without-bzip2