230391 2021-09-17 00:20:57 -0700 DFG strength reduction on % operator should handle an INT_MIN divisor. 2021-09-29 22:27:56 -0700 1 1 1 Unclassified WebKit JavaScriptCore WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 1214wjllz mark.lam bfulgham ews-watchlist keith_miller mark.lam msaboff product-security rmorisset saam tzagallo webkit-bug-importer oldest_to_newest 1794360 0 1214wjllz 2021-09-17 00:20:57 -0700 Hi, I want to report a bug to u. This is the first time I try to report a bug. So if anything is wrong, I will sorry about this. The bug at |DFGStrengthReductionPhase|, when it deal ArithMod instruction(https://github.com/WebKit/WebKit/blob/main/Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp#L191): case ArithMod: // On Integers // In: ArithMod(ArithMod(x, const1), const2) // Out: Identity(ArithMod(x, const1)) // if const1 <= const2. if (m_node->binaryUseKind() == Int32Use && m_node->child2()->isInt32Constant() && m_node->child1()->op() == ArithMod && m_node->child1()->binaryUseKind() == Int32Use && m_node->child1()->child2()->isInt32Constant() && std::abs(m_node->child1()->child2()->asInt32()) <= std::abs(m_node->child2()->asInt32())) { convertToIdentityOverChild1(); } break; the optimize is so simple, like this: ```c++ let x1 = n % 10; // [+] @a let x2 = x1 % 14; // [+] @b ``` at here, @a we could ensure x1 < 10, then we know 10 < 14, so we think we could remove @b. However, the wrong part is this: `` std::abs(m_node->child1()->child2()->asInt32()) ``` assume |m_node->child1()->child2()->asInt32()| value is |INT_MIN|, |@x: "-2147483648"|, we should got |@y: "2147483648"|, @y > INT_MAX. so interger overflow will happend. ## poc part My poc like this, It could trigger in safari newest version(14.1.2). ``` js let hot_count = 0x1000000; function jit(num){ num |= 0; // [+] without this, num will be (SpecNonBoolInt32 | SpecNonIntAsDouble), which won't got this let x1 = num % -2147483648; let x2 = x1 % 5; // [+] here is emmmmm... if(x2 > 9){ // [+] shold be here... print("[+] magic happend, sir!"); return x2; // [+] I am already calc } return x1 + x2; } for(let i = 0; i < hot_count; i++){ jit(-(i % 10)); } let MAGIC_INT = 10; // [+] if |0x80000000| be thought as a INT, which should be INT_MIN let res = jit(MAGIC_INT); print("[+] the result is: " + res); // [+] should be 0x80000000, error output -2147483648 ``` if u run the poc, you could see x2 is |10|, obviously it should be 0(10 % 5 == 0). ## exploit part I am so sorry, I don't archive exploit part. I try to use this bug to eliminate boundCheck, but Finally I don't find a way. The DFGInterger range analysis part use |executeNode| to determine value's range, but ArithMod aren't be here. I did some source code review, and found seems, if we have a code like this: ```js let x = n % 100; ``` Seems jsc can't aware that x will be: (x > -100 %% x < 100). But the bug seems as this two bug(and another v8's bug), So I decide to report it as a security vulnerablity: - @1: https://googleprojectzero.blogspot.com/2020/09/jitsploitation-one.html - @2: https://bugs.webkit.org/show_bug.cgi?id=229869 @2 seems is found by apple self, seems It is hard to found it by fuzz, I have no idea How can Convert it to a security issue, maybe the bug report know that. But I have not ability to access it. ## another I am sorry for my bad English, sorry.... 1794361 1 webkit-bug-importer 2021-09-17 00:21:13 -0700 <rdar://problem/83229740> 1794362 2 1214wjllz 2021-09-17 00:28:49 -0700 The js code has some commit in it... which is wrong, I just changed another bug's poc, and forget delete it. I am so sorry for that part. But the bug is so simple(maybe...), hope it won't confuse u. 1794384 3 1214wjllz 2021-09-17 02:32:29 -0700 By the way, the patch for the bug is simple, add a check like this(https://github.com/WebKit/WebKit/blob/main/Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp#L166). if(m_node->child1()->child2()->asInt32() == INT_MIN){ break; // [+] don't optimize it, otherwise it will trigger integer overflow } 1796321 4 1214wjllz 2021-09-22 19:07:42 -0700 hi. nobody care about this? 1796322 5 bfulgham 2021-09-22 19:23:21 -0700 (In reply to wjllz from comment #4) > hi. nobody care about this? We are looking into it and will respond soon. I apologize for the delay. 1796369 6 1214wjllz 2021-09-22 22:15:03 -0700 (In reply to Brent Fulgham from comment #5) > (In reply to wjllz from comment #4) > > hi. nobody care about this? > > We are looking into it and will respond soon. I apologize for the delay. It's ok, It's my wrong. This is my first time try to report bug to safari, so I don't know I find the right way to report it. So I ask this question(comment 4)... I don't find any useful information about webkit's bounty system... so It make me confusion. Thanks for your reply. 1797992 7 mark.lam 2021-09-28 12:20:46 -0700 I'm currently investigating this issue. I'm not sure it's really a security issue yet, but will find out soon. 1798461 8 mark.lam 2021-09-29 11:12:43 -0700 This is not a security issue because there's no way to use the resultant integer to access memory. Any memory access based on the resultant integer thereafter will still do the needed bounds checks. 1798571 9 mark.lam 2021-09-29 14:33:15 -0700 Thanks for the bug report. Fix coming soon. 1798574 10 439662 mark.lam 2021-09-29 14:40:26 -0700 Created attachment 439662 proposed patch. 1798638 11 439674 mark.lam 2021-09-29 15:58:51 -0700 Created attachment 439674 proposed patch. 1798640 12 439675 mark.lam 2021-09-29 16:00:37 -0700 Created attachment 439675 proposed patch. 1798645 13 439675 rmorisset 2021-09-29 16:02:58 -0700 Comment on attachment 439675 proposed patch. r=me 1798755 14 439675 mark.lam 2021-09-29 22:11:23 -0700 Comment on attachment 439675 proposed patch. Thanks for the review. Landing now. 1798758 15 ews-feeder 2021-09-29 22:27:54 -0700 Committed r283300 (242325@main): <https://commits.webkit.org/242325@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 439675. 439662 2021-09-29 14:40:26 -0700 2021-09-29 15:46:16 -0700 proposed patch. bug-230391.patch text/plain 3368 mark.lam SW5kZXg6IEpTVGVzdHMvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIEpTVGVzdHMvQ2hhbmdlTG9n CShyZXZpc2lvbiAyODMyNjMpCisrKyBKU1Rlc3RzL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpA QCAtMSwzICsxLDEzIEBACisyMDIxLTA5LTI5ICBNYXJrIExhbSAgPG1hcmsubGFtQGFwcGxlLmNv bT4KKworICAgICAgICBERkcgc3RyZW5ndGggcmVkdWN0aW9uIG9uICUgb3BlcmF0b3Igc2hvdWxk IGhhbmRsZSBhbiBJTlRfTUlOIGRpdmlzb3IuCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQu b3JnL3Nob3dfYnVnLmNnaT9pZD0yMzAzOTEKKyAgICAgICAgPHJkYXI6Ly9wcm9ibGVtLzgzMjI5 NzQwPgorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgICog c3RyZXNzL2RmZy1zdHJlbmd0aC1yZWR1Y3Rpb24tb24tbW9kLXNob3VsZC1oYW5kbGUtSU5UX01J Ti5qczogQWRkZWQuCisKIDIwMjEtMDktMjkgIFNhYW0gQmFyYXRpICA8c2JhcmF0aUBhcHBsZS5j b20+CiAKICAgICAgICAgQ29kZSBpbnNpZGUgc3RyZW5ndGggcmVkdWN0aW9uIGNhbiBpbmNvcnJl Y3RseSBwcm92ZSB0aGF0IHdlIGtub3cgd2hhdCBsYXN0SW5kZXggaXMKSW5kZXg6IEpTVGVzdHMv c3RyZXNzL2RmZy1zdHJlbmd0aC1yZWR1Y3Rpb24tb24tbW9kLXNob3VsZC1oYW5kbGUtSU5UX01J Ti5qcwo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09Ci0tLSBKU1Rlc3RzL3N0cmVzcy9kZmctc3RyZW5ndGgtcmVkdWN0aW9u LW9uLW1vZC1zaG91bGQtaGFuZGxlLUlOVF9NSU4uanMJKG5vbmV4aXN0ZW50KQorKysgSlNUZXN0 cy9zdHJlc3MvZGZnLXN0cmVuZ3RoLXJlZHVjdGlvbi1vbi1tb2Qtc2hvdWxkLWhhbmRsZS1JTlRf TUlOLmpzCSh3b3JraW5nIGNvcHkpCkBAIC0wLDAgKzEsMTEgQEAKK2Z1bmN0aW9uIGZvbyhudW0p IHsKKyAgICBudW0gfD0gMDsKKyAgICBsZXQgeDEgPSBudW0gJSAtMjE0NzQ4MzY0ODsKKyAgICBs ZXQgeDIgPSB4MSAlIDU7CisKKyAgICBpZiAoeDIgPiA1KQorICAgICAgICB0aHJvdyAiRXJyb3Ii OworfQorCitmb3IgKGxldCBpID0gMDsgaSA8IDEwMDAwOyBpKyspCisgICAgZm9vKGkpOwpJbmRl eDogU291cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2Uv SmF2YVNjcmlwdENvcmUvQ2hhbmdlTG9nCShyZXZpc2lvbiAyODMyNjEpCisrKyBTb3VyY2UvSmF2 YVNjcmlwdENvcmUvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBAIC0xLDMgKzEsMTQgQEAKKzIw MjEtMDktMjkgIE1hcmsgTGFtICA8bWFyay5sYW1AYXBwbGUuY29tPgorCisgICAgICAgIERGRyBz dHJlbmd0aCByZWR1Y3Rpb24gb24gJSBvcGVyYXRvciBzaG91bGQgaGFuZGxlIGFuIElOVF9NSU4g ZGl2aXNvci4KKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lk PTIzMDM5MQorICAgICAgICA8cmRhcjovL3Byb2JsZW0vODMyMjk3NDA+CisKKyAgICAgICAgUmV2 aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgKiBkZmcvREZHU3RyZW5ndGhSZWR1 Y3Rpb25QaGFzZS5jcHA6CisgICAgICAgIChKU0M6OkRGRzo6U3RyZW5ndGhSZWR1Y3Rpb25QaGFz ZTo6aGFuZGxlTm9kZSk6CisKIDIwMjEtMDktMjkgIFl1c3VrZSBTdXp1a2kgIDx5c3V6dWtpQGFw cGxlLmNvbT4KIAogICAgICAgICBbSlNDXSBSZW1vdmUgQ29kZUJsb2NrOjptX2xsaW50RXhlY3V0 ZUNvdW50ZXIKSW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9kZmcvREZHU3RyZW5ndGhSZWR1 Y3Rpb25QaGFzZS5jcHAKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291cmNlL0phdmFTY3JpcHRDb3JlL2RmZy9E RkdTdHJlbmd0aFJlZHVjdGlvblBoYXNlLmNwcAkocmV2aXNpb24gMjgzMjYxKQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL2RmZy9ERkdTdHJlbmd0aFJlZHVjdGlvblBoYXNlLmNwcAkod29ya2lu ZyBjb3B5KQpAQCAtMSw1ICsxLDUgQEAKIC8qCi0gKiBDb3B5cmlnaHQgKEMpIDIwMTMtMjAxOSBB cHBsZSBJbmMuIEFsbCByaWdodHMgcmVzZXJ2ZWQuCisgKiBDb3B5cmlnaHQgKEMpIDIwMTMtMjAy MSBBcHBsZSBJbmMuIEFsbCByaWdodHMgcmVzZXJ2ZWQuCiAgKgogICogUmVkaXN0cmlidXRpb24g YW5kIHVzZSBpbiBzb3VyY2UgYW5kIGJpbmFyeSBmb3Jtcywgd2l0aCBvciB3aXRob3V0CiAgKiBt b2RpZmljYXRpb24sIGFyZSBwZXJtaXR0ZWQgcHJvdmlkZWQgdGhhdCB0aGUgZm9sbG93aW5nIGNv bmRpdGlvbnMKQEAgLTE5Nyw4ICsxOTcsMTUgQEAgcHJpdmF0ZToKICAgICAgICAgICAgICAgICAm JiBtX25vZGUtPmNoaWxkMigpLT5pc0ludDMyQ29uc3RhbnQoKQogICAgICAgICAgICAgICAgICYm IG1fbm9kZS0+Y2hpbGQxKCktPm9wKCkgPT0gQXJpdGhNb2QKICAgICAgICAgICAgICAgICAmJiBt X25vZGUtPmNoaWxkMSgpLT5iaW5hcnlVc2VLaW5kKCkgPT0gSW50MzJVc2UKLSAgICAgICAgICAg ICAgICAmJiBtX25vZGUtPmNoaWxkMSgpLT5jaGlsZDIoKS0+aXNJbnQzMkNvbnN0YW50KCkKLSAg ICAgICAgICAgICAgICAmJiBzdGQ6OmFicyhtX25vZGUtPmNoaWxkMSgpLT5jaGlsZDIoKS0+YXNJ bnQzMigpKSA8PSBzdGQ6OmFicyhtX25vZGUtPmNoaWxkMigpLT5hc0ludDMyKCkpKSB7CisgICAg ICAgICAgICAgICAgJiYgbV9ub2RlLT5jaGlsZDEoKS0+Y2hpbGQyKCktPmlzSW50MzJDb25zdGFu dCgpKSB7CisKKyAgICAgICAgICAgICAgICBpbnQzMl90IGNvbnN0MUFic29sdXRlVmFsdWUgPSBz dGQ6OmFicyhtX25vZGUtPmNoaWxkMSgpLT5jaGlsZDIoKS0+YXNJbnQzMigpKTsKKyAgICAgICAg ICAgICAgICBpbnQzMl90IGNvbnN0MkFic29sdXRlVmFsdWUgPSBzdGQ6OmFicyhtX25vZGUtPmNo aWxkMigpLT5hc0ludDMyKCkpOworCisgICAgICAgICAgICAgICAgaWYgKGNvbnN0MUFic29sdXRl VmFsdWUgPCAwIHx8IGNvbnN0MkFic29sdXRlVmFsdWUgPCAwKQorICAgICAgICAgICAgICAgICAg ICBicmVhazsgLy8gb3ZlcmZsb3cuCisKKyAgICAgICAgICAgICAgICBpZiAoY29uc3QxQWJzb2x1 dGVWYWx1ZSA8PSBjb25zdDJBYnNvbHV0ZVZhbHVlKQogICAgICAgICAgICAgICAgICAgICBjb252 ZXJ0VG9JZGVudGl0eU92ZXJDaGlsZDEoKTsKICAgICAgICAgICAgIH0KICAgICAgICAgICAgIGJy ZWFrOwo= 439674 2021-09-29 15:58:51 -0700 2021-09-29 15:59:26 -0700 proposed patch. bug-230391.patch text/plain 3368 mark.lam SW5kZXg6IEpTVGVzdHMvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIEpTVGVzdHMvQ2hhbmdlTG9n CShyZXZpc2lvbiAyODMyNjMpCisrKyBKU1Rlc3RzL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpA QCAtMSwzICsxLDEzIEBACisyMDIxLTA5LTI5ICBNYXJrIExhbSAgPG1hcmsubGFtQGFwcGxlLmNv bT4KKworICAgICAgICBERkcgc3RyZW5ndGggcmVkdWN0aW9uIG9uICUgb3BlcmF0b3Igc2hvdWxk IGhhbmRsZSBhbiBJTlRfTUlOIGRpdmlzb3IuCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQu b3JnL3Nob3dfYnVnLmNnaT9pZD0yMzAzOTEKKyAgICAgICAgPHJkYXI6Ly9wcm9ibGVtLzgzMjI5 NzQwPgorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgICog c3RyZXNzL2RmZy1zdHJlbmd0aC1yZWR1Y3Rpb24tb24tbW9kLXNob3VsZC1oYW5kbGUtSU5UX01J Ti5qczogQWRkZWQuCisKIDIwMjEtMDktMjkgIFNhYW0gQmFyYXRpICA8c2JhcmF0aUBhcHBsZS5j b20+CiAKICAgICAgICAgQ29kZSBpbnNpZGUgc3RyZW5ndGggcmVkdWN0aW9uIGNhbiBpbmNvcnJl Y3RseSBwcm92ZSB0aGF0IHdlIGtub3cgd2hhdCBsYXN0SW5kZXggaXMKSW5kZXg6IEpTVGVzdHMv c3RyZXNzL2RmZy1zdHJlbmd0aC1yZWR1Y3Rpb24tb24tbW9kLXNob3VsZC1oYW5kbGUtSU5UX01J Ti5qcwo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09Ci0tLSBKU1Rlc3RzL3N0cmVzcy9kZmctc3RyZW5ndGgtcmVkdWN0aW9u LW9uLW1vZC1zaG91bGQtaGFuZGxlLUlOVF9NSU4uanMJKG5vbmV4aXN0ZW50KQorKysgSlNUZXN0 cy9zdHJlc3MvZGZnLXN0cmVuZ3RoLXJlZHVjdGlvbi1vbi1tb2Qtc2hvdWxkLWhhbmRsZS1JTlRf TUlOLmpzCSh3b3JraW5nIGNvcHkpCkBAIC0wLDAgKzEsMTEgQEAKK2Z1bmN0aW9uIGZvbyhudW0p IHsKKyAgICBudW0gfD0gMDsKKyAgICBsZXQgeDEgPSBudW0gJSAtMjE0NzQ4MzY0ODsKKyAgICBs ZXQgeDIgPSB4MSAlIDU7CisKKyAgICBpZiAoeDIgPiA1KQorICAgICAgICB0aHJvdyAiRXJyb3Ii OworfQorCitmb3IgKGxldCBpID0gMDsgaSA8IDEwMDAwOyBpKyspCisgICAgZm9vKGkpOwpJbmRl eDogU291cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2Uv SmF2YVNjcmlwdENvcmUvQ2hhbmdlTG9nCShyZXZpc2lvbiAyODMyNjEpCisrKyBTb3VyY2UvSmF2 YVNjcmlwdENvcmUvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBAIC0xLDMgKzEsMTQgQEAKKzIw MjEtMDktMjkgIE1hcmsgTGFtICA8bWFyay5sYW1AYXBwbGUuY29tPgorCisgICAgICAgIERGRyBz dHJlbmd0aCByZWR1Y3Rpb24gb24gJSBvcGVyYXRvciBzaG91bGQgaGFuZGxlIGFuIElOVF9NSU4g ZGl2aXNvci4KKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lk PTIzMDM5MQorICAgICAgICA8cmRhcjovL3Byb2JsZW0vODMyMjk3NDA+CisKKyAgICAgICAgUmV2 aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgKiBkZmcvREZHU3RyZW5ndGhSZWR1 Y3Rpb25QaGFzZS5jcHA6CisgICAgICAgIChKU0M6OkRGRzo6U3RyZW5ndGhSZWR1Y3Rpb25QaGFz ZTo6aGFuZGxlTm9kZSk6CisKIDIwMjEtMDktMjkgIFl1c3VrZSBTdXp1a2kgIDx5c3V6dWtpQGFw cGxlLmNvbT4KIAogICAgICAgICBbSlNDXSBSZW1vdmUgQ29kZUJsb2NrOjptX2xsaW50RXhlY3V0 ZUNvdW50ZXIKSW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9kZmcvREZHU3RyZW5ndGhSZWR1 Y3Rpb25QaGFzZS5jcHAKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291cmNlL0phdmFTY3JpcHRDb3JlL2RmZy9E RkdTdHJlbmd0aFJlZHVjdGlvblBoYXNlLmNwcAkocmV2aXNpb24gMjgzMjYxKQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL2RmZy9ERkdTdHJlbmd0aFJlZHVjdGlvblBoYXNlLmNwcAkod29ya2lu ZyBjb3B5KQpAQCAtMSw1ICsxLDUgQEAKIC8qCi0gKiBDb3B5cmlnaHQgKEMpIDIwMTMtMjAxOSBB cHBsZSBJbmMuIEFsbCByaWdodHMgcmVzZXJ2ZWQuCisgKiBDb3B5cmlnaHQgKEMpIDIwMTMtMjAy MSBBcHBsZSBJbmMuIEFsbCByaWdodHMgcmVzZXJ2ZWQuCiAgKgogICogUmVkaXN0cmlidXRpb24g YW5kIHVzZSBpbiBzb3VyY2UgYW5kIGJpbmFyeSBmb3Jtcywgd2l0aCBvciB3aXRob3V0CiAgKiBt b2RpZmljYXRpb24sIGFyZSBwZXJtaXR0ZWQgcHJvdmlkZWQgdGhhdCB0aGUgZm9sbG93aW5nIGNv bmRpdGlvbnMKQEAgLTE5Nyw4ICsxOTcsMTUgQEAgcHJpdmF0ZToKICAgICAgICAgICAgICAgICAm JiBtX25vZGUtPmNoaWxkMigpLT5pc0ludDMyQ29uc3RhbnQoKQogICAgICAgICAgICAgICAgICYm IG1fbm9kZS0+Y2hpbGQxKCktPm9wKCkgPT0gQXJpdGhNb2QKICAgICAgICAgICAgICAgICAmJiBt X25vZGUtPmNoaWxkMSgpLT5iaW5hcnlVc2VLaW5kKCkgPT0gSW50MzJVc2UKLSAgICAgICAgICAg ICAgICAmJiBtX25vZGUtPmNoaWxkMSgpLT5jaGlsZDIoKS0+aXNJbnQzMkNvbnN0YW50KCkKLSAg ICAgICAgICAgICAgICAmJiBzdGQ6OmFicyhtX25vZGUtPmNoaWxkMSgpLT5jaGlsZDIoKS0+YXNJ bnQzMigpKSA8PSBzdGQ6OmFicyhtX25vZGUtPmNoaWxkMigpLT5hc0ludDMyKCkpKSB7CisgICAg ICAgICAgICAgICAgJiYgbV9ub2RlLT5jaGlsZDEoKS0+Y2hpbGQyKCktPmlzSW50MzJDb25zdGFu dCgpKSB7CisKKyAgICAgICAgICAgICAgICBpbnQzMl90IGNvbnN0MUFic29sdXRlVmFsdWUgPSBz dGQ6OmFicyhtX25vZGUtPmNoaWxkMSgpLT5jaGlsZDIoKS0+YXNJbnQzMigpKTsKKyAgICAgICAg ICAgICAgICBpbnQzMl90IGNvbnN0MkFic29sdXRlVmFsdWUgPSBzdGQ6OmFicyhtX25vZGUtPmNo aWxkMigpLT5hc0ludDMyKCkpOworCisgICAgICAgICAgICAgICAgaWYgKGNvbnN0MUFic29sdXRl VmFsdWUgPCAwIHx8IGNvbnN0MkFic29sdXRlVmFsdWUgPCAwKQorICAgICAgICAgICAgICAgICAg ICBicmVhazsgLy8gb3ZlcmZsb3cuCisKKyAgICAgICAgICAgICAgICBpZiAoY29uc3QxQWJzb2x1 dGVWYWx1ZSA8PSBjb25zdDJBYnNvbHV0ZVZhbHVlKQogICAgICAgICAgICAgICAgICAgICBjb252 ZXJ0VG9JZGVudGl0eU92ZXJDaGlsZDEoKTsKICAgICAgICAgICAgIH0KICAgICAgICAgICAgIGJy ZWFrOwo= 439675 2021-09-29 16:00:37 -0700 2021-09-29 22:27:55 -0700 proposed patch. bug-230391.patch text/plain 3326 mark.lam SW5kZXg6IEpTVGVzdHMvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIEpTVGVzdHMvQ2hhbmdlTG9n CShyZXZpc2lvbiAyODMyNjMpCisrKyBKU1Rlc3RzL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpA QCAtMSwzICsxLDEzIEBACisyMDIxLTA5LTI5ICBNYXJrIExhbSAgPG1hcmsubGFtQGFwcGxlLmNv bT4KKworICAgICAgICBERkcgc3RyZW5ndGggcmVkdWN0aW9uIG9uICUgb3BlcmF0b3Igc2hvdWxk IGhhbmRsZSBhbiBJTlRfTUlOIGRpdmlzb3IuCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQu b3JnL3Nob3dfYnVnLmNnaT9pZD0yMzAzOTEKKyAgICAgICAgPHJkYXI6Ly9wcm9ibGVtLzgzMjI5 NzQwPgorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgICog c3RyZXNzL2RmZy1zdHJlbmd0aC1yZWR1Y3Rpb24tb24tbW9kLXNob3VsZC1oYW5kbGUtSU5UX01J Ti5qczogQWRkZWQuCisKIDIwMjEtMDktMjkgIFNhYW0gQmFyYXRpICA8c2JhcmF0aUBhcHBsZS5j b20+CiAKICAgICAgICAgQ29kZSBpbnNpZGUgc3RyZW5ndGggcmVkdWN0aW9uIGNhbiBpbmNvcnJl Y3RseSBwcm92ZSB0aGF0IHdlIGtub3cgd2hhdCBsYXN0SW5kZXggaXMKSW5kZXg6IEpTVGVzdHMv c3RyZXNzL2RmZy1zdHJlbmd0aC1yZWR1Y3Rpb24tb24tbW9kLXNob3VsZC1oYW5kbGUtSU5UX01J Ti5qcwo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09Ci0tLSBKU1Rlc3RzL3N0cmVzcy9kZmctc3RyZW5ndGgtcmVkdWN0aW9u LW9uLW1vZC1zaG91bGQtaGFuZGxlLUlOVF9NSU4uanMJKG5vbmV4aXN0ZW50KQorKysgSlNUZXN0 cy9zdHJlc3MvZGZnLXN0cmVuZ3RoLXJlZHVjdGlvbi1vbi1tb2Qtc2hvdWxkLWhhbmRsZS1JTlRf TUlOLmpzCSh3b3JraW5nIGNvcHkpCkBAIC0wLDAgKzEsMTEgQEAKK2Z1bmN0aW9uIGZvbyhudW0p IHsKKyAgICBudW0gfD0gMDsKKyAgICBsZXQgeDEgPSBudW0gJSAtMjE0NzQ4MzY0ODsKKyAgICBs ZXQgeDIgPSB4MSAlIDU7CisKKyAgICBpZiAoeDIgPiA1KQorICAgICAgICB0aHJvdyAiRXJyb3Ii OworfQorCitmb3IgKGxldCBpID0gMDsgaSA8IDEwMDAwOyBpKyspCisgICAgZm9vKGkpOwpJbmRl eDogU291cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2Uv SmF2YVNjcmlwdENvcmUvQ2hhbmdlTG9nCShyZXZpc2lvbiAyODMyNjEpCisrKyBTb3VyY2UvSmF2 YVNjcmlwdENvcmUvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBAIC0xLDMgKzEsMTQgQEAKKzIw MjEtMDktMjkgIE1hcmsgTGFtICA8bWFyay5sYW1AYXBwbGUuY29tPgorCisgICAgICAgIERGRyBz dHJlbmd0aCByZWR1Y3Rpb24gb24gJSBvcGVyYXRvciBzaG91bGQgaGFuZGxlIGFuIElOVF9NSU4g ZGl2aXNvci4KKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lk PTIzMDM5MQorICAgICAgICA8cmRhcjovL3Byb2JsZW0vODMyMjk3NDA+CisKKyAgICAgICAgUmV2 aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgKiBkZmcvREZHU3RyZW5ndGhSZWR1 Y3Rpb25QaGFzZS5jcHA6CisgICAgICAgIChKU0M6OkRGRzo6U3RyZW5ndGhSZWR1Y3Rpb25QaGFz ZTo6aGFuZGxlTm9kZSk6CisKIDIwMjEtMDktMjkgIFl1c3VrZSBTdXp1a2kgIDx5c3V6dWtpQGFw cGxlLmNvbT4KIAogICAgICAgICBbSlNDXSBSZW1vdmUgQ29kZUJsb2NrOjptX2xsaW50RXhlY3V0 ZUNvdW50ZXIKSW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9kZmcvREZHU3RyZW5ndGhSZWR1 Y3Rpb25QaGFzZS5jcHAKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291cmNlL0phdmFTY3JpcHRDb3JlL2RmZy9E RkdTdHJlbmd0aFJlZHVjdGlvblBoYXNlLmNwcAkocmV2aXNpb24gMjgzMjYxKQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL2RmZy9ERkdTdHJlbmd0aFJlZHVjdGlvblBoYXNlLmNwcAkod29ya2lu ZyBjb3B5KQpAQCAtMSw1ICsxLDUgQEAKIC8qCi0gKiBDb3B5cmlnaHQgKEMpIDIwMTMtMjAxOSBB cHBsZSBJbmMuIEFsbCByaWdodHMgcmVzZXJ2ZWQuCisgKiBDb3B5cmlnaHQgKEMpIDIwMTMtMjAy MSBBcHBsZSBJbmMuIEFsbCByaWdodHMgcmVzZXJ2ZWQuCiAgKgogICogUmVkaXN0cmlidXRpb24g YW5kIHVzZSBpbiBzb3VyY2UgYW5kIGJpbmFyeSBmb3Jtcywgd2l0aCBvciB3aXRob3V0CiAgKiBt b2RpZmljYXRpb24sIGFyZSBwZXJtaXR0ZWQgcHJvdmlkZWQgdGhhdCB0aGUgZm9sbG93aW5nIGNv bmRpdGlvbnMKQEAgLTE5Nyw4ICsxOTcsMTUgQEAgcHJpdmF0ZToKICAgICAgICAgICAgICAgICAm JiBtX25vZGUtPmNoaWxkMigpLT5pc0ludDMyQ29uc3RhbnQoKQogICAgICAgICAgICAgICAgICYm IG1fbm9kZS0+Y2hpbGQxKCktPm9wKCkgPT0gQXJpdGhNb2QKICAgICAgICAgICAgICAgICAmJiBt X25vZGUtPmNoaWxkMSgpLT5iaW5hcnlVc2VLaW5kKCkgPT0gSW50MzJVc2UKLSAgICAgICAgICAg ICAgICAmJiBtX25vZGUtPmNoaWxkMSgpLT5jaGlsZDIoKS0+aXNJbnQzMkNvbnN0YW50KCkKLSAg ICAgICAgICAgICAgICAmJiBzdGQ6OmFicyhtX25vZGUtPmNoaWxkMSgpLT5jaGlsZDIoKS0+YXNJ bnQzMigpKSA8PSBzdGQ6OmFicyhtX25vZGUtPmNoaWxkMigpLT5hc0ludDMyKCkpKSB7CisgICAg ICAgICAgICAgICAgJiYgbV9ub2RlLT5jaGlsZDEoKS0+Y2hpbGQyKCktPmlzSW50MzJDb25zdGFu dCgpKSB7CisKKyAgICAgICAgICAgICAgICBpbnQzMl90IGNvbnN0MSA9IG1fbm9kZS0+Y2hpbGQx KCktPmNoaWxkMigpLT5hc0ludDMyKCk7CisgICAgICAgICAgICAgICAgaW50MzJfdCBjb25zdDIg PSBtX25vZGUtPmNoaWxkMigpLT5hc0ludDMyKCk7CisKKyAgICAgICAgICAgICAgICBpZiAoY29u c3QxID09IElOVF9NSU4gfHwgY29uc3QyID09IElOVF9NSU4pCisgICAgICAgICAgICAgICAgICAg IGJyZWFrOyAvLyBzdGQ6OmFicyhJTlRfTUlOKSBpcyB1bmRlZmluZWQuCisKKyAgICAgICAgICAg ICAgICBpZiAoc3RkOjphYnMoY29uc3QxKSA8PSBzdGQ6OmFicyhjb25zdDIpKQogICAgICAgICAg ICAgICAgICAgICBjb252ZXJ0VG9JZGVudGl0eU92ZXJDaGlsZDEoKTsKICAgICAgICAgICAgIH0K ICAgICAgICAgICAgIGJyZWFrOwo=