I am trying to audit our local patches to freetype2 in openSUSE to reduce the number of patches we apply. I noticed that the fix for CVE-2010-3311 [0] is not applied to the upstream freetype source. Attached is the fix for the issue with the demo CFF file.
It would be nice to get this fixed so we can drop this patch.