From: Dmitry Shulga Date: March 5 2011 8:55am Subject: bzr commit into mysql-5.1 branch (Dmitry.Shulga:3611) Bug#11764168 List-Archive: http://lists.mysql.com/commits/132515 X-Bug: 11764168 Message-Id: <201103050857.p258v0YF002066@acsinet15.oracle.com> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============5590246789676620751==" --===============5590246789676620751== MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Content-Disposition: inline #At file:///Users/shulga/projects/mysql/mysql-5.1-bug56976/ based on revid:build@stripped 3611 Dmitry Shulga 2011-03-05 Fixed Bug#11764168 "56976: SEVERE DENIAL OF SERVICE IN PREPARED STATEMENTS". The problem was that server didn't check resulting size of prepared statement argument which was set using mysql_send_long_data() API. By calling mysql_send_long_data() several times it was possible to create overly big string and thus force server to allocate memory for it. There was no way to limit this allocation. The solution is to add check for size of result string against value of max_long_data_size start-up parameter. When intermediate string exceeds max_long_data_size value an appropriate error message is emitted. We can't use existing max_allowed_packet parameter for this purpose since its value is limited by 1GB and therefore using it as a limit for data set through mysql_send_long_data() API would have been an incompatible change. Newly introduced max_long_data_size parameter gets value from max_allowed_packet parameter unless its value is specified explicitly. This new parameter is marked as deprecated and will be eventually replaced by max_allowed_packet parameter. Value of max_long_data_size parameter can be set only at server startup. @ mysql-test/t/variables.test Added checking for new start-up parameter max_long_data_size. @ sql/item.cc Added call to my_message() when accumulated string exceeds max_long_data_size value. my_message() calls error handler that was installed in mysql_stmt_get_longdata before call to Item_param::set_longdata. The error handler then sets state, last_error and last_errno fields for current statement to values which correspond to error which was caught. @ sql/mysql_priv.h Added max_long_data_size variable declaration. @ sql/mysqld.cc Added support for start-up parameter 'max_long_data_size'. This parameter limits size of data which can be sent from client to server using mysql_send_long_data() API. @ sql/set_var.cc Added variable 'max_long_data_size' into list of variables displayed by command 'show variables'. @ sql/sql_prepare.cc Added error handler class Set_longdata_error_handler. This handler is used to catch any errors that can be generated during execution of Item_param::set_longdata(). Source code snippet that makes checking for statement's state during statement execution is moved from Prepared_statement::execute() to Prepared_statement::execute_loop() in order not to call set_parameters() when statement has failed during set_long_data() execution. If this hadn't been done the call to set_parameters() would have failed. @ tests/mysql_client_test.c A testcase for the bug #56976 was added. modified: mysql-test/r/variables.result mysql-test/t/variables.test sql/item.cc sql/mysql_priv.h sql/mysqld.cc sql/set_var.cc sql/sql_prepare.cc tests/mysql_client_test.c === modified file 'mysql-test/r/variables.result' --- a/mysql-test/r/variables.result 2010-11-25 03:11:05 +0000 +++ b/mysql-test/r/variables.result 2011-03-05 08:54:56 +0000 @@ -1540,6 +1540,9 @@ ERROR HY000: Cannot drop default keycach SET @@global.key_cache_block_size=0; Warnings: Warning 1292 Truncated incorrect key_cache_block_size value: '0' +select @@max_long_data_size; +@@max_long_data_size +1048576 SET @@global.max_binlog_cache_size=DEFAULT; SET @@global.max_join_size=DEFAULT; SET @@global.key_buffer_size=@kbs; === modified file 'mysql-test/t/variables.test' --- a/mysql-test/t/variables.test 2011-02-02 17:05:28 +0000 +++ b/mysql-test/t/variables.test 2011-03-05 08:54:56 +0000 @@ -1293,6 +1293,11 @@ SET @@global.max_join_size=0; SET @@global.key_buffer_size=0; SET @@global.key_cache_block_size=0; +# +# Bug#56976: added new start-up parameter +# +select @@max_long_data_size; + # cleanup SET @@global.max_binlog_cache_size=DEFAULT; SET @@global.max_join_size=DEFAULT; === modified file 'sql/item.cc' --- a/sql/item.cc 2011-02-22 21:03:32 +0000 +++ b/sql/item.cc 2011-03-05 08:54:56 +0000 @@ -2742,6 +2742,16 @@ bool Item_param::set_longdata(const char (here), and first have to concatenate all pieces together, write query to the binary log and only then perform conversion. */ + if (str_value.length() + length > max_long_data_size) + { + my_message(ER_UNKNOWN_ERROR, + "Parameter of prepared statement which is set through " + "mysql_send_long_data() is longer than " + "'max_long_data_size' bytes", + MYF(0)); + DBUG_RETURN(true); + } + if (str_value.append(str, length, &my_charset_bin)) DBUG_RETURN(TRUE); state= LONG_DATA_VALUE; === modified file 'sql/mysql_priv.h' --- a/sql/mysql_priv.h 2011-02-22 21:03:32 +0000 +++ b/sql/mysql_priv.h 2011-03-05 08:54:56 +0000 @@ -1965,6 +1965,7 @@ extern my_bool relay_log_purge, opt_inno extern uint test_flags,select_errors,ha_open_options; extern uint protocol_version, mysqld_port, dropping_tables; extern uint delay_key_write_options; +extern ulong max_long_data_size; #endif /* MYSQL_SERVER */ #if defined MYSQL_SERVER || defined INNODB_COMPATIBILITY_HOOKS extern MYSQL_PLUGIN_IMPORT uint lower_case_table_names; === modified file 'sql/mysqld.cc' --- a/sql/mysqld.cc 2011-02-04 04:47:46 +0000 +++ b/sql/mysqld.cc 2011-03-05 08:54:56 +0000 @@ -409,6 +409,7 @@ TYPELIB log_output_typelib= {array_eleme /* the default log output is log tables */ static bool lower_case_table_names_used= 0; +static bool max_long_data_size_used= false; static bool volatile select_thread_in_use, signal_thread_in_use; static bool volatile ready_to_exit; static my_bool opt_debugging= 0, opt_external_locking= 0, opt_console= 0; @@ -574,6 +575,11 @@ ulong delayed_insert_errors,flush_time; ulong specialflag=0; ulong binlog_cache_use= 0, binlog_cache_disk_use= 0; ulong max_connections, max_connect_errors; +/* + Maximum length of parameter value which can be set through + mysql_send_long_data() call. +*/ +ulong max_long_data_size; uint max_user_connections= 0; /** Limit of the total number of prepared statements in the server. @@ -5800,7 +5806,8 @@ enum options_mysqld OPT_SLOW_QUERY_LOG_FILE, OPT_IGNORE_BUILTIN_INNODB, OPT_BINLOG_DIRECT_NON_TRANS_UPDATE, - OPT_DEFAULT_CHARACTER_SET_OLD + OPT_DEFAULT_CHARACTER_SET_OLD, + OPT_MAX_LONG_DATA_SIZE }; @@ -6880,6 +6887,13 @@ thread is in the relay logs.", &global_system_variables.max_length_for_sort_data, &max_system_variables.max_length_for_sort_data, 0, GET_ULONG, REQUIRED_ARG, 1024, 4, 8192*1024L, 0, 1, 0}, + {"max_long_data_size", OPT_MAX_LONG_DATA_SIZE, + "The maximum size of prepared statement parameter which can be provided " + "through mysql_send_long_data() API call. " + "Deprecated option; use max_allowed_packet instead.", + &max_long_data_size, + &max_long_data_size, 0, GET_ULONG, + REQUIRED_ARG, 1024*1024L, 1024, UINT_MAX32, MALLOC_OVERHEAD, 1, 0}, {"max_prepared_stmt_count", OPT_MAX_PREPARED_STMT_COUNT, "Maximum number of prepared statements in the server.", &max_prepared_stmt_count, &max_prepared_stmt_count, @@ -8688,6 +8702,10 @@ mysqld_get_one_option(int optid, } break; #endif /* defined(ENABLED_DEBUG_SYNC) */ + case OPT_MAX_LONG_DATA_SIZE: + max_long_data_size_used= true; + WARN_DEPRECATED(NULL, VER_CELOSIA, "--max_long_data_size", "--max_allowed_packet"); + break; } return 0; } @@ -8849,6 +8867,14 @@ static int get_options(int *argc,char ** else pool_of_threads_scheduler(&thread_scheduler); /* purecov: tested */ #endif + + /* + If max_long_data_size is not specified explicitly use + value of max_allowed_packet. + */ + if (!max_long_data_size_used) + max_long_data_size= global_system_variables.max_allowed_packet; + return 0; } === modified file 'sql/set_var.cc' --- a/sql/set_var.cc 2011-02-18 13:12:36 +0000 +++ b/sql/set_var.cc 2011-03-05 08:54:56 +0000 @@ -394,6 +394,12 @@ static sys_var_thd_ulong sys_max_seeks_f &SV::max_seeks_for_key); static sys_var_thd_ulong sys_max_length_for_sort_data(&vars, "max_length_for_sort_data", &SV::max_length_for_sort_data); +static sys_var_const sys_max_long_data_size(&vars, + "max_long_data_size", + OPT_GLOBAL, SHOW_LONG, + (uchar*) + &max_long_data_size); + #ifndef TO_BE_DELETED /* Alias for max_join_size */ static sys_var_thd_ha_rows sys_sql_max_join_size(&vars, "sql_max_join_size", &SV::max_join_size, === modified file 'sql/sql_prepare.cc' --- a/sql/sql_prepare.cc 2011-02-22 21:03:32 +0000 +++ b/sql/sql_prepare.cc 2011-03-05 08:54:56 +0000 @@ -2730,6 +2730,32 @@ void mysql_sql_stmt_close(THD *thd) } } + +class Set_longdata_error_handler : public Internal_error_handler +{ +public: + Set_longdata_error_handler(Prepared_statement *statement) + : stmt(statement) + { } + +public: + bool handle_error(uint sql_errno, + const char *message, + MYSQL_ERROR::enum_warning_level level, + THD *) + { + stmt->state= Query_arena::ERROR; + stmt->last_errno= sql_errno; + strncpy(stmt->last_error, message, MYSQL_ERRMSG_SIZE); + + return TRUE; + } + +private: + Prepared_statement *stmt; +}; + + /** Handle long data in pieces from client. @@ -2786,16 +2812,19 @@ void mysql_stmt_get_longdata(THD *thd, c param= stmt->param_array[param_number]; + Set_longdata_error_handler err_handler(stmt); + /* + Install handler that will catch any errors that can be generated + during execution of Item_param::set_longdata() and propagate + them to Statement::last_error. + */ + thd->push_internal_handler(&err_handler); #ifndef EMBEDDED_LIBRARY - if (param->set_longdata(packet, (ulong) (packet_end - packet))) + param->set_longdata(packet, (ulong) (packet_end - packet)); #else - if (param->set_longdata(thd->extra_data, thd->extra_length)) + param->set_longdata(thd->extra_data, thd->extra_length); #endif - { - stmt->state= Query_arena::ERROR; - stmt->last_errno= ER_OUTOFMEMORY; - sprintf(stmt->last_error, ER(ER_OUTOFMEMORY), 0); - } + thd->pop_internal_handler(); general_log_print(thd, thd->command, NullS); @@ -3257,6 +3286,13 @@ Prepared_statement::execute_loop(String bool error; int reprepare_attempt= 0; + /* Check if we got an error when sending long data */ + if (state == Query_arena::ERROR) + { + my_message(last_errno, last_error, MYF(0)); + return TRUE; + } + if (set_parameters(expanded_query, packet, packet_end)) return TRUE; @@ -3497,12 +3533,6 @@ bool Prepared_statement::execute(String status_var_increment(thd->status_var.com_stmt_execute); - /* Check if we got an error when sending long data */ - if (state == Query_arena::ERROR) - { - my_message(last_errno, last_error, MYF(0)); - return TRUE; - } if (flags & (uint) IS_IN_USE) { my_error(ER_PS_NO_RECURSION, MYF(0)); === modified file 'tests/mysql_client_test.c' --- a/tests/mysql_client_test.c 2011-02-18 14:17:37 +0000 +++ b/tests/mysql_client_test.c 2011-03-05 08:54:56 +0000 @@ -18465,6 +18465,56 @@ static void test_bug58036() /* + Bug #56976: Severe Denial Of Service in prepared statements +*/ +static void test_bug56976() +{ + MYSQL_STMT *stmt; + MYSQL_BIND bind[1]; + int rc; + const char* query = "SELECT LENGTH(?)"; + char *long_buffer; + unsigned long i, packet_len = 256 * 1024L; + unsigned long dos_len = 2 * 1024 * 1024L; + + DBUG_ENTER("test_bug56976"); + myheader("test_bug56976"); + + stmt= mysql_stmt_init(mysql); + check_stmt(stmt); + + rc= mysql_stmt_prepare(stmt, query, strlen(query)); + check_execute(stmt, rc); + + memset(bind, 0, sizeof(bind)); + bind[0].buffer_type = MYSQL_TYPE_TINY_BLOB; + + rc= mysql_stmt_bind_param(stmt, bind); + check_execute(stmt, rc); + + long_buffer= (char*) my_malloc(packet_len, MYF(0)); + DIE_UNLESS(long_buffer); + + memset(long_buffer, 'a', packet_len); + + for (i= 0; i < dos_len / packet_len; i++) + { + rc= mysql_stmt_send_long_data(stmt, 0, long_buffer, packet_len); + check_execute(stmt, rc); + } + + my_free(long_buffer, MYF(0)); + rc= mysql_stmt_execute(stmt); + + DIE_UNLESS(rc && mysql_stmt_errno(stmt) == ER_UNKNOWN_ERROR); + + mysql_stmt_close(stmt); + + DBUG_VOID_RETURN; +} + + +/* Read and parse arguments and MySQL options from my.cnf */ @@ -18791,6 +18841,7 @@ static struct my_tests_st my_tests[]= { { "test_bug54041", test_bug54041 }, { "test_bug47485", test_bug47485 }, { "test_bug58036", test_bug58036 }, + { "test_bug56976", test_bug56976 }, { 0, 0 } }; --===============5590246789676620751== MIME-Version: 1.0 Content-Type: text/bzr-bundle; charset="us-ascii"; name="bzr/dmitry.shulga@stripped" Content-Transfer-Encoding: 7bit Content-Disposition: inline # Bazaar merge directive format 2 (Bazaar 0.90) # revision_id: dmitry.shulga@stripped\ # 9da3lfysmmd4i4wp # target_branch: file:///Users/shulga/projects/mysql/mysql-5.1-\ # bug56976/ # testament_sha1: 795abbe47b21a4291d6ebb7096d4a34fc859510e # timestamp: 2011-03-05 14:55:13 +0600 # base_revision_id: build@stripped # # Begin bundle IyBCYXphYXIgcmV2aXNpb24gYnVuZGxlIHY0CiMKQlpoOTFBWSZTWTwOjmYACal/gECYQAB5//// /+//+r////pgFWdt3b7mvSFntj62+8+dOe31xXYtl1pd8ect7u58bPZeunp77333e3j5WZgyVrY2 n2p3ay23xmc+qAYoECMEngg0U2lP00SPSDymn6p6htI00ZMNR5TR6nqCUQAQAmRMSMiP1RoaNDQy DQAAABkGgCE0Q0JmoKbKaP1T0npD1AMgAAAA0AJERAgBTaE2psk1PJoT0maJtBDRpoaDEAAEUhBN TYk09U8jE0o20TEmQ0Bo0BppoaAAAJFCaaAEFPCBiNKnhoU0A9I0B6gAAA0sMAA5D1IEsOvxSCOK JYgG2kXxw16hpx2yMZhoyPQCCHO8hya5kPj7R8e0e73/xP/slVo20VhGNvP4l1aYtBybzaLWQ21x Ftnf2SS3fj2XY7nY+/CLu8YTIPXHrCtUY9peDVm0Ov+en9ZUfo2iBJ09u3ODlt4zqCot6IIrRJ70 SKOSHHKpqBaxlC+WayM45q+JwrE1SbljjGOIhoOqeer42zROo7cdX7/zNM+OWPRDnPOjcyv0DnIi KGhAZ9TDztCuY2AfdUI28kokaGJNjYJCRIEWzXX5BfF1LOrx3MEKs0nfI3C1wi2eTRfk7lKMGO2A YbYLzA0A8gG22NjbbaTbaFiqtIdwIs+zw5tlaJbpQGNzlQwkImhtvs49E7mE/2+VDTlAFLIBgaI6 1hKTKiMElEF1dxJytZB3rDCDM2oPUJWQKSMr3ttfdPXnvWNgaBfhuuaOhCO/B2zRiN/oQBUzoc/Q ga3b9Td1qhfl8VeWXjgGeldBrFAcK1V7VR2HDn1fLLkRgcrm6qhR/N+GJ1Qmnkxa1b/pmypcYrCs 78maRgaEjUez1q+w980XN/iwDuaQIwCSLmMlgSmhgDJaT5qpGEPEVgVONdAiJEDvFsCwYXtakY7c oEbHtyY2yjFfXcfJzx36ymykyeEMVshXDUmpBnv2RLp1HWSblyvbmUGLsz42blTxAUwtYK8uCijV 0IPa7zYJ47TyQVZ+exzdVGXAOclkbV7X0sBU3y50QKTsF3KU4q1+9u3HdfMobaPV0iVM5LFc83Qd VexjPoyAJ1JKkVCCX3KhL0nso7tzQpnnriwh+uuawikib8Ex3Z+x0ywTKpI7pkr48sjllW2Kokee f0tA8/1/YOoQbf19P4cGX1VDANRckB98Pu5QB/nXR1yZlp7HzrTq8yDcB8NxIYjjS2VCiF1bYKNI NpUg+hdMj6ordBGQ0PPTpZpe5Pm97kbvBYEp7TCYBI8oH2v7zenliT6Kh1bo1wr90hK08bAeaJ3X dE6Pf6JLomv6M40pqBDkB627zLQx83ZAcVgpodi3kxlY6NkEMq6XsyTcAJrCxjEjtHOwgXdDPzFe SbLq2+x9qg3jbwpsgrOiKP06OqTOpckLVkdTJFZ6GQAdjLyXsGs6gemMkkOtV2J8DHiBOYrIKiWp 3bO5sDsr0uyXLW/KIHIKqDK42PIYaWVmB6ZgIEMFzy87r7qZZY5m8G513vO2muFrq3Zze9ppaw81 AEd+cBCQlJFVWxUAwRon+pvltC5EhPEnR3QRCGFVYGayHICOI37X48S5ARYggwiwbS3OLJegQXNP 5QRLvQWolBciOJoJqgYkm1CI7aGVZKDEVlEjEwdKwAFYLlKMttnCU3XbZuBEY+UpF4kS1xSxiPRU ZCgIeZ9UDyjjUmgMVJpTH/NKF9pAzlAeb5iJLBiFYzGj1G2Zt+FzJd8tEM6kESCc8MlSpD0uo30M Eusw3GPReei8V2SlUw81p6a18/VnqlKIR3mDoFxujbEeTly54U32BxNJDcKJMQi4Hh15RyCqYoXj EaTNW3LesJczOLmlqN5Pi0WrRxPnb11mJcq17kETbJVAVc9ZXeaWG0Cj1HdBJG0rPVrVMKqi2OyF WVUMXWTd9QNYoSIKaR6aFJYXLUmhhSuRkhXUEgi5KvExqzCuOPVIUST0aWGzGWT5Cumj5cXCPUJS eRuag8KYl7DJ4wsjwansJGkUVMEQQb2cw1GsOzxj/jr4Heay8jlNatFtlrXZaNQAijHwRxc8tN1T +9Uiloxd41Oe4kctR3fxDGZb3NyLTSpRkzKK2RuI0Lxk9alPEvRmZkCY2dF+guL4Z7EbgR4o4mem 825QWThEMxmpTL3AWXhAI5jVCuLNlXG8lwljRq+M0IlqKromHfQoQoxFMJWlX7hNtlKEIEy/q0od gdFMUBsU0OBEwPRmUjaWKBiVnFW/+RYCO5QVq5U5rqCMI71eWlOC4qh8XRAo1TqEs4BBtml56hC8 +Qo3CxlqCbCJE+MEaCFN5YWzxL/Qm/DLQELUOs8HYIt623ZGNXTMmhZpigPSA1yjTIO1hIzTBKmo paPTZTNIpPp9ZALU5pwTwJBLa4sUznPRjTCKqMgwHAhmGt9q75DtgSmWZK7YCoQjKzHcWlRDsN5c sA3MLDI8M8x7jMWVgyUTQ4eUYjxxviYCKGoMImeAjO59jS8ccho8UtF9TvFp0TqQ1MUks0mFcd7t 4KlUB7tImRgRKomg0rceBChWO5pUoMHnYilTEV0YCxntiYloSvdw66RjKquSWSV2Ht28upPZfAQm GERouy5gIhOHGA1HkNJ3Fzpi8uO02nRTTVbW1jLc5TNb3MUqESAy01kI2QmFCgzYcuVd1CZSUeJc CFLiBUrW8pTPuxtdAYTVpgqbWsGvLYPZhOOLc2oJitcpU7yJpItKjCubtULsiygSjkrFG8mgpNlW CiRIILxahissoUbtheZ1uJrPMEU2sMjyW3FUx9izDBiFx5eKeujtb1riO4DGOFe0RrXjyQKxE3BE wjgwAYgHSTBCCJKHJKQELwyrQUibb7Eh24R6dXXmfmaXEyjBnRENau5Ba9rXD5YMO7GxvD1X8HMc Z4kDv6N0+xvDnecxM00miONtjRjApEogAauNXqAjt86Dr0UPgvPgL0dDGhHR83HxRu/WYD1d/j4f oe/+fbIAwzg+vQBaQkUAkl8hMJTVQYMqeGfvFDfW8c8IjDcmJIPkZso/rxwtYfAT5n0KxcXwkc91 N0TVf5x9yos2uw7aEiHBeWhw9AbW9RPpbg4NSxcNFk64FhldmV7laLIOL1UJnL4F1YVzhAnGus8n qkmehCbgHV0dzyPBHB4VAiRUoHiGB2hQ5BHOVdO0hvcjBE07Buri49YROdHLmldlFYHVFkbI0RXG Url1EwiIvUNDtL6UfJ3xDFFCUWl/PrCvlbgjXHt42zoTuHa5jlRxZgpFVXI5o3nKl6hoU0jN9O49 GPkGYTREtwHMPt27eLPTLeVKx7Am7O0sI0QkjoahHYonhof7EvaeT8xNHtH6ZQeFglKo2zpaigR9 Cti1VGFiXmoBAD93vlI8pRGGLiRLWQEoEWY7WFQPK1N4kVcU1mhcgwBDWGFEKDhcxJLcxLPHRB9/ 7SVk3ieogD0ek9VToBPY8vArMfKSCwxZn2mwmKcmgIgFqPy+tH0Nvdq5t4Bcg+d0aIFD9TheaBiO IRTSEmYkIuGaZuquGm0rAOsFyATtyHUlPuy+xHqaMgsgDAML953ibpikPHzFgBJtcGtrELWJeZpb GJaRpBbVCxbx75zorI7YIzLUFJKpqHikCqOL3WD4wueypu6KSxStcC5+LOPKIiQB1K07TXkn4bNe 33hTiA2Dt3MGsTmMiIaQ7tgO3f2DtGY/OHtFYYJxxkj9El6Pm2beVKdAnynMYxkuNtLRaTgjpMUQ 8fYkqNCKBvCz09m/SxTQTSpeapAiu4d7XdehvNegszrOseeGREyMEOxNQDkzZ0HDIwNoIziWW++E u83B4lNxiWJWO8KcoB2taVoLB5GQwhJM0J7LKIFG3amUzAA9uWnrkRdFYalqxUtc5iL9mcQtGLa0 vMZFibRKCgOEIL2h3ARLnNHBbHzOlvQ8NCo5l/2eHQPaCNxk5wMhLjSOmmkTQVFfHYVoFg0EmsQH WCN/wZ3BBgxttDBK8tMD1M6m+pG/MvPwBUx84kjaY6rAIdtNQ8rzIsPCCvs+CCzHdcuUkln9w0kB ABj65YghFNnT8DkEORZecymPfj0Z5nOU87FmTR/F38mP4aeka0vWjgBKtrooyR6qxGVTCyIMeBWu 07YStzBnwmxqpZZA5xxSlUUQKWBeV4nedxneHjDp4cu8l+6uxIWxKo2o8qdGeFId5I6aFq5q1UDt A0BhDSCWQBapStjUajG8kchRDTmMRKCGXW3t6OJZOwcHfqCOIsRpvM0hUvADjpIpA2jcLWFuYI4a +USiC5tN7NguI1iAbNTZmNVpGefWhpPgzbcdb0O3nvAeG5m0zEBJOM8NyGYoHmtCkFeeQoaYEI0K ZER3c99ElyX9Kzl2Mhtw4GyrtkpLZSQ5m05JV8UVd8ec5882I1fzqShHbhBBQ4bQ+y9Gbbrm2gjf 1xVJUQDYSiy5q+AhjEPY0Wg0qwBxmULpTkkaL80yZvyBwSwQGfYYZr3nzZ82k3F+tJHZ5nM5nSR0 R4FZxX0a6x9Ki8eC8B3zWshJJ3rR5RlCDIZcEwC4+PSg6JdEeaicf4Aa4ANLQDtVMgsTRyKitgZj Ld8mXBtdbvfWBPZd7nwIROORK15/HQaApbRgU2kxNzJZQnCBet48tNfJPFrc6ZtWbs7tJzpSd9de UJV/YRwK5aiLjH4EoIgnyyNTCW7nWmjEGarN4baYqCiRMYvqDZwV+tpYrPH5HDuiEmQTwV/O44VB qWr41oQ5d6qXHqZ8uQJbYxoiJdAx8gROfy7kLwet6WW1wTNX2kpxKX+L3c+5KLQFmEuSsFfqCpBo fc0PIVAA4GJYrQ6FwdVZvuUUhqGOxKRVlbAthVs1TxvWbkPc/X45XBg020F3ur4TZAG2NY7kjLPZ 7Jt2u+Pw2r7/EkApjPpWAv44OlBMNx343Ws3HfenU+LfMIrcMUnRXpeFjyvQpUYw+Hu4jB2tzlkY QdUVynM46QsiAZBdobFTYYKvKsXysCtNAnpmuHj92A/HrNlER+Iru0IILUCYGDSUh4uretzDA3wo JVJHSNWh8QRiqVjoMBrC+LG8hOqAcWM0d1jRsanJl/EYpJDd1YjUO2gbCMIpHZy4bKe6lRUms6yx vMtlJJkI7RWVSgVzZt0ZEw532fhCNb6Kv1q+noTtY+f1xg7wRmBhfIyAyaXbG8OyHMCVgA+9NeY7 6JLNfsTXwBI8vBK789V6GkCus51HwcmB2ubGGsfNjOFLZ0vjUWIloHKlng1Z28j0jJSbeooxkKld 8soFiPFzFlyuOu20QyVkAre5ijCroASA4IaS7FPiHQtViJGJtMaGCQ2Im5IwpxnZOVGhkrERR3TJ TX0wVqTaBOUMmCEYcXieW0vPdat+7tgWAluSRN7dED4bImsFlNei+jWeqtWJAa0g0488QSWE1cRq KW0CCr96+K1yY02xNI5IFmkRmzRqwwrLTZRXjbV47id4TDrPG/Yswh3LESR1gqBVjAOMuAGqopWF 3akcJESYic5EMIwaxeEwIQLROi6ZZPdog1PZTknTxJdNh2JLQcxPFU2y7Ym2aGRabhIhySTxTNWe V3S2ROsjDa1Phdz39jvTJ6npyfk9zVR4nYAu54aHUnTYyOMy6Ypk7XJgZbiUoIIYYIYxkQoG2wbb Q2QnDb2RCJQ+Vm5MmQbhxooAghISOkCF1y+tr4cqdHRjoKzv1EQOzma5mMKFQnnC+ke8xgdXCaGb C4WV2rjyCHukKal9gron1RREIjVU8haIskalfFVCDmELeCwIxQAmMxQwiIwJRtTihA4EhwQ83ByF pDo444rfQmtkqrKMbHb8ryk0JVqoohA5wO+L6+VyS7l79Vumd2MG4ddUQ39huA7DtaDQlE9Y5U9v Q+3M7HwOeq1DiA29KJrxL7XapYZwgQI6diONo7QIoaQNLzRERERERERERDcTiw7NuhDQTQyZXJUk kLgVgHDktAukkqkmRHaF59p8cwygvZdgrFEnezxJEORnUMwA2EQdSscVIuQWOsnWnEsDGJauwZq/ Q4gI3hMZO6EpqJUdbUMmYUWHYJEuxh+sKDUwDME4ckLB7ARPNILhiXz83KrcFfjWV4IcxDEygDkQ OXYARRFEVSBSgXhYYOUHIhq2Jkva2y1KOpTRJXiVVtGond4hrRy3809w6pdsQCXktnmGSVSOT5sI eEEr2fUifJh4SwPVjwCbfN+lnYdqokK3IaG+EB43wNSlGvJ7H2qt5A1mu7OqTjeQVHeoJPkY0M6V nPl0PO5khzMTo6S/WBdBHk7H1FOZco87AawNDAZdjhzEkea/GGBEQw06umM3gXxgUT3AVl4vl47g 2tJNF70O1xTFydqYNodOqRniBgI6ciIPl4SWDVNadgwK2AIOsrc1xItNOBsMp+mBiqFp4pADAdrK tYEnBZIkcAS8bXa9rN2vY9ZqdWietQMDJzsijv9ZmJs2Od2PYcRXDnZGlzUZgmZ8DwzGg6p8pQpO LY71GUKmjJ3tGTpajAba2WssZujhbuNYJaqEsMWw4sXUyteQBIYNbymN7hq1uYsb9bY8nkdLuDgQ xA+OX/i7kinChIHgdHMw --===============5590246789676620751==--