Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1waDwI-001cLx-1x for pgsql-bugs@arkaria.postgresql.org; Thu, 18 Jun 2026 14:41:54 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1waDwG-00BxCe-0z for pgsql-bugs@arkaria.postgresql.org; Thu, 18 Jun 2026 14:41:52 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1waDwF-00BxCW-2a for pgsql-bugs@lists.postgresql.org; Thu, 18 Jun 2026 14:41:52 +0000 Received: from mail-yw1-x1129.google.com ([2607:f8b0:4864:20::1129]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.98.2) (envelope-from ) id 1waDw8-00000000zCx-4BeZ for pgsql-bugs@lists.postgresql.org; Thu, 18 Jun 2026 14:41:45 +0000 Received: by mail-yw1-x1129.google.com with SMTP id 00721157ae682-7e0aa486af8so20509617b3.1 for ; Thu, 18 Jun 2026 07:41:44 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1781793704; cv=none; d=google.com; s=arc-20240605; b=doKg5AluUU0bAc0mHgjlHO0MWyknl0yepzqkoUjaXcc5IhACwwj42FY1vtnL/OyXl4 YKSGryXEWKiFt1xyJ/btjqTJQFkIf9HkG8M7EflrVdJVBGK4Q1H6PwLx6bkWef5/LN4n UqrbTNvaNlsxbuQ38x/VYpaWE4/39H82PrOtxRUAOV+qakXTIW0K0jwqq5h4wVTRUuS+ qPkMFc8utsBjHSe+0wkrjlbafMycgDPT5MPjtTHG6dAHeE8JZRra3EjxORuTr1q7jsHp y5ijhgZ9+Eh99ej+/b/pQnEIG4cpJ8SRNBPsYSO2ASVdG0YCAw377WqOO2KFoCgPLfsz BaIA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=H2/4tdoxwBV7KNKW0ywvhc0//8xhRV7CRqLgUBuLY70=; fh=X9l14yCYZVDsR10jSAVg+DL2Aw7gewWDKQIxG7Qm+IE=; b=Y1mTQWbROknOoqKcv9SD5ygIxEaPe8WCFfMmJlfzwTP6dUI36Sqi934NTI9PzkT8QZ IcCydThhOvInBDdHDUPCBbOKTwrOGhrh7osdUfjjX0RXFhgyWFZ5bdm7saUBiYZ5BKk9 l4VbPOSru0P8BYeS8QWF5riIX7iPn7E1OH2EpQpUZyGU5zB67/b1bODaArXuEQ5e6/nE 18cHDIG20Fb9HeQ8/Eep7LVOE4kuLhYezDcwmUKHB/lwVkNOiTkmQXDfJNEy9fiYwmDw PN7Z/R+zKIclMS1RyJWJ8ZHTIvht18GB5gIJu9kzezC9o54FODo8MTfpbeKzqEVjacuN LoqQ==; darn=lists.postgresql.org ARC-Authentication-Results: i=1; mx.google.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1781793704; x=1782398504; darn=lists.postgresql.org; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=H2/4tdoxwBV7KNKW0ywvhc0//8xhRV7CRqLgUBuLY70=; b=LiDyMQpWk9hwfr46OUayXtKpdWybgxi2qygWdIGQn/S9hKPPPIGS+RdbmPPAOfUtZ2 4G4nPZDdygSM1X8Zr28a88sbhs7vqhEiZXf/8Egmf9nRasS626FUFQWRtjZE/r8BCTwH CQW8UCKbdG12n/+yX2li6Juuje3gx1pvaTniV+f2VmRzUneY/oBgi6/5+QBjtn6OBwi2 LLcUzuRIadgHljCUVSoSq/wsxLJwvD/H2nXtMwbdB2u7yoJx2ohUNZ+h6rP5wb8i59K1 8ssdWu+ljXQLk9sA9KCddC+JrCayh0zcrhvNyVoMfK1oNP+xSgVwsWEREZKLhvSudoFM uafQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1781793704; x=1782398504; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=H2/4tdoxwBV7KNKW0ywvhc0//8xhRV7CRqLgUBuLY70=; b=T9AS904w+jOTW+I31vLx6tHeJz1Dk38cuqdglBPg42eeapR2lepwbji9eHX2Kw8GVN 1HPJLtq3SHql7VdcIaw2lYn57ggVoU/Kz0y6YaMFKTkqSaumLukLHGIFQLoUPmM7QcQN KFgZQWXY1asZz24kfTuFW8wZrwMTlOGoMLhjeZkFle+0aj/Uvwr972DlMsk0MpU3xefF PuoPnkJX1Q6kbM3MHmadb3GopgDZuTMtS7f6XD6L/SNmipS8VQvOLDtyxulqbCwJGb46 QHKLBvMTy4EPd0RvMGhcwRpK9lH/miUBMoxEUOheRVqnvWGifd9k/H7clumGqadTJmEV bOSQ== X-Forwarded-Encrypted: i=1; AFNElJ/hep1UZy673CyCgY5lSb9A35IDjsHsrZ0/ivG7mz8VO8UH0ytNFYTT6CAzi0WYAdkTtqyzr7bmIb3G@lists.postgresql.org X-Gm-Message-State: AOJu0YywlhG2Yj7sA8L8RStiRpS+Xiwi5qMQCGRQV6zuBysBWSHwk7/D 07FtevywKryZRmwTq5KXunSqurXn+2rsUomSCytDOjFApTpUonEf54cvVxRzikkTt/J4sCi32da RsofypXQQi2FDsc05dGpSUxaEJc2YYUQ= X-Gm-Gg: AfdE7cmIWCUR+ldFkc5JMxKHP0bIXDnVFhFXU1qt1zg0YhXavVvMtNF9+S9qv7WQHT7 NnH2pUDwenUAB9VZBi0TZnImLgXK7bm1zg2tKtiZEOaR9ZiKFBpPXdpetEf4AM9pj6qdxTuQpcI 6LT/b4lo+9TY/1F0gU0QXx7arYHBHfY+X63sPuOKkdXPE/viEQWRysmC+XvGM74eKrkVL2LqkwA Qov+LJSjqSpatK705CThV8y1zc8Gktz3aICrw5SzSvRlRCtaT3va8ag3o8S4Dp5ni5fVCWOp1LU loLMLkA= X-Received: by 2002:a05:690c:6c08:b0:79a:b49a:cb4e with SMTP id 00721157ae682-7ffa10899ffmr41717917b3.6.1781793703851; Thu, 18 Jun 2026 07:41:43 -0700 (PDT) MIME-Version: 1.0 References: <19525-b0be8e4eb7dbaf07@postgresql.org> In-Reply-To: <19525-b0be8e4eb7dbaf07@postgresql.org> From: Ayush Tiwari Date: Thu, 18 Jun 2026 20:11:32 +0530 X-Gm-Features: AVVi8CdxiGhLSC-G2saQQrx0m-gBrY1l5iSQE_pguBVJkKos5AIng5JUfGMxh2Q Message-ID: Subject: Re: BUG #19525: In `contrib/dict_int`, handling a token whose first byte is a null byte causes `pnstrdup()` . To: 3020001251@tju.edu.cn, pgsql-bugs@lists.postgresql.org Content-Type: multipart/mixed; boundary="000000000000c82d150654882cc1" List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --000000000000c82d150654882cc1 Content-Type: multipart/alternative; boundary="000000000000c82d130654882cbf" --000000000000c82d130654882cbf Content-Type: text/plain; charset="UTF-8" Hi, On Thu, 18 Jun 2026 at 18:54, PG Bug reporting form wrote: > The following bug has been logged on the website: > > Bug reference: 19525 > Logged by: Yuelin Wang > Email address: 3020001251@tju.edu.cn > PostgreSQL version: 19beta1 > Operating system: Linux (Ubuntu 24.04, x86_64) > Description: > > **Component**: `contrib/dict_int/dict_int.c`, function `dintdict_lexize()` > (line 109) > > Requires a `SQL_ASCII`-encoded database (to bypass null-byte encoding > checks) and superuser to install the extension and create a helper function > that passes a `bytea` token directly to the lexize callback. Once the > dictionary is created, any role granted `EXECUTE` on the helper can trigger > the crash. > > ```sql > -- 1. Create SQL_ASCII database (null bytes are not rejected) > CREATE DATABASE vuln_ascii ENCODING 'SQL_ASCII' TEMPLATE template0; > \c vuln_ascii > > -- 2. Install extension and create an intdict dictionary with > REJECTLONG=false > CREATE EXTENSION dict_int; > CREATE TEXT SEARCH DICTIONARY intdict_test ( > TEMPLATE = intdict_template, > MAXLEN = 8192, > REJECTLONG = false > ); > > -- 3. Create a C helper (raw_lexize.so) that invokes the lexize callback > with > -- a raw bytea token, bypassing the text encoding layer. > CREATE FUNCTION raw_lexize(dict regdictionary, token bytea) > RETURNS text[] AS 'raw_lexize', 'raw_lexize' LANGUAGE C STRICT; > > -- 4. Trigger: null byte at position 0 causes pnstrdup to allocate 1 byte, > -- but txt[8192] = '\0' writes 8191 bytes past the end of the > allocation. > SELECT raw_lexize('intdict_test', > decode('00' || repeat('78', 10000), 'hex')); > -- Server closes connection; ASan reports heap-buffer-overflow WRITE of > size > 1 > -- at dict_int.c:109 in dintdict_lexize. > ``` > > ASan confirmation (server killed the backend; connection dropped): > ``` > ==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x525000052880 > WRITE of size 1 at 0x525000052880 thread T0 > #0 in dintdict_lexize > /data/ylwang/Projects/postgres/contrib/dict_int/dict_int.c:109 > #1 in FunctionCall4Coll .../src/backend/utils/fmgr/fmgr.c:1215 > #2 in raw_lexize /tmp/raw_lexize.c:37 > SUMMARY: AddressSanitizer: heap-buffer-overflow > .../contrib/dict_int/dict_int.c:109 in dintdict_lexize > Thanks for the report and repro! `pnstrdup(ptr, len)` uses `strnlen(ptr, len)` internally, so when the token > begins with a null byte it allocates only 1 byte. The variable `len` is not > updated to reflect this and retains the original token length, so the guard > at line 98 (`if (len > d->maxlen)`) passes, and line 109 writes `'\0'` at > offset `d->maxlen` (e.g., 8192) into a 1-byte allocation. > > The fix is to recompute the effective length from the allocated buffer > after > the `pnstrdup` call, for example by replacing the `if (len > d->maxlen)` > check with `if (strlen(txt) > d->maxlen)`. This ensures the truncation > offset is always within the bounds of what `pnstrdup` actually allocated. > Your analysis seems right to me. While looking around I think dict_xsyn may have a related issue: in dxsyn_lexize() the token is copied with pnstrdup() and the original length is then handed to str_tolower(), which reads that many bytes and so could read past the shorter copy. Attaching a patch that fixes both the above issues. Regards, Ayush --000000000000c82d130654882cbf Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Hi,

On Thu, 18 Jun 2026 = at 18:54, PG Bug reporting form <noreply@postgresql.org> wrote:
The following bug has been logge= d on the website:

Bug reference:=C2=A0 =C2=A0 =C2=A0 19525
Logged by:=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 Yuelin Wang
Email address:=C2=A0 =C2=A0 =C2=A0 3020001251@tju.edu.cn
PostgreSQL version: 19beta1
Operating system:=C2=A0 =C2=A0Linux (Ubuntu 24.04, x86_64)
Description:=C2=A0 =C2=A0 =C2=A0 =C2=A0

**Component**: `contrib/dict_int/dict_int.c`, function `dintdict_lexize()`<= br> (line 109)

Requires a `SQL_ASCII`-encoded database (to bypass null-byte encoding
checks) and superuser to install the extension and create a helper function=
that passes a `bytea` token directly to the lexize callback. Once the
dictionary is created, any role granted `EXECUTE` on the helper can trigger=
the crash.

```sql
-- 1. Create SQL_ASCII database (null bytes are not rejected)
CREATE DATABASE vuln_ascii ENCODING 'SQL_ASCII' TEMPLATE template0;=
\c vuln_ascii

-- 2. Install extension and create an intdict dictionary with
REJECTLONG=3Dfalse
CREATE EXTENSION dict_int;
CREATE TEXT SEARCH DICTIONARY intdict_test (
=C2=A0 =C2=A0 TEMPLATE =3D intdict_template,
=C2=A0 =C2=A0 MAXLEN =3D 8192,
=C2=A0 =C2=A0 REJECTLONG =3D false
);

-- 3. Create a C helper (raw_lexize.so) that invokes the lexize callback with
--=C2=A0 =C2=A0 a raw bytea token, bypassing the text encoding layer.
CREATE FUNCTION raw_lexize(dict regdictionary, token bytea)
=C2=A0 =C2=A0 RETURNS text[] AS 'raw_lexize', 'raw_lexize' = LANGUAGE C STRICT;

-- 4. Trigger: null byte at position 0 causes pnstrdup to allocate 1 byte,<= br> --=C2=A0 =C2=A0 but txt[8192] =3D '\0' writes 8191 bytes past the e= nd of the allocation.
SELECT raw_lexize('intdict_test',
=C2=A0 =C2=A0 decode('00' || repeat('78', 10000), 'hex&= #39;));
-- Server closes connection; ASan reports heap-buffer-overflow WRITE of siz= e
1
-- at dict_int.c:109 in dintdict_lexize.
```

ASan confirmation (server killed the backend; connection dropped):
```
=3D=3DERROR: AddressSanitizer: heap-buffer-overflow on address 0x5250000528= 80
WRITE of size 1 at 0x525000052880 thread T0
=C2=A0 =C2=A0 #0 in dintdict_lexize
/data/ylwang/Projects/postgres/contrib/dict_int/dict_int.c:109
=C2=A0 =C2=A0 #1 in FunctionCall4Coll .../src/backend/utils/fmgr/fmgr.c:121= 5
=C2=A0 =C2=A0 #2 in raw_lexize /tmp/raw_lexize.c:37
SUMMARY: AddressSanitizer: heap-buffer-overflow
.../contrib/dict_int/dict_int.c:109 in dintdict_lexize

Thanks for the report and repro!=C2=A0

`pnstrdup(ptr, len)` uses `strnlen(ptr, len)` internally, so when the token=
begins with a null byte it allocates only 1 byte. The variable `len` is not=
updated to reflect this and retains the original token length, so the guard=
at line 98 (`if (len > d->maxlen)`) passes, and line 109 writes `'= ;\0'` at
offset `d->maxlen` (e.g., 8192) into a 1-byte allocation.

The fix is to recompute the effective length from the allocated buffer afte= r
the `pnstrdup` call, for example by replacing the `if (len > d->maxle= n)`
check with `if (strlen(txt) > d->maxlen)`. This ensures the truncatio= n
offset is always within the bounds of what `pnstrdup` actually allocated.

Your analysis seems right to me.

While looki= ng around I think dict_xsyn may have a related issue: in
dxsyn_lexize() = the token is copied with pnstrdup() and the original
length is then hand= ed to str_tolower(), which reads that many bytes and
so could read past = the shorter copy.

Attaching a patch that fixes both the above issues= .

Regards,
Ayush=C2=A0
--000000000000c82d130654882cbf-- --000000000000c82d150654882cc1 Content-Type: application/x-patch; name="0001-Fix-out-of-bounds-access-on-embedded-null-tokens-in-.patch" Content-Disposition: attachment; filename="0001-Fix-out-of-bounds-access-on-embedded-null-tokens-in-.patch" Content-Transfer-Encoding: base64 Content-ID: X-Attachment-Id: f_mqjlqjh90 RnJvbSAzODJjNzM2YjU5OTI5MjQ3MGIwNTBlMTEyYjY2OTQ1YzQ2YTVhN2U3IE1vbiBTZXAgMTcg MDA6MDA6MDAgMjAwMQpGcm9tOiBBeXVzaCBUaXdhcmkgPGF5dXNodGl3YXJpLnNsZzAxQGdtYWls LmNvbT4KRGF0ZTogVGh1LCAxOCBKdW4gMjAyNiAxOTo1NDo1NCArMDUzMApTdWJqZWN0OiBbUEFU Q0hdIEZpeCBvdXQtb2YtYm91bmRzIGFjY2VzcyBvbiBlbWJlZGRlZCBudWxsIHRva2VucyBpbiBk aWN0X2ludAogYW5kIGRpY3RfeHN5bgoKcG5zdHJkdXAoKSBzdG9wcyBhdCB0aGUgZmlyc3QgbnVs bCBieXRlLCBzbyBhIHRva2VuIGJlZ2lubmluZyB3aXRoIGEgbnVsbAppcyBjb3BpZWQgYXMgYSAx LWJ5dGUgc3RyaW5nLiAgQm90aCBkaWN0aW9uYXJpZXMgdGhlbiByZXVzZWQgdGhlIG9yaWdpbmFs CnRva2VuIGxlbmd0aCBhZ2FpbnN0IHRoYXQgc2hvcnRlciBjb3B5LgoKZGludGRpY3RfbGV4aXpl KCkgKGRpY3RfaW50KSB1c2VkIGl0IGZvciB0aGUgImxlbiA+IG1heGxlbiIgY2hlY2sgYW5kIHRo ZW4Kd3JvdGUgdHh0W21heGxlbl0gPSAnXDAnIHBhc3QgdGhlIGVuZCBvZiB0aGUgMS1ieXRlIGFs bG9jYXRpb247IHJlY29tcHV0ZQpsZW4gZnJvbSB0aGUgY29weS4gIGR4c3luX2xleGl6ZSgpIChk aWN0X3hzeW4pIHBhc3NlZCB0aGUgb3JpZ2luYWwgbGVuZ3RoCnRvIHN0cl90b2xvd2VyKCksIHdo aWNoIHRoZW4gcmVhZCBwYXN0IHRoZSBjb3B5OyBwYXNzIHRoZSB0b2tlbiBkaXJlY3RseQppbnN0 ZWFkLCBkcm9wcGluZyB0aGUgbmVlZGxlc3MgY29weS4KClJlYWNoaW5nIGVpdGhlciBwYXRoIG5l ZWRzIGEgdG9rZW4gd2l0aCBhIG51bGwgYnl0ZSwgd2hpY2ggdGhlIG5vcm1hbAp0ZXh0LXNlYXJj aCBpbnB1dCBwYXRoIGRvZXMgbm90IHByb2R1Y2UgKGl0IHJlcXVpcmVzIFNRTF9BU0NJSSBhbmQg YQpjYWxsZXIgcGFzc2luZyByYXcgYnl0ZXMgdG8gdGhlIGxleGl6ZSBtZXRob2QpLgoKUmVwb3J0 ZWQtYnk6IFl1ZWxpbiBXYW5nIDwzMDIwMDAxMjUxQHRqdS5lZHUuY24+CkJ1ZzogIzE5NTI1Ci0t LQogY29udHJpYi9kaWN0X2ludC9kaWN0X2ludC5jICAgfCAgNiArKysrKysKIGNvbnRyaWIvZGlj dF94c3luL2RpY3RfeHN5bi5jIHwgMTUgKysrKysrKy0tLS0tLS0tCiAyIGZpbGVzIGNoYW5nZWQs IDEzIGluc2VydGlvbnMoKyksIDggZGVsZXRpb25zKC0pCgpkaWZmIC0tZ2l0IGEvY29udHJpYi9k aWN0X2ludC9kaWN0X2ludC5jIGIvY29udHJpYi9kaWN0X2ludC9kaWN0X2ludC5jCmluZGV4IGFh ZmNlODk0OTc3Li5iNDQxM2NmZGU5OSAxMDA2NDQKLS0tIGEvY29udHJpYi9kaWN0X2ludC9kaWN0 X2ludC5jCisrKyBiL2NvbnRyaWIvZGljdF9pbnQvZGljdF9pbnQuYwpAQCAtOTUsNiArOTUsMTIg QEAgZGludGRpY3RfbGV4aXplKFBHX0ZVTkNUSU9OX0FSR1MpCiAJZWxzZQogCQl0eHQgPSBwbnN0 cmR1cChpbiwgbGVuKTsKIAorCS8qCisJICogcG5zdHJkdXAoKSBzdG9wcyBhdCB0aGUgZmlyc3Qg bnVsbCBieXRlLCBzbyByZWNvbXB1dGUgbGVuIGZyb20gdGhlIGNvcHk7CisJICogb3RoZXJ3aXNl IHRoZSB0cnVuY2F0aW9uIGJlbG93IGNvdWxkIHdyaXRlIHBhc3QgdGhlIGFsbG9jYXRpb24uCisJ ICovCisJbGVuID0gc3RybGVuKHR4dCk7CisKIAlpZiAobGVuID4gZC0+bWF4bGVuKQogCXsKIAkJ aWYgKGQtPnJlamVjdGxvbmcpCmRpZmYgLS1naXQgYS9jb250cmliL2RpY3RfeHN5bi9kaWN0X3hz eW4uYyBiL2NvbnRyaWIvZGljdF94c3luL2RpY3RfeHN5bi5jCmluZGV4IDllMzc4NGUwZjQ3Li5i Mzc1ZThmNzM4NyAxMDA2NDQKLS0tIGEvY29udHJpYi9kaWN0X3hzeW4vZGljdF94c3luLmMKKysr IGIvY29udHJpYi9kaWN0X3hzeW4vZGljdF94c3luLmMKQEAgLTIxMSwxNCArMjExLDEzIEBAIGR4 c3luX2xleGl6ZShQR19GVU5DVElPTl9BUkdTKQogCWlmICghbGVuZ3RoIHx8IGQtPmxlbiA9PSAw KQogCQlQR19SRVRVUk5fUE9JTlRFUihOVUxMKTsKIAotCS8qIENyZWF0ZSBzZWFyY2ggcGF0dGVy biAqLwotCXsKLQkJY2hhcgkgICAqdGVtcCA9IHBuc3RyZHVwKGluLCBsZW5ndGgpOwotCi0JCXdv cmQua2V5ID0gc3RyX3RvbG93ZXIodGVtcCwgbGVuZ3RoLCBERUZBVUxUX0NPTExBVElPTl9PSUQp OwotCQlwZnJlZSh0ZW1wKTsKLQkJd29yZC52YWx1ZSA9IE5VTEw7Ci0JfQorCS8qCisJICogUGFz cyB0aGUgdG9rZW4gZGlyZWN0bHkgdG8gc3RyX3RvbG93ZXIoKTsgY29weWluZyBpdCBmaXJzdCB3 aXRoCisJICogcG5zdHJkdXAoKSBhbmQgcmV1c2luZyB0aGUgb3JpZ2luYWwgbGVuZ3RoIHdvdWxk IHJlYWQgcGFzdCB0aGUgY29weSBpZgorCSAqIHRoZSB0b2tlbiBjb250YWlucyBhIG51bGwgYnl0 ZS4KKwkgKi8KKwl3b3JkLmtleSA9IHN0cl90b2xvd2VyKGluLCBsZW5ndGgsIERFRkFVTFRfQ09M TEFUSU9OX09JRCk7CisJd29yZC52YWx1ZSA9IE5VTEw7CiAKIAkvKiBMb29rIGZvciBtYXRjaGlu ZyBzeW4gKi8KIAlmb3VuZCA9IChTeW4gKikgYnNlYXJjaCgmd29yZCwgZC0+c3luLCBkLT5sZW4s IHNpemVvZihTeW4pLCBjb21wYXJlX3N5bik7Ci0tIAoyLjM0LjEKCg== --000000000000c82d150654882cc1--