<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!DOCTYPE bugzilla SYSTEM "http://bugs.gentoo.org/bugzilla.dtd">

<bugzilla version="2.22.7"
          urlbase="http://bugs.gentoo.org/"
          maintainer="bugzilla@gentoo.org"
>

    <bug>
          <bug_id>69070</bug_id>
          
          <creation_ts>2004-10-26 14:30 0000</creation_ts>
          <short_desc>media-libs/gd: Integer overflows</short_desc>
          <delta_ts>2004-11-10 21:53:57 0000</delta_ts>
          <reporter_accessible>1</reporter_accessible>
          <cclist_accessible>1</cclist_accessible>
          <classification_id>1</classification_id>
          <classification>Unclassified</classification>
          <product>Gentoo Security</product>
          <component>Vulnerabilities</component>
          <version>unspecified</version>
          <rep_platform>All</rep_platform>
          <op_sys>All</op_sys>
          <bug_status>RESOLVED</bug_status>
          <resolution>FIXED</resolution>
          <bug_file_loc>http://www.securityfocus.com/archive/1/379382</bug_file_loc>
          <status_whiteboard>C2 [glsa] lewk</status_whiteboard>
          
          <priority>P2</priority>
          <bug_severity>normal</bug_severity>
          <target_milestone>---</target_milestone>
          
          
          
          <everconfirmed>1</everconfirmed>
          <reporter>lewk@gentoo.org</reporter>
          <assigned_to>security@gentoo.org</assigned_to>
          <cc>krispykringle@gentoo.org</cc>
          <cc>muchar@gentoo.org</cc>
          <long_desc isprivate="0">
            <who>lewk@gentoo.org</who>
            <bug_when>2004-10-26 14:30:00 0000</bug_when>
            <thetext>Subject:

GD Graphics Library integer overflow leading to heap overflow.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Product Description:

An ANSI C library for the dynamic creation of images. GD creates PNG, JPEG and
GIF images, among other formats.  It is the library used by PHP to manipulate
images.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Vulnerable:

Only the latest version was tested, gd-2.0.28.  I would venture a guess that old
versions are vulnerable as well, as I found no checking anywhere for the type of
bugs found.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Summary:

There is an integer overflow when allocating memory in the routine that handles
loading PNG image files.  This later leads to heap data structures being
overwritten.  If an attacker tricked a user into loading a malicious PNG image,
they could leverage this into executing arbitrary code in the context of the
user opening the image.  Many programs use GD, such as ImageMagick, and more
importantly it is also the image library used for PHP, and there is a Perl
module as well.  One possible target would be PHP driven photo websites that
let users upload images.  Some of them will resize/compress the image when the
user uploads them.  If this is done using GD, this could be used to execute code
on the server.  There is a mitigating factor, in order to reach the vulnerable
code, a large amount of memory needs to be allocated.  My 128MB p2 crapped out
one allocation before it reached the overflow.  However, I think on a newer box
with lots of memory and swap space, that won&apos;t be a problem.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Details:

The vulnerable code occurs in the file gd_png.c, in the function
gdImageCreateFromPngCtx(), which is called by gdImageCreateFromPng().  The
function is used to load an image file into GD data structures.  The problem
occurs when allocating memory for the image rows, line 314 or so (I added some
comments so line number might be off).  Two user supplied values are multiplied
together (rowbytes * height), and used to allocate memory for an array of
pointers.  This pointer array is then passed to the png_read_image() function,
which belongs to the libPNG library.  In that function, the pointers are passed
to the png_read_row() function.  The data for the rows is decompressed using
zLib function inflate(), and then passed to the png_combine_row() function,
where the deflated data is memcpy()&apos;d into the heap buffer.  Exploitation would
require using zLib functions to compress the payload.  Successful exploitation
would lead to executing arbitrary code.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Vendor:

I spoke with the author about a month ago, he told me that updates would be out
within a couple weeks.  I&apos;m assuming they are.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Exploit:

The start of my exploit is attached.  I didn&apos;t pursue further b/c my box sucks
ass, and doesn&apos;t have enough memory/swap.</thetext>
          </long_desc>
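<![CDATA[
An added example, not code from the reporter, from gd or from the patch: the rowbytes * height size arithmetic the report above describes and the kind of pre-allocation guard the fix adds, written with explicit 32-bit types so the wrap is reproducible on any host; every function name and the sample header values are constructed.

```c
/* Added example (not the reporter's code, gd's, or the patch's): the
 * allocation-size arithmetic behind the gd_png.c bug and the kind of
 * guard the gd-2.0.30 patch places before gdMalloc(rowbytes * height).
 * Fixed 32-bit types keep the wrap reproducible on any host. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Pre-patch arithmetic: rowbytes and height both derive from the PNG
 * header, so an attacker picks both factors.  The product wraps mod 2^32
 * and a buffer far smaller than the decoded rows gets allocated. */
uint32_t unchecked_image_size(uint32_t rowbytes, uint32_t height)
{
    return rowbytes * height;
}

/* Guard in the spirit of overflow2(a, b): nonzero when a * b does not fit
 * in 32 bits.  Dividing instead of multiplying cannot itself overflow. */
int mul32_overflows(uint32_t a, uint32_t b)
{
    if (a == 0 || b == 0)
        return 0;
    return a > UINT32_MAX / b;
}

/* Guarded version of the image_data allocation: refuse before malloc. */
unsigned char *alloc_image_data(uint32_t rowbytes, uint32_t height)
{
    if (mul32_overflows(rowbytes, height))
        return NULL;
    return malloc((size_t)rowbytes * height);
}

/* The second attacker-sized allocation in the same function, the table of
 * row pointers (height * sizeof(png_bytep)), needs the same guard. */
unsigned char **alloc_row_pointers(uint32_t height)
{
    if (mul32_overflows(height, (uint32_t)sizeof(unsigned char *)))
        return NULL;
    return malloc((size_t)height * sizeof(unsigned char *));
}

/* Helpers that allocate, free and report success, for checking results. */
int image_data_accepted(uint32_t rowbytes, uint32_t height)
{
    unsigned char *p = alloc_image_data(rowbytes, height);
    if (p == NULL)
        return 0;
    free(p);
    return 1;
}

int row_pointers_accepted(uint32_t height)
{
    unsigned char **p = alloc_row_pointers(height);
    if (p == NULL)
        return 0;
    free(p);
    return 1;
}

int main(void)
{
    /* Constructed header values: 16384 RGBA pixels per row (65536 bytes),
     * 65537 rows.  True size is 2^32 + 65536 bytes; the wrap gives 65536. */
    uint32_t rowbytes = 65536u, height = 65537u;
    printf("unchecked size: %u bytes, overflow detected: %d\n",
           unchecked_image_size(rowbytes, height),
           mul32_overflows(rowbytes, height));
    return 0;
}
```
]]>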
          <long_desc isprivate="0">
            <who>lewk@gentoo.org</who>
            <bug_when>2004-10-26 14:43:17 0000</bug_when>
            <thetext>I don&apos;t see any new version or fix for this issue anywhere.

I sent an email upstream regarding this issue, and awaiting a response.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>lewk@gentoo.org</who>
            <bug_when>2004-10-26 15:11:02 0000</bug_when>
            <thetext>Reply from upstream:

&quot;2.0.29 will be out in the next few days. I apologize for the delay.
(The bug, for what it&apos;s worth, is quite challenging to exploit.)&quot;</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>vapier@gentoo.org</who>
            <bug_when>2004-10-26 16:02:43 0000</bug_when>
            <thetext>depending on what the exploit is, php may be at risk also</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>koon@gentoo.org</who>
            <bug_when>2004-10-27 13:07:53 0000</bug_when>
            <thetext>*** Bug 69156 has been marked as a duplicate of this bug. ***</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>koon@gentoo.org</who>
            <bug_when>2004-10-30 09:35:50 0000</bug_when>
            <thetext>2.0.30 is out at boutell.com.
vapier: please bump</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>vapier@gentoo.org</who>
            <bug_when>2004-10-30 14:58:16 0000</bug_when>
            <thetext>looking at php-5.0.2&apos;s ext/gd/libgd/gd_png.c, i would venture to say that the exploit exists there too

sample from the gd patch:
--- gd-2.0.28/gd_png.c  2004-05-24 10:42:18.000000000 -0400
+++ gd-2.0.30/gd_png.c  2004-10-28 14:09:52.000000000 -0400
@@ -312,12 +312,21 @@

   /* allocate space for the PNG image data */
   rowbytes = png_get_rowbytes (png_ptr, info_ptr);
+  if (overflow2(rowbytes, height)) {
+    png_destroy_read_struct (&amp;png_ptr, &amp;info_ptr, NULL);
+    return NULL;
+  }
   if ((image_data = (png_bytep) gdMalloc (rowbytes * height)) == NULL)
     {
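Review bot: the overflow2(rowbytes, height) guard covers only the image_data allocation visible here, and the hunk header (nine lines added in the new file against the four + lines shown) says this sample is abridged; the array of pointers the report describes being allocated in the same function (height * sizeof(png_bytep)) needs the same check, so confirm the full patch covers it. The parameter types of overflow2 and the return type of png_get_rowbytes are also not visible here; if the check takes int while rowbytes is libpng&apos;s unsigned type, a value above INT_MAX would be narrowed before the check runs, so that conversion is worth verifying.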

snippet from php-5.0.2&apos;s gd_png.c:
    /* allocate space for the PNG image data */
    rowbytes = png_get_rowbytes(png_ptr, info_ptr);
    image_data = (png_bytep) safe_emalloc(rowbytes, height, 0);</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>vapier@gentoo.org</who>
            <bug_when>2004-10-30 15:01:36 0000</bug_when>
            <thetext>i&apos;d suggest we fork php off to a sep bug so as to not hold back gd-2.0.30

i marked stable for the arches i maintain ... here&apos;s the current KEYWORDS:
KEYWORDS=&quot;~alpha ~amd64 arm hppa ia64 ~mips ~ppc ~ppc64 s390 ~sparc x86&quot;</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>koon@gentoo.org</who>
            <bug_when>2004-10-31 02:37:08 0000</bug_when>
            <thetext>Arches, please mark stable</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>hansmi@gentoo.org</who>
            <bug_when>2004-10-31 03:08:07 0000</bug_when>
            <thetext>Stable on ppc.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>kloeri@gentoo.org</who>
            <bug_when>2004-10-31 04:53:45 0000</bug_when>
            <thetext>Stable on alpha.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>weeve@gentoo.org</who>
            <bug_when>2004-10-31 08:18:12 0000</bug_when>
            <thetext>Stable on sparc</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>vapier@gentoo.org</who>
            <bug_when>2004-10-31 18:38:11 0000</bug_when>
            <thetext>ok, 1.8.4 also has this problem ... i forward ported a patch (1.8.4-png-overflows.patch) and added to cvs ...

i contacted upstream to see what their take is on 1.x ... if they don&apos;t plan on updating their 1.8.4, i might just remove it from the tree</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>koon@gentoo.org</who>
            <bug_when>2004-11-02 05:58:47 0000</bug_when>
            <thetext>amd64, ppc64, please mark stable</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>koon@gentoo.org</who>
            <bug_when>2004-11-02 09:09:05 0000</bug_when>
            <thetext>*** Bug 69850 has been marked as a duplicate of this bug. ***</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>koon@gentoo.org</who>
            <bug_when>2004-11-02 09:10:32 0000</bug_when>
            <thetext>That would be CAN-2004-0990</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>eradicator@gentoo.org</who>
            <bug_when>2004-11-02 12:24:32 0000</bug_when>
            <thetext>stable amd64</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>corsair@gentoo.org</who>
            <bug_when>2004-11-02 13:42:15 0000</bug_when>
            <thetext>stable on ppc64</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>vapier@gentoo.org</who>
            <bug_when>2004-11-02 16:39:36 0000</bug_when>
            <thetext>i e-mailed upstream about two bugs ...
(1) he released 2.0.32 in response to a compile failure
(2) he removed 1.x completely :)  i&apos;ll do the same for us</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>manuel@mclure.org</who>
            <bug_when>2004-11-03 09:39:24 0000</bug_when>
            <thetext>Ack! Please return 1.8.4 to the tree - otherwise www-apps/nut-2.0.0 breaks!</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>manuel@mclure.org</who>
            <bug_when>2004-11-03 11:01:57 0000</bug_when>
            <thetext>It seems that the www-apps/nut ebuild breaks, but if you change the ebuild it will build against gd-2. I&apos;ll enter a bug for nut to make the ebuild work with gd-2.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>koon@gentoo.org</who>
            <bug_when>2004-11-03 13:41:01 0000</bug_when>
            <thetext>GLSA 200411-08
mips: mark stable to benefit from GLSA</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>vapier@gentoo.org</who>
            <bug_when>2004-11-03 15:26:04 0000</bug_when>
            <thetext>yeah, gd-1.x isn&apos;t coming back ;)

nut will have to be fixed/removed</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>hardave@gentoo.org</who>
            <bug_when>2004-11-05 03:35:51 0000</bug_when>
            <thetext>Stable on mips.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>solar@gentoo.org</who>
            <bug_when>2004-11-10 21:53:57 0000</bug_when>
            <thetext>Created an attachment (id=43704)
gd-1.8.4-security.patch

For those of you that need gd-1.8.4 still, this patch resolves CAN-2004-0941 and
CAN-2004-0990</thetext>
          </long_desc>
      
          <attachment
              isobsolete="0"
              ispatch="1"
              isprivate="0"
          >
            <attachid>43704</attachid>
            <date>2004-11-10 21:53 0000</date>
            <desc>gd-1.8.4-security.patch</desc>
            <filename>gd-1.8.4-security.patch</filename>
            <type>text/plain</type>
          <data encoding="base64"></data>

          </attachment>
    </bug>

</bugzilla>