diff --git a/0001-Set-default-LCD-filter-to-FreeType-s-default.patch b/0001-Set-default-LCD-filter-to-FreeType-s-default.patch
new file mode 100644
index 0000000000000000000000000000000000000000..854eb0e1c448ae644141e57afbab4cc6b7c969d8
--- /dev/null
+++ b/0001-Set-default-LCD-filter-to-FreeType-s-default.patch
@@ -0,0 +1,56 @@
+From 12a5b7384f35d9a3f4c6b151fac4857444db3d6a Mon Sep 17 00:00:00 2001
+From: Nikolaus Waxweiler
+Date: Sat, 10 Nov 2018 16:44:23 +0000
+Subject: [PATCH] Set default LCD filter to FreeType's default
+
+---
+ src/cairo-ft-font.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/cairo-ft-font.c b/src/cairo-ft-font.c
+index 325dd61b4..3c47dc12e 100644
+--- a/src/cairo-ft-font.c
++++ b/src/cairo-ft-font.c
+@@ -1404,7 +1404,7 @@ _render_glyph_outline (FT_Face face,
+ cairo_image_surface_t **surface)
+{
+ int rgba = FC_RGBA_UNKNOWN;
+- int lcd_filter = FT_LCD_FILTER_LEGACY;
++ int lcd_filter = FT_LCD_FILTER_DEFAULT;
+ FT_GlyphSlot glyphslot = face->glyph;
+ FT_Outline *outline = &glyphslot->outline;
+ FT_Bitmap bitmap;
+@@ -1439,13 +1439,13 @@ _render_glyph_outline (FT_Face face,
+ case CAIRO_LCD_FILTER_NONE:
+ lcd_filter = FT_LCD_FILTER_NONE;
+ break;
+- case CAIRO_LCD_FILTER_DEFAULT:
+ case CAIRO_LCD_FILTER_INTRA_PIXEL:
+ lcd_filter = FT_LCD_FILTER_LEGACY;
+ break;
+ case CAIRO_LCD_FILTER_FIR3:
+ lcd_filter = FT_LCD_FILTER_LIGHT;
+ break;
++ case CAIRO_LCD_FILTER_DEFAULT:
+ case CAIRO_LCD_FILTER_FIR5:
+ lcd_filter = FT_LCD_FILTER_DEFAULT;
+ break;
+@@ -3416,7 +3416,6 @@ _cairo_ft_font_options_substitute (const cairo_font_options_t *options,
+ case CAIRO_LCD_FILTER_NONE:
+ lcd_filter = FT_LCD_FILTER_NONE;
+ break;
+- case CAIRO_LCD_FILTER_DEFAULT:
+ case CAIRO_LCD_FILTER_INTRA_PIXEL:
+ lcd_filter = FT_LCD_FILTER_LEGACY;
+ break;
+@@ -3424,6 +3423,7 @@ _cairo_ft_font_options_substitute (const cairo_font_options_t *options,
+ lcd_filter = FT_LCD_FILTER_LIGHT;
+ break;
+ default:
++ case CAIRO_LCD_FILTER_DEFAULT:
+ case CAIRO_LCD_FILTER_FIR5:
+ lcd_filter = FT_LCD_FILTER_DEFAULT;
+ break;
+--
+2.19.1
+
diff --git a/CVE-2018-19876.patch b/0002-ft-Use-FT_Done_MM_Var-instead-of-free-when-available.patch similarity index 81% rename from CVE-2018-19876.patch rename to 0002-ft-Use-FT_Done_MM_Var-instead-of-free-when-available.patch index 484a07c0ca0b63039c216b7bfc4aa995169800ca..3709c5a90f8093b53b3e89df0e950bcb6a1f355a 100644 --- a/CVE-2018-19876.patch +++ b/0002-ft-Use-FT_Done_MM_Var-instead-of-free-when-available.patch @@ -1,6 +1,6 @@ From 90e85c2493fdfa3551f202ff10282463f1e36645 Mon Sep 17 00:00:00 2001 From: Carlos Garcia Campos -Date: Thu, 17 Sep 2020 15:55:42 -0400 +Date: Mon, 19 Nov 2018 12:33:07 +0100 Subject: [PATCH] ft: Use FT_Done_MM_Var instead of free when available in cairo_ft_apply_variations @@ -10,7 +10,7 @@ Fixes a crash when using freetype >= 2.9 1 file changed, 4 insertions(+) diff --git a/src/cairo-ft-font.c b/src/cairo-ft-font.c -index 325dd61..b63258d 100644 +index 325dd61b4..981973f78 100644 --- a/src/cairo-ft-font.c +++ b/src/cairo-ft-font.c @@ -2393,7 +2393,11 @@ skip: @@ -18,7 +18,7 @@ index 325dd61..b63258d 100644 free (coords); free (current_coords); +#if HAVE_FT_DONE_MM_VAR -+ FT_Done_MM_Var (face->glyph->library, ft_mm_var); ++ FT_Done_MM_Var (face->glyph->library, ft_mm_var); +#else free (ft_mm_var); +#endif @@ -26,5 +26,5 @@ index 325dd61..b63258d 100644 } -- -2.23.0 +2.19.2 diff --git a/0003-cairo-composite_color_glyphs.patch b/0003-cairo-composite_color_glyphs.patch new file mode 100644 index 0000000000000000000000000000000000000000..fe8860e784314170a1a34db0ec19bc7cbfb72e2c --- /dev/null +++ b/0003-cairo-composite_color_glyphs.patch 
@@ -0,0 +1,56 @@
+From 79ad01724161502e8d9d2bd384ff1f0174e5df6e Mon Sep 17 00:00:00 2001
+From: Matthias Clasen
+Date: Thu, 30 May 2019 07:30:55 -0400
+Subject: [PATCH] Fix a thinko in composite_color_glyphs
+
+We can't just move around the contents of the
+passed-in string, we need to make a copy. This
+was showing up as memory corruption in pango.
+
+See https://gitlab.gnome.org/GNOME/pango/issues/346
+---
+ src/cairo-surface.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/cairo-surface.c b/src/cairo-surface.c
+index c30f84087..e112b660a 100644
+--- a/src/cairo-surface.c
++++ b/src/cairo-surface.c
+@@ -2820,6 +2820,7 @@ _cairo_surface_show_text_glyphs (cairo_surface_t *surface,
+ const cairo_clip_t *clip)
+{
+ cairo_int_status_t status;
++ char *utf8_copy = NULL;
+
+ TRACE ((stderr, "%s\n", __FUNCTION__));
+ if (unlikely (surface->status))
+@@ -2847,6 +2848,10 @@ _cairo_surface_show_text_glyphs (cairo_surface_t *surface,
+ status = CAIRO_INT_STATUS_UNSUPPORTED;
+
+ if (_cairo_scaled_font_has_color_glyphs (scaled_font)) {
++ utf8_copy = malloc (sizeof (char) * utf8_len);
++ memcpy (utf8_copy, utf8, sizeof (char) * utf8_len);
++ utf8 = utf8_copy;
++
+ status = composite_color_glyphs (surface, op,
+ source,
+ (char *)utf8, &utf8_len,
+@@ -2861,6 +2866,8 @@ _cairo_surface_show_text_glyphs (cairo_surface_t *surface,
+ if (num_glyphs == 0)
+ goto DONE;
+ }
++ else
++ utf8_copy = NULL;
+
+ /* The logic here is duplicated in _cairo_analysis_surface show_glyphs and
+ * show_text_glyphs. Keep in synch. */
+@@ -2918,6 +2925,9 @@ _cairo_surface_show_text_glyphs (cairo_surface_t *surface,
+ surface->serial++;
+ }
+
++ if (utf8_copy)
++ free (utf8_copy);
++
+ return _cairo_surface_set_error (surface, status);
+ }
+
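Review bot: The `malloc` result in `_cairo_surface_show_text_glyphs` is handed straight to `memcpy` without a NULL check, so an allocation failure on the colour-glyph path becomes a write through a null pointer instead of an error status. Checking it before the copy, e.g. `if (unlikely (utf8_copy == NULL)) return _cairo_surface_set_error (surface, _cairo_error (CAIRO_STATUS_NO_MEMORY));`, keeps the failure on the normal error path; a `utf8_len` of zero should skip the copy entirely, since `malloc (0)` may legitimately return NULL. The `else utf8_copy = NULL;` branch and the `if (utf8_copy)` guard before `free` are both redundant given the initialiser and the fact that `free (NULL)` is a no-op. The function body starts and ends outside these hunks, so whether every exit taken after the copy (the `goto DONE` path in particular) reaches the new `free` cannot be confirmed from here.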
diff --git a/0004-cff-Allow-empty-array-of-operands-for-certain-operat.patch b/0004-cff-Allow-empty-array-of-operands-for-certain-operat.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ac9784b409089ccd10be07d375f114a321131a3b
--- /dev/null
+++ b/0004-cff-Allow-empty-array-of-operands-for-certain-operat.patch
@@ -0,0 +1,116 @@
+From ef959bc76e65ea0b0d4ba3ee50dfbce31c3484ad Mon Sep 17 00:00:00 2001
+From: Marek Kasik
+Date: Fri, 27 Mar 2020 19:39:46 +0100
+Subject: [PATCH] cff: Allow empty array of operands for certain operators
+
+Operators BlueValues, OtherBlues, FamilyBlues, FamilyOtherBlues,
+StemSnapH and StemSnapV have operands of type delta which can be
+a number or an array of delta-encoded numbers. This array can be
+empty according to freetype developers.
+This commit checks whether current operator is among those listed
+and permits empty operand in such case.
+---
+ src/cairo-cff-subset.c | 78 ++++++++++++++++++++++++++----------------
+ 1 file changed, 49 insertions(+), 29 deletions(-)
+
+diff --git a/src/cairo-cff-subset.c b/src/cairo-cff-subset.c
+index 37727eddb..fce4195e9 100644
+--- a/src/cairo-cff-subset.c
++++ b/src/cairo-cff-subset.c
+@@ -56,30 +56,36 @@
+
+ /* CFF Dict Operators. If the high byte is 0 the command is encoded
+ * with a single byte. */
+-#define BASEFONTNAME_OP 0x0c16
+-#define CIDCOUNT_OP 0x0c22
+-#define CHARSET_OP 0x000f
+-#define CHARSTRINGS_OP 0x0011
+-#define COPYRIGHT_OP 0x0c00
+-#define DEFAULTWIDTH_OP 0x0014
+-#define ENCODING_OP 0x0010
+-#define FAMILYNAME_OP 0x0003
+-#define FDARRAY_OP 0x0c24
+-#define FDSELECT_OP 0x0c25
+-#define FONTBBOX_OP 0x0005
+-#define FONTMATRIX_OP 0x0c07
+-#define FONTNAME_OP 0x0c26
+-#define FULLNAME_OP 0x0002
+-#define LOCAL_SUB_OP 0x0013
+-#define NOMINALWIDTH_OP 0x0015
+-#define NOTICE_OP 0x0001
+-#define POSTSCRIPT_OP 0x0c15
+-#define PRIVATE_OP 0x0012
+-#define ROS_OP 0x0c1e
+-#define UNIQUEID_OP 0x000d
+-#define VERSION_OP 0x0000
+-#define WEIGHT_OP 0x0004
+-#define XUID_OP 0x000e
++#define BASEFONTNAME_OP 0x0c16
++#define CIDCOUNT_OP 0x0c22
++#define CHARSET_OP 0x000f
++#define CHARSTRINGS_OP 0x0011
++#define COPYRIGHT_OP 0x0c00
++#define DEFAULTWIDTH_OP 0x0014
++#define ENCODING_OP 0x0010
++#define FAMILYNAME_OP 0x0003
++#define FDARRAY_OP 0x0c24
++#define FDSELECT_OP 0x0c25
++#define FONTBBOX_OP 0x0005
++#define FONTMATRIX_OP 0x0c07
++#define FONTNAME_OP 0x0c26
++#define FULLNAME_OP 0x0002
++#define LOCAL_SUB_OP 0x0013
++#define NOMINALWIDTH_OP 0x0015
++#define NOTICE_OP 0x0001
++#define POSTSCRIPT_OP 0x0c15
++#define PRIVATE_OP 0x0012
++#define ROS_OP 0x0c1e
++#define UNIQUEID_OP 0x000d
++#define VERSION_OP 0x0000
++#define WEIGHT_OP 0x0004
++#define XUID_OP 0x000e
++#define BLUEVALUES_OP 0x0006
++#define OTHERBLUES_OP 0x0007
++#define FAMILYBLUES_OP 0x0008
++#define FAMILYOTHERBLUES_OP 0x0009
++#define STEMSNAPH_OP 0x0c0c
++#define STEMSNAPV_OP 0x0c0d
+
+ #define NUM_STD_STRINGS 391
+
+@@ -615,13 +621,27 @@ cff_dict_create_operator (int operator,
+ return _cairo_error (CAIRO_STATUS_NO_MEMORY);
+
+ _cairo_dict_init_key (op, operator);
+- op->operand = _cairo_malloc (size);
+- if (unlikely (op->operand == NULL)) {
+- free (op);
+- return _cairo_error (CAIRO_STATUS_NO_MEMORY);
++ if (size != 0) {
++ op->operand = _cairo_malloc (size);
++ if (unlikely (op->operand == NULL)) {
++ free (op);
++ return _cairo_error (CAIRO_STATUS_NO_MEMORY);
++ }
++ memcpy (op->operand, operand, size);
++ } else {
++ op->operand = NULL;
++ /* Delta-encoded arrays can be empty. */
++ if (operator != BLUEVALUES_OP &&
++ operator != OTHERBLUES_OP &&
++ operator != FAMILYBLUES_OP &&
++ operator != FAMILYOTHERBLUES_OP &&
++ operator != STEMSNAPH_OP &&
++ operator != STEMSNAPV_OP) {
++ free (op);
++ return _cairo_error (CAIRO_STATUS_NO_MEMORY);
++ }
+ }
+
+- memcpy (op->operand, operand, size);
+ op->operand_length = size;
+ op->operand_offset = -1;
+
+--
+2.26.0
+
diff --git a/cairo-1.15.14.tar.xz b/cairo-1.16.0.tar.xz
similarity index 83%
rename from cairo-1.15.14.tar.xz
rename to cairo-1.16.0.tar.xz
index 91138102302947f2258079cf60193edc80314a3e..5617883b5092fdd5eaa1db2ff57039c4246e5e59 100644
Binary files a/cairo-1.15.14.tar.xz and b/cairo-1.16.0.tar.xz differ
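Review bot: In `cff_dict_create_operator`, the new `size == 0` branch rejects an empty operand for every other operator with `CAIRO_STATUS_NO_MEMORY`, although nothing failed to allocate; the real condition is a malformed or unexpected font dictionary. CFF data comes from font files, so callers and logs would be better served by a status that marks the font as invalid or unsupported (presumably whatever this file already returns for other parse failures), with a comment such as `/* An empty operand is only valid for delta-array operators; anything else is a malformed font. */`. The accepted case now leaves `op->operand` NULL with `operand_length` 0, so every consumer that reads or copies `op->operand` has to tolerate that; those call sites are outside the hunk and should be checked. The whitespace-only rewrite of the 24 existing `#define` lines also buries the six new operator constants and makes the patch harder to audit.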
diff --git a/cairo.spec b/cairo.spec index 64e725e46677b40a7ebfc46780d1adbb99f1775d..8b334e2fd4b21f18863e96f63d184182d500d484 100644 --- a/cairo.spec +++ b/cairo.spec @@ -1,16 +1,19 @@ %global cairogl --disable-gl Name: cairo -Version: 1.15.14 -Release: 6 +Version: 1.16.0 +Release: 1 Summary: A 2D graphics library License: LGPLv2 or MPLv1.1 URL: http://cairographics.org Source0: http://cairographics.org/releases/%{name}-%{version}.tar.xz -Patch1: CVE-2018-19876.patch -Patch2: CVE-2019-6461.patch -Patch3: CVE-2019-6462.patch +Patch0001: 0001-Set-default-LCD-filter-to-FreeType-s-default.patch +Patch0002: 0002-ft-Use-FT_Done_MM_Var-instead-of-free-when-available.patch +Patch0003: 0003-cairo-composite_color_glyphs.patch +Patch0004: 0004-cff-Allow-empty-array-of-operands-for-certain-operat.patch +Patch0005: CVE-2019-6461.patch +Patch0006: CVE-2019-6462.patch BuildRequires: pkgconfig glib2-devel librsvg2-devel BuildRequires: libXrender-devel libX11-devel libpng-devel libxml2-devel @@ -80,6 +83,9 @@ find $RPM_BUILD_ROOT -name '*.la' -delete %{_bindir}/cairo-trace %changelog +* Sat Oct 31 2020 chengguipeng - 1.16.0-1 +- update to 1.16.0 + * Sun Sep 27 2020 wangye - 1.15.14-6 - fix source URL
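Review bot: Renaming `CVE-2018-19876.patch` to `0002-ft-Use-FT_Done_MM_Var-instead-of-free-when-available.patch` removes the only place in the spec where that CVE identifier appeared, and the new changelog entry says only `update to 1.16.0`. Anyone auditing the package, or any tooling that matches patch names or changelog text against CVE IDs, can no longer tell from the spec that the fix is still carried. A comment directly above the entry, `# Fixes CVE-2018-19876` before `Patch0002:`, or a changelog line recording the rename, would keep that traceability. The three newly added patches (`Patch0001`, `Patch0003`, `Patch0004`) would likewise benefit from a one-line comment each naming the upstream commit they were taken from.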