216659 2020-09-17 12:18:30 -0700 Crash in FontCascade::fontMetrics 2021-01-21 01:51:19 -0800 1 1 1 Unclassified WebKit CSS WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 ajuma fred.wang bfulgham cgarcia ews-feeder fred.wang gpoo koivisto mmaxfield product-security rbuis rniwa rohitrao simon.fraser svillar webkit-bug-importer zalan oldest_to_newest 1689547 0 409055 ajuma 2020-09-17 12:18:30 -0700 Created attachment 409055 Minimized test case Filing this as a security bug since it was found using a fuzzer; there's no disclosure deadline for this bug. Crash stack: ================================================================= ==97273==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000060 (pc 0x000110d986f5 bp 0x7ffeec6f3e00 sp 0x7ffeec6f3dd0 T0) ==97273==The signal is caused by a READ memory access. ==97273==Hint: address points to the zero page. ==97273==WARNING: invalid path to external symbolizer! ==97273==WARNING: Failed to use and restart external symbolizer! #0 0x110d986f4 in WebCore::FontCascadeFonts::primaryFont(WebCore::FontCascadeDescription const&) (/Users/ajuma/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1966f4) #1 0x114684178 in WebCore::FontCascade::fontMetrics() const (/Users/ajuma/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3a82178) #2 0x113bfe974 in WebCore::CSSPrimitiveValue::computeNonCalcLengthDouble(WebCore::CSSToLengthConversionData const&, WebCore::CSSUnitType, double) (/Users/ajuma/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2ffc974) #3 0x113b06e2b in WTF::Vector<double, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> WTF::Vector<WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::DumbPtrTraits<WebCore::CSSCalcExpressionNode> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::map<WebCore::CSSCalcOperationNode::computeLengthPx(WebCore::CSSToLengthConversionData const&) const::$_1, double>(WebCore::CSSCalcOperationNode::computeLengthPx(WebCore::CSSToLengthConversionData const&) const::$_1) const (/Users/ajuma/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2f04e2b) #4 0x113b06c6d in WebCore::CSSCalcOperationNode::computeLengthPx(WebCore::CSSToLengthConversionData const&) const (/Users/ajuma/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2f04c6d) #5 0x113b0b73f in WebCore::CSSCalcValue::computeLengthPx(WebCore::CSSToLengthConversionData const&) const (/Users/ajuma/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2f0973f) #6 0x113bfe788 in float WebCore::CSSPrimitiveValue::computeLength<float>(WebCore::CSSToLengthConversionData const&) const (/Users/ajuma/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2ffc788) #7 0x1129b7dc6 in WebCore::Style::BuilderConverter::convertSpacing(WebCore::Style::BuilderState&, WebCore::CSSValue const&) (/Users/ajuma/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1db5dc6) #8 0x112913c7c in WebCore::Style::BuilderCustom::applyValueLetterSpacing(WebCore::Style::BuilderState&, WebCore::CSSValue&) (/Users/ajuma/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1d11c7c) #9 0x115ebc942 in WebCore::Style::Builder::applyProperty(WebCore::CSSPropertyID, WebCore::CSSValue&, WebCore::SelectorChecker::LinkMatchMask) (/Users/ajuma/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x52ba942) #10 0x115ec9c9b in WebCore::Style::Builder::applyCascadeProperty(WebCore::Style::PropertyCascade::Property const&)::'lambda'(WebCore::SelectorChecker::LinkMatchMask)::operator()(WebCore::SelectorChecker::LinkMatchMask) const (/Users/ajuma/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x52c7c9b) #11 0x115ebcc49 in WebCore::Style::Builder::applyCascadeProperty(WebCore::Style::PropertyCascade::Property const&) (/Users/ajuma/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x52bac49) #12 0x115ebcdfe in void WebCore::Style::Builder::applyPropertiesImpl<(WebCore::Style::Builder::CustomPropertyCycleTracking)1>(int, int) (/Users/ajuma/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x52badfe) #13 0x115ebbcfb in WebCore::Style::Builder::applyHighPriorityProperties() (/Users/ajuma/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x52b9cfb) #14 0x115ef1e5e in WebCore::Style::Resolver::applyMatchedProperties(WebCore::Style::Resolver::State&, WebCore::Style::MatchResult const&, WebCore::Style::Resolver::UseMatchedDeclarationsCache) (/Users/ajuma/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x52efe5e) #15 0x115ef01cc in WebCore::Style::Resolver::styleForElement(WebCore::Element const&, WebCore::RenderStyle const*, WebCore::RenderStyle const*, WebCore::RuleMatchingBehavior, WebCore::SelectorFilter const*) (/Users/ajuma/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x52ee1cc) #16 0x115f1805f in WebCore::Style::TreeResolver::styleForElement(WebCore::Element&, WebCore::RenderStyle const&) (/Users/ajuma/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x531605f) #17 0x115f185f6 in WebCore::Style::TreeResolver::resolveElement(WebCore::Element&) (/Users/ajuma/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x53165f6) #18 0x115f1ac06 in WebCore::Style::TreeResolver::resolveComposedTree() (/Users/ajuma/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x5318c06) #19 0x115f1bf66 in WebCore::Style::TreeResolver::resolve() (/Users/ajuma/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x5319f66) #20 0x113ea61f5 in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) (/Users/ajuma/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x32a41f5) #21 0x113ea715b in WebCore::Document::updateStyleIfNeeded() (/Users/ajuma/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x32a515b) #22 0x113ecc7a6 in WebCore::Document::finishedParsing() (/Users/ajuma/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x32ca7a6) #23 0x114797b7a in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/ajuma/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b95b7a) #24 0x114c3d6b8 in WebCore::DocumentWriter::end() (/Users/ajuma/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x403b6b8) #25 0x114c3c1cc in WebCore::DocumentLoader::finishedLoading() (/Users/ajuma/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x403a1cc) #26 0x114c3bb33 in WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource&, WebCore::NetworkLoadMetrics const&) (/Users/ajuma/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x4039b33) #27 0x114de82ff in WebCore::CachedResource::checkNotify(WebCore::NetworkLoadMetrics const&) (/Users/ajuma/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x41e62ff) #28 0x114de418b in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*, WebCore::NetworkLoadMetrics const&) (/Users/ajuma/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x41e218b) #29 0x114d60ed7 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/ajuma/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x415eed7) #30 0x1070400a6 in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/ajuma/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x197e0a6) #31 0x107719216 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/ajuma/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x2057216) #32 0x107718823 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/ajuma/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x2056823) #33 0x10700417a in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/ajuma/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x194217a) #34 0x105745f8e in IPC::Connection::dispatchMessage(IPC::Decoder&) (/Users/ajuma/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x83f8e) #35 0x105746c08 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/ajuma/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x84c08) #36 0x10574776d in IPC::Connection::dispatchOneIncomingMessage() (/Users/ajuma/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x8576d) #37 0x12dc6aa0c in WTF::RunLoop::performWork() (/Users/ajuma/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xc7a0c) #38 0x12dc6dd75 in WTF::RunLoop::performWork(void*) (/Users/ajuma/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xcad75) #39 0x7fff34b86d51 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x83d51) #40 0x7fff34b86cf0 in __CFRunLoopDoSource0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x83cf0) #41 0x7fff34b86b0a in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x83b0a) #42 0x7fff34b85839 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x82839) #43 0x7fff34b84e3d in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x81e3d) #44 0x7fff372201c7 in -[NSRunLoop(NSRunLoop) runMode:beforeDate:] (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x601c7) #45 0x7fff372d2c6e in -[NSRunLoop(NSRunLoop) run] (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x112c6e) #46 0x7fff6ee824e9 in _xpc_objc_main.cold.4 (/usr/lib/system/libxpc.dylib:x86_64+0x164e9) #47 0x7fff6ee8242f in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x1642f) #48 0x7fff6ee81f62 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0x15f62) #49 0x1060bfac4 in WebKit::XPCServiceMain(int, char const**) (/Users/ajuma/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x9fdac4) #50 0x7fff6ec34cc8 in start (/usr/lib/system/libdyld.dylib:x86_64+0x1acc8) ==97273==Register values: rax = 0x0000100000000000 rbx = 0x0000000000000000 rcx = 0x00001c1e000034f2 rdx = 0x0000000000000000 rdi = 0x0000000000000000 rsi = 0x000060f00001a738 rbp = 0x00007ffeec6f3e00 rsp = 0x00007ffeec6f3dd0 r8 = 0x0000200000000000 r9 = 0x00000fffffffffff r10 = 0x0000000000000000 r11 = 0xffffffffffffffff r12 = 0x000010000000000c r13 = 0x00001fffdd8de7cc r14 = 0x0000000000000060 r15 = 0x000060300016efb0 1689548 1 webkit-bug-importer 2020-09-17 12:18:44 -0700 <rdar://problem/69087507> 1719274 2 417528 fred.wang 2021-01-13 06:26:53 -0800 Created attachment 417528 Further reduction This reduces to letter-spacing: -webkit-calc(1ex); text-rendering: geometricPrecision; 1719290 3 417533 fred.wang 2021-01-13 08:09:58 -0800 Created attachment 417533 Patch 1719396 4 rniwa 2021-01-13 13:02:01 -0800 I guess there is no security implication here? 1720844 5 fred.wang 2021-01-20 01:52:01 -0800 (In reply to Ryosuke Niwa from comment #4) > I guess there is no security implication here? So basically CSSPrimitiveValue::computeNonCalcLengthDouble may need to call conversionData.style()->fontMetrics() which will in turn calls FontCascade::primaryFont() and hits a null pointer m_fonts ; so I'm not a security expert but my understanding is that there is no way to exploit this. 1721056 6 417533 rniwa 2021-01-20 17:47:13 -0800 Comment on attachment 417533 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=417533&action=review > Source/WebCore/style/StyleBuilderCustom.h:-657 > - if (is<CSSPrimitiveValue>(value) && downcast<CSSPrimitiveValue>(value).isFontRelativeLength()) Okay, I was initially concerned that isFontRelativeLength will do out-of-bound memory access in release builds but m_primitiveUnitType is a member of CSSValue so this should be fine. 1721106 7 ews-feeder 2021-01-21 01:51:16 -0800 Committed r271688: <https://trac.webkit.org/changeset/271688> All reviewed patches have been landed. Closing bug and clearing flags on attachment 417533. 409055 2020-09-17 12:18:30 -0700 2020-09-17 12:18:30 -0700 Minimized test case fontCascadefonts.html text/html 527 ajuma PHN0eWxlIHhtbDpsYW5nPSJlbiIgdHlwZT0idGV4dC9jc3MiPg0KLkNMQVNTMTB7LXdlYmtpdC1j b2x1bW4tY291bnQ6YXV0bzstd2Via2l0LWxpbmUtYm94LWNvbnRhaW46aW5saW5lLWJveCAhaW1w b3J0YW50Oy13ZWJraXQtbWFyZ2luLXRvcC1jb2xsYXBzZTppbmhlcml0O2xldHRlci1zcGFjaW5n Oi13ZWJraXQtY2FsYygzLjFleCk7cGFkZGluZzppbmhlcml0O2NvbnRlbnQ6YXR0cihjb2xvci1y ZW5kZXJpbmcpO3RleHQtYWxpZ246bGVmdCAnRi5cRH5EfTprL1xcIEwufCs3KkgqbkJaUzh8ZGZf QCxdKkcyelJ9VTskYlwoMWB9VXpkfUo/TG1BRSAuZE4yIjx5LkIrLFxEIDZcOXRbIy0zcmRcRFxc XCgtXURvczxrXCc3WkF+VkFnLDE+bHhjXFwjIm0te1xBd1QuZlMlY1xcOVwpTSA7M1BeNnhQOWdy Rm9PMEpcKSc7dGV4dC1yZW5kZXJpbmc6Z2VvbWV0cmljUHJlY2lzaW9uOy13ZWJraXQtdGV4dC1z dHJva2Utd2lkdGg6Ny41ZW07Y2xlYXI6Ym90aDt9DQo8L3N0eWxlPjxvcHRpb24gY2xhc3M9IkNM QVNTMTAgQ0xBU1MzIj4= 417528 2021-01-13 06:26:53 -0800 2021-01-13 06:26:53 -0800 Further reduction fontCascadefonts.html text/html 112 fred.wang PHN0eWxlPgogIGJvZHl7CiAgICAgIGxldHRlci1zcGFjaW5nOiAtd2Via2l0LWNhbGMoMWV4KTsK ICAgICAgdGV4dC1yZW5kZXJpbmc6IGdlb21ldHJpY1ByZWNpc2lvbjsKICB9Cjwvc3R5bGU+Cg== 417533 2021-01-13 08:09:58 -0800 2021-01-21 01:51:17 -0800 Patch 0001-Bug-216659.patch text/plain 4663 fred.wang RnJvbSBkNTMwZjcwOTk2YmQzNmI4NTVjNmY4NTYwYmRiM2Y0MjE0NThhMGQ0IE1vbiBTZXAgMTcg MDA6MDA6MDAgMjAwMQpGcm9tOiA9P1VURi04P3E/RnI9QzM9QTlkPUMzPUE5cmljPTIwV2FuZz89 IDxmd2FuZ0BpZ2FsaWEuY29tPgpEYXRlOiBXZWQsIDEzIEphbiAyMDIxIDE3OjA4OjUzICswMTAw ClN1YmplY3Q6IFtQQVRDSF0gQnVnIDIxNjY1OQoKLS0tCiBMYXlvdXRUZXN0cy9DaGFuZ2VMb2cg ICAgICAgICAgICAgICAgICAgICAgICAgIHwgMTAgKysrKysrKysrKwogLi4udGgtZm9udC1yZWxh dGl2ZS1sZW5ndGhzLWNyYXNoLWV4cGVjdGVkLnR4dCB8ICAxICsKIC4uLi1jYWxjLXdpdGgtZm9u dC1yZWxhdGl2ZS1sZW5ndGhzLWNyYXNoLmh0bWwgfCAxMyArKysrKysrKysrKysrCiBTb3VyY2Uv V2ViQ29yZS9DaGFuZ2VMb2cgICAgICAgICAgICAgICAgICAgICAgIHwgMTggKysrKysrKysrKysr KysrKysrCiBTb3VyY2UvV2ViQ29yZS9zdHlsZS9TdHlsZUJ1aWxkZXJDdXN0b20uaCAgICAgIHwg IDcgKysrKystLQogNSBmaWxlcyBjaGFuZ2VkLCA0NyBpbnNlcnRpb25zKCspLCAyIGRlbGV0aW9u cygtKQogY3JlYXRlIG1vZGUgMTAwNjQ0IExheW91dFRlc3RzL2Zhc3QvY3NzL2xldHRlci1zcGFj aW5nLWNhbGMtd2l0aC1mb250LXJlbGF0aXZlLWxlbmd0aHMtY3Jhc2gtZXhwZWN0ZWQudHh0CiBj cmVhdGUgbW9kZSAxMDA2NDQgTGF5b3V0VGVzdHMvZmFzdC9jc3MvbGV0dGVyLXNwYWNpbmctY2Fs Yy13aXRoLWZvbnQtcmVsYXRpdmUtbGVuZ3Rocy1jcmFzaC5odG1sCgpkaWZmIC0tZ2l0IGEvTGF5 b3V0VGVzdHMvQ2hhbmdlTG9nIGIvTGF5b3V0VGVzdHMvQ2hhbmdlTG9nCmluZGV4IDdkZjRjNWFi Y2EuLjlkMGJjNGY4MGEgMTAwNjQ0Ci0tLSBhL0xheW91dFRlc3RzL0NoYW5nZUxvZworKysgYi9M YXlvdXRUZXN0cy9DaGFuZ2VMb2cKQEAgLTEsMyArMSwxMyBAQAorMjAyMS0wMS0xMyAgRnJlZGVy aWMgV2FuZyAgPGZ3YW5nQGlnYWxpYS5jb20+CisKKyAgICAgICAgVXBkYXRlIGZvbnQgd2hlbiBy ZXNvbHZpbmcgbGV0dGVyLXNwYWNpbmc6IGNhbGMoLi4uKSB2YWx1ZXMKKyAgICAgICAgaHR0cHM6 Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTIxNjY1OQorCisgICAgICAgIFJldmll d2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgICogZmFzdC9jc3MvbGV0dGVyLXNwYWNp bmctY2FsYy13aXRoLWZvbnQtcmVsYXRpdmUtbGVuZ3Rocy1jcmFzaC1leHBlY3RlZC50eHQ6IEFk ZGVkLgorICAgICAgICAqIGZhc3QvY3NzL2xldHRlci1zcGFjaW5nLWNhbGMtd2l0aC1mb250LXJl bGF0aXZlLWxlbmd0aHMtY3Jhc2guaHRtbDogQWRkZWQuCisKIDIwMjEtMDEtMTIgIFBlbmcgTGl1 ICA8cGVuZy5saXU2QGFwcGxlLmNvbT4KIAogICAgICAgICBSRUdSRVNTSU9OIChyMjcxMzQxKTog bWVkaWEvbW9kZXJuLW1lZGlhLWNvbnRyb2xzL21lZGlhLWNvbnRyb2xsZXIvbWVkaWEtY29udHJv bGxlci1pbmxpbmUtdG8tZnVsbHNjcmVlbi10by1pbmxpbmUuaHRtbCBpcyB0aW1pbmcgb3V0CmRp ZmYgLS1naXQgYS9MYXlvdXRUZXN0cy9mYXN0L2Nzcy9sZXR0ZXItc3BhY2luZy1jYWxjLXdpdGgt Zm9udC1yZWxhdGl2ZS1sZW5ndGhzLWNyYXNoLWV4cGVjdGVkLnR4dCBiL0xheW91dFRlc3RzL2Zh c3QvY3NzL2xldHRlci1zcGFjaW5nLWNhbGMtd2l0aC1mb250LXJlbGF0aXZlLWxlbmd0aHMtY3Jh c2gtZXhwZWN0ZWQudHh0Cm5ldyBmaWxlIG1vZGUgMTAwNjQ0CmluZGV4IDAwMDAwMDAwMDAuLjY1 NGRkZjdmMTcKLS0tIC9kZXYvbnVsbAorKysgYi9MYXlvdXRUZXN0cy9mYXN0L2Nzcy9sZXR0ZXIt c3BhY2luZy1jYWxjLXdpdGgtZm9udC1yZWxhdGl2ZS1sZW5ndGhzLWNyYXNoLWV4cGVjdGVkLnR4 dApAQCAtMCwwICsxIEBACitUaGlzIHRlc3QgcGFzc2VzIGlmIGl0IGRvZXMgbm90IGNyYXNoLgpk aWZmIC0tZ2l0IGEvTGF5b3V0VGVzdHMvZmFzdC9jc3MvbGV0dGVyLXNwYWNpbmctY2FsYy13aXRo LWZvbnQtcmVsYXRpdmUtbGVuZ3Rocy1jcmFzaC5odG1sIGIvTGF5b3V0VGVzdHMvZmFzdC9jc3Mv bGV0dGVyLXNwYWNpbmctY2FsYy13aXRoLWZvbnQtcmVsYXRpdmUtbGVuZ3Rocy1jcmFzaC5odG1s Cm5ldyBmaWxlIG1vZGUgMTAwNjQ0CmluZGV4IDAwMDAwMDAwMDAuLjA1YjcyZWI3NTkKLS0tIC9k ZXYvbnVsbAorKysgYi9MYXlvdXRUZXN0cy9mYXN0L2Nzcy9sZXR0ZXItc3BhY2luZy1jYWxjLXdp dGgtZm9udC1yZWxhdGl2ZS1sZW5ndGhzLWNyYXNoLmh0bWwKQEAgLTAsMCArMSwxMyBAQAorPCFk b2N0eXBlPgorPHN0eWxlPgorICBib2R5IHsKKyAgICAgIHRleHQtcmVuZGVyaW5nOiBvcHRpbWl6 ZUxlZ2liaWxpdHk7CisgICAgICBsZXR0ZXItc3BhY2luZzogY2FsYygxZXggKyAxY2gpOworICB9 Cis8L3N0eWxlPgorPHNjcmlwdD4KKyAgICBpZiAod2luZG93LmludGVybmFscykgeworICAgICAg ICB0ZXN0UnVubmVyLmR1bXBBc1RleHQoKTsKKyAgICB9Cis8L3NjcmlwdD4KKzxwPlRoaXMgdGVz dCBwYXNzZXMgaWYgaXQgZG9lcyBub3QgY3Jhc2guPC9wPgpkaWZmIC0tZ2l0IGEvU291cmNlL1dl YkNvcmUvQ2hhbmdlTG9nIGIvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCmluZGV4IGJlYTNiMmE1 NzguLjczODg3YWE0ODMgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZworKysg Yi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKQEAgLTEsMyArMSwyMSBAQAorMjAyMS0wMS0xMyAg RnJlZGVyaWMgV2FuZyAgPGZ3YW5nQGlnYWxpYS5jb20+CisKKyAgICAgICAgVXBkYXRlIGZvbnQg d2hlbiByZXNvbHZpbmcgbGV0dGVyLXNwYWNpbmc6IGNhbGMoLi4uKSB2YWx1ZXMKKyAgICAgICAg aHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTIxNjY1OQorCisgICAgICAg IFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgIEluIGJ1ZyAxNzYyMTUsIG1h eWJlVXBkYXRlRm9udEZvckxldHRlclNwYWNpbmcgd2FzIGFkZGVkIHRvIGVuc3VyZSBhIGZvbnQg aXMgYXZhaWxhYmxlIGZvcgorICAgICAgICByZXNvbHV0aW9uIG9mIGxldHRlci1zcGFjaW5nIHZh bHVlcyB0aGF0IHJlbHkgb24gcmVsYXRpdmUgZm9udCBsZW5ndGhzLiBIb3dldmVyLCB0aGlzIGRv ZXMKKyAgICAgICAgbm90IHRha2UgaW50byBhY2NvdW50IHRoZSBjYXNlIHdoZW4gdGhlc2UgbGVu Z3RocyBhcmUgcGFydCBvZiBhIGNhbGMgZXhwcmVzc2lvbi4gSW4gb3JkZXIgdG8KKyAgICAgICAg a2VlcCB0aGluZ3Mgc2ltcGxlLCB0aGlzIHBhdGNoIHVuY29uZGl0aW9uYWxseSB1cGRhdGVzIHRo ZSBmb250IHdoZW4gbGV0dGVyLXNwYWNpbmcgaXMgYQorICAgICAgICBjYWxjIGV4cHJlc3Npb24u CisKKyAgICAgICAgVGVzdDogZmFzdC9jc3MvbGV0dGVyLXNwYWNpbmctY2FsYy13aXRoLWZvbnQt cmVsYXRpdmUtbGVuZ3Rocy1jcmFzaC5odG1sCisKKyAgICAgICAgKiBzdHlsZS9TdHlsZUJ1aWxk ZXJDdXN0b20uaDoKKyAgICAgICAgKFdlYkNvcmU6OlN0eWxlOjptYXliZVVwZGF0ZUZvbnRGb3JM ZXR0ZXJTcGFjaW5nKToKKwogMjAyMS0wMS0xMiAgSmVyIE5vYmxlICA8amVyLm5vYmxlQGFwcGxl LmNvbT4KIAogICAgICAgICBbQ29jb2FdIFN1cHBvcnQga2V5IHJvdGF0aW9uIHdpdGggSExTLWJh Y2tlZCBlbmNyeXB0ZWQgbWVkaWEgc3RyZWFtcwpkaWZmIC0tZ2l0IGEvU291cmNlL1dlYkNvcmUv c3R5bGUvU3R5bGVCdWlsZGVyQ3VzdG9tLmggYi9Tb3VyY2UvV2ViQ29yZS9zdHlsZS9TdHlsZUJ1 aWxkZXJDdXN0b20uaAppbmRleCBhMWE3MmFiNzRlLi4yOTBkZTQ1MzVmIDEwMDY0NAotLS0gYS9T b3VyY2UvV2ViQ29yZS9zdHlsZS9TdHlsZUJ1aWxkZXJDdXN0b20uaAorKysgYi9Tb3VyY2UvV2Vi Q29yZS9zdHlsZS9TdHlsZUJ1aWxkZXJDdXN0b20uaApAQCAtNjU0LDggKzY1NCwxMSBAQCB2b2lk IG1heWJlVXBkYXRlRm9udEZvckxldHRlclNwYWNpbmcoQnVpbGRlclN0YXRlJiBidWlsZGVyU3Rh dGUsIENTU1ZhbHVlJiB2YWx1ZQogICAgIC8vIGFjdHVhbGx5IGEgZm9udC1yZWxhdGl2ZSB1bml0 IHBhc3NlZCB0byBsZXR0ZXItc3BhY2luZywgYW5kIDIuIHVwZGF0ZUZvbnQoKSBpbnRlcm5hbGx5 IGhhcyBsb2dpYwogICAgIC8vIHRvIG9ubHkgZG8gd29yayBpZiB0aGUgZm9udCBpcyBhY3R1YWxs eSBkaXJ0eS4KIAotICAgIGlmIChpczxDU1NQcmltaXRpdmVWYWx1ZT4odmFsdWUpICYmIGRvd25j YXN0PENTU1ByaW1pdGl2ZVZhbHVlPih2YWx1ZSkuaXNGb250UmVsYXRpdmVMZW5ndGgoKSkKLSAg ICAgICAgYnVpbGRlclN0YXRlLnVwZGF0ZUZvbnQoKTsKKyAgICBpZiAoaXM8Q1NTUHJpbWl0aXZl VmFsdWU+KHZhbHVlKSkgeworICAgICAgICBhdXRvJiBwcmltaXRpdmVWYWx1ZSA9IGRvd25jYXN0 PENTU1ByaW1pdGl2ZVZhbHVlPih2YWx1ZSk7CisgICAgICAgIGlmIChwcmltaXRpdmVWYWx1ZS5p c0ZvbnRSZWxhdGl2ZUxlbmd0aCgpIHx8IHByaW1pdGl2ZVZhbHVlLmlzQ2FsY3VsYXRlZCgpKQor ICAgICAgICAgICAgYnVpbGRlclN0YXRlLnVwZGF0ZUZvbnQoKTsKKyAgICB9CiB9CiAKIGlubGlu ZSB2b2lkIEJ1aWxkZXJDdXN0b206OmFwcGx5VmFsdWVMZXR0ZXJTcGFjaW5nKEJ1aWxkZXJTdGF0 ZSYgYnVpbGRlclN0YXRlLCBDU1NWYWx1ZSYgdmFsdWUpCi0tIAoyLjI5LjIKCg==