From 80fd35198dca777538025a4c72be136ca975eda2 Mon Sep 17 00:00:00 2001
From: Dominik Stadler <centic@apache.org>
Date: Mon, 20 Jan 2025 18:40:32 +0000
Subject: [PATCH] Bug 66425: Avoid exceptions found via poi-fuzz

Prevent too deep nesting by throwing an exception
instead of just not parsing more nesting-levels as
this still caused OOMs.

Allow to adjust the limit via static setter as elsewhere
to give users a chance to parse very complicated files
if really necessary.

https://issues.oss-fuzz.com/issues/42528505

git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1923277 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hdgf/streams/PointerContainingStream.java |  21 +++++++++++++-----
 ...nimized-POIHDGFFuzzer-6478389109981184.vsd | Bin 0 -> 3148 bytes
 test-data/spreadsheet/stress.xls              | Bin 72704 -> 73216 bytes
 3 files changed, 15 insertions(+), 6 deletions(-)
 create mode 100644 test-data/diagram/clusterfuzz-testcase-minimized-POIHDGFFuzzer-6478389109981184.vsd

diff --git a/poi-scratchpad/src/main/java/org/apache/poi/hdgf/streams/PointerContainingStream.java b/poi-scratchpad/src/main/java/org/apache/poi/hdgf/streams/PointerContainingStream.java
index d783490f1f..69964427fa 100644
--- a/poi-scratchpad/src/main/java/org/apache/poi/hdgf/streams/PointerContainingStream.java
+++ b/poi-scratchpad/src/main/java/org/apache/poi/hdgf/streams/PointerContainingStream.java
@@ -30,7 +30,7 @@ import org.apache.poi.hdgf.pointers.PointerFactory;
 public class PointerContainingStream extends Stream { // TODO - instantiable superclass
     private static final Logger LOG = PoiLogManager.getLogger(PointerContainingStream.class);
 
-    private static final int MAX_CHILDREN_NESTING = 500;
+    private static int MAX_CHILDREN_NESTING = 500;
 
     private final Pointer[] childPointers;
     private Stream[] childStreams;
@@ -42,7 +42,7 @@ public class PointerContainingStream extends Stream { // TODO - instantiable sup
         super(pointer, store);
         this.chunkFactory = chunkFactory;
         this.pointerFactory = pointerFactory;
-        
+
         // Have the child pointers identified and created
         childPointers = pointerFactory.createContainerPointers(pointer, store.getContents());
     }
@@ -69,14 +69,15 @@ public class PointerContainingStream extends Stream { // TODO - instantiable sup
 
     private void findChildren(byte[] documentData, int nesting) {
         if (nesting > MAX_CHILDREN_NESTING) {
-            LOG.warn("Encountered too deep nesting, cannot fully process stream " +
-                    " with more than " + MAX_CHILDREN_NESTING + " nested children." +
-                    " Some data could not be parsed.");
-            return;
+            throw new IllegalArgumentException("Encountered too deep nesting, cannot process stream " +
+                    "with more than " + MAX_CHILDREN_NESTING + " nested children. " +
+                    "Some data could not be parsed. You can call setMaxChildrenNesting() to adjust " +
+                    "this limit.");
         }
 
         // For each pointer, generate the Stream it points to
         childStreams = new Stream[childPointers.length];
+
         for(int i=0; i<childPointers.length; i++) {
             Pointer ptr = childPointers[i];
             childStreams[i] = Stream.createStream(ptr, documentData, chunkFactory, pointerFactory);
@@ -95,4 +96,12 @@ public class PointerContainingStream extends Stream { // TODO - instantiable sup
             }
         }
     }
+
+    public static int getMaxChildrenNesting() {
+        return MAX_CHILDREN_NESTING;
+    }
+
+    public static void setMaxChildrenNesting(int maxChildrenNesting) {
+        MAX_CHILDREN_NESTING = maxChildrenNesting;
+    }
 }
diff --git a/test-data/diagram/clusterfuzz-testcase-minimized-POIHDGFFuzzer-6478389109981184.vsd b/test-data/diagram/clusterfuzz-testcase-minimized-POIHDGFFuzzer-6478389109981184.vsd
new file mode 100644
index 0000000000000000000000000000000000000000..fdca3439b1bd78eeec10f89ad0f91fa10b256b8e
GIT binary patch
literal 3148
zcmc&$OGuPa6h5PAX`1;U%PgmtI7PT<Q6w}%N)MZ`d_g$KpcVtoO!z=*qX-rl5fW`e
z7cC+eEi#i9K|(==8<Rv@Sd%?X6nB=T-oA7H$Nb~`<BJ|=JpVcOp7Y;x&$;J*{;&EI
z-{0;^8zH8N1d5Of(IJYYIT1tA>X?NEtl4Qj(JFOrP6)yFNHA0*vB{kLrqjKqv!Ror
zk%agj;^sHZSRzCtZxXxIa>&A{l-yJc_E8>P5$&R$JXB3ys*}FP$EY@#qA^V+N~Z`5
zN8wtq3|LGwc8KA5RI&-8{X!g%h&)!8hp2`w(lNv)I!iuJ4Y{xj-WkuRG&Mg!7UJ`{
zXtmcI!%7*S=%wlqg}i-KN%eF?+!Af#>P!)I4}LCvKiCa)%y1yG&!@gFdq_0tsm=1>
zjXJ|6VB&hsLUMzkmC$QKtX3s&F&4ZQ9EXy|L#_iSfY~>Z8e5;(_tU-?6-OR4w6{JR
za9UpX*Y>|18a(Wx=b!zV?+*Bn`^)`QSL&{H`|^C1^`2^P-KnO39+2)$BwtU>v1R9E
zJ93HZ)K*+(d0GHvIfQ-dWd5FRUP#%!kTJ*>8bnso>ab-MTk~pM4Q}tbcs`@@d?)^#
zPRl2!lTy^zW~H>?LXe2&W(SIFpePbf1i>|x7ts5&TI;LOKF^gapecr-YytE6XMn9>
z?v?G3JHR`^yTF;?Ij}h?O<%=EwGS;C2rLoE)aq=-3aQ|Yyp%?;O{(@43hgGW@bx9X
zrtLT&m1E5+cG%_}Yep1ZQjS$9$2uHah}Q~$SSSLZQyyy)QB<}Ni35yFN=eW2c~#K0
zY3Y(gzf$&4p~S|cGVC@TfB7hk_^aTMDgI)49e-&a{w8wzj3+E*h;R>fQ1S00gNZr*
zo>?*ePKS%HHr*P;TqgcHfc^{NZ?@gu*Y%ha0|oL{11b|dFyQY&c3leo<^Y1@C>VdS
z)L3Wpx31nVk9x+N+rM^R9=Y2ya;JN|rRPIO_vFo<(T@9rEymwa&}bs*55Qp{PiPWY
zI3<;WjQSuL8yG=!)3THwrrug?mbwFD#3pbWcr!R1%uvSv^E1F!u!OS3;Sio6_@$F=
zQ8?TS*M;Fwu9hsH+#Af{;Lw;^c-<c`%_!=_s=ySZo1re8^vYp9=nJT*>|}}KbjgYQ
tA`$lP$uyORynB`SzBB*U`3rYVX8vF9TIHW3Twwj$8mcK(nV@>SzX3L{Lzw^o

literal 0
HcmV?d00001

diff --git a/test-data/spreadsheet/stress.xls b/test-data/spreadsheet/stress.xls
index 32e1be3637453d4a7a87902dc97ba2e6ae4f40cd..f000204abf3f4671925cd976815a0d4f64269df2 100644
GIT binary patch
delta 14422
zcmZ9T34B#Wmd5LbBm_wE5<+r;M<gJR03mE48xWGP?+_LjR1gs&wt_9#V~?W`aeCZa
z#u_@kj7>Z3OwX{$5(3H|HrZDNlub54P!k~ROQ!0(=hRER?q5HDRquTN^VO;4-dCn)
ze-Sx*ZRFf8aUTf!Pl6EdEi1^3Z8~w1?rA9czdCu!OS7iUm_GA&B0;=RE$7635Y@N7
z5V7S+aZh#Yl_f;~>62%?GJV#Rm!~|NHfzR=v}dPGc`0rBl$o=pO)u@3HhI$Y=`&`f
zz4Y>o$x~*|Oq)6D<tdY1j1*!}zkzZ_Vf*s=g|Ej&^%C2f30XNRt6pwiPWhw5i<&rt
z<;Ia6WnodHCOO@6^Rn{tyLQRX&+FPXuY0H8%zU=IY*JKI>(=5ek)pjQtNq&u(KA(u
z);)!&NfM%JoDiSHmv5W;m=jDIos99lt|A@v-@L?7J3>T=*$qSOdZM04s?&}Xks_&W
z==&%UC6a!dVtCOaTIBgd-zz&#UX0fk5%D@MLfkH&|6KN<xJ=c!uZp@rF<g0iX?k`H
z^(<6Du6UqYPDHd=s64ocT&S|Uf^`eEPTZFT%L2Zcq+A4Lj{Nm9H+bFjMTr*T2GJHN
zhaPRQ>T$(gidw8H;R<%J*mAJgI9Ln^ZySv!*AjWLA%CvP4=MNF06zy>Pm3Pz=Ri-D
zf#rd0M@8r%er}{owA3h<Sf-XhIZp<cyVJM`OH>hB2<9v?oTcDIkb|X`gQeiyQxQ7%
zQZu-vR(Y3Fd25#ka=0wZtg<XK%4L>vnWq$Te0dumOP52MBR?#6pMQ@^u^i^#CnL*^
z`EtvAIm~C1rrhI@rrcO4hXtPVa*%Hb8NVVWwH{Sr1wfIer59O}EMDOThY)-PWKlFL
zD~zEE7-CKZI8#Vd0Yh`hP=zs60Ygl#u*emLyi$|pkrlpT=B)&89`RNh-b$;+E5YM=
zU#WRAwW665D|0IX3A{R1QIve4A~X|UAVF_Azrr<vUm);|klQNS1i92-TBZKdIQbGz
zZYhWB)q4I?Ngq~~jK=C-t;ZwkQ;k=nQoICKTfEhVw;DWN6svo{3$KdRrc`Tyjv@3K
zpm|fR0lI@+ywaUEUd8E+wg#LAG?{A*XRXCqYgt?i&KMP;x5ipyaV;#S6L~Gj4Q1vk
zH?<M@S!elK2hIdJX_ecT{j9V6tTTSr!w+-TTYlDqGeE9c6;M-qTG8St-v-3-RBb?<
zI_TkhgYmrqzIT!D4R8=&-t&vH2p@wsdI{y})mhC35n!V+R|#`InYqTF&iG1$uLPb~
zTP5%ba>g3h@yWN>WaaQTo4jvmDmEGVW{*xo+Dt=|)oZ#vkx0RtP4E^3H>Th%2<A<*
z#hSM*#^4rf-nPI-l6-xwo64N6;P5)y3eFt4Y^@vQ+1~1@$j?^eXB+%9AwS!|Nj5DU
zE-FH=qix2|HuxE+`t=Ik1~QLyn<0Ot$q}N7EL`VL=ac0t1Nq8=eC0vpo9kR3o7oOC
zG4dbl0zsaG?TAaEVQe?ac3>DT8Q%eAB^lg-a&%BFz0-HVfvd7>^E<$6O1vG0w-dZ(
z#M{}!s_#w!+o}*<mz`!vJFR)z33PM$(Rw$?pk3h1BxAe4;RU(NaCTXx*#(ZDEbcNE
zcf(=}vbftT7Lj*b<lQo`!S{Tr`A$D<Q;E0R@b-ZB5b^ea$18IWcmq^~9`PRIbPt^J
z&fEj1EgkvS4JoN<1lkJ_FU`FGCCURE0_m;D!d_!xA1ttPAC%cLbz{KSnrQow;$c~`
z(RI?~w2l5?4w>3-Oznp$K8g23!3Xhvlj{I-wIS{S%jE&MEGF^+Lp}g9uf+qJoFf7>
zi~|OJ&_W*sn&<o=&^fYmrJK$(au62V66c`d9P&8w#Y%sAZ!&Ypm^lP9=`?^tV6>A<
zD&3Oy)b}+qS1P4m>R%(XUbT7~d<_n7gRi0PKn}h(4!(hd4B2Xv-<co_Ho56M_-~--
zNQ!Ta;xH**+vHE@^>WyFK5VU*!(g<O>ox_3^O<u5E_qKJG0G!Q@|kl4O5PJkO!lM5
zo+%SI`<*#5bF-Vyildg|s8M`NieGIGJsQ3>S--U={97<m<l@b4uoKnzJFCXu)v0m3
z_>OAa!n{}<L$=POJ!UPsW6&0>2))OS84t(cp`q&6vv>?1y2wde+#qv~gTpT<$HC$C
za@=r^gTw3PI5_QS{*Ie^oPfiw<nRQ@KU3}#AoGShA#ZN+nKgU@yl%uhVR$D!p3K}D
zTEi!er<3r+=f_DfvgC}dZols2;FMLPQ>MPUMyCwt6gcYVB5HIBoPMHw=hnH7{A@vj
zQzJiJkmOv~pYr3c_B!3=r0sr3Jwvy<(}s}hd#JK$1mBwxoW=;)&uOdHr{RZJ>uKZX
zH2m;hISq1-yuaN|&82ajvBq@<oJ84mha2Q-oPjEj{G2g<&cY9K&Vs{lP-m?fI&1u#
zg&#f=&w|WH;#osJr^!K)PZrNv7S91)r9yP+&l&VNpnDjNez^1`)8`EOJWMnBJjlGP
z&ReGCfSn2H*HyS)?dRe21|>aja6foB`TEW*AE*8Su|4I6oo=uf*|~s3l|;LML>-8B
z!3^O7hLCQe^biVY2p3Gwi^$oV$QP~RTm-q8$QR|fUA}bQu@~X1ka!mj??;a(-`^G5
z89y3NKYE@h+mB$hlY4f#sYTRx2@ZJXFTp_r>Fjo=@d~;G)g5wm$z;Ba%*?qA4o}8q
zYcehyKbPT$pIDbcE|zcZcAX;mr``U-29)I|qxcC5{R2zS<WErap(^}jyy(2H=qs=7
zE^fv(`q_N@3w=9$PnM5Qu3xAYAMJ62{iqgI7z3YxRTu+5eX5M3DmdaNLKQgu$x)Tb
zS&f_nh+GXazrIvk^IR<hdwtLIJXeD^ka*RGcg5mev7BB3kI(8W#_1Jn_OEy&R_|4N
zQ&I<!v8$G`s{qBx1AE=<w^c%2@~e;yCPP<^p=&V2oNM5yx2%1EAW!c#D2I^pno-tR
z${J5e*=pc`9}YEUC^go?sR3C#(5Fa^A?ppVjvh93-Kx@c3w_<7uUqKr7W%qD>(j$E
z<Qo?G2FSd2gEtKN2GCr|8>W)Ft~UW3O7n0NKz>oa3E(iQ+)cx~2_A3Eo8S#6g5Dyo
zP(1nR{$@e`rF6?^Z&}(~mi9KZBZzbxUU;$IhL@4#<+kD729F<>x5490aVOdX%EANw
zAP?h?k=}vS1VcKClIuH2SCp8RzKLWjcVQ(?Md)e2Yj}6T%T)ckuy?^5O@w=`E#N(j
zjgPx~0OrWM2Lc&mNO0eZzi&<SeZ)7ALk|XmoZx{K|G<iW;PF+2HvGUCegMP#AbkMC
z`a!Dg>nl`Oj3qa<;8mLM^iOFNptS<l8elDeyzy!Q99N!r=)(x-5jp=GzgZ8$;R|Hp
z)V)9!j(%J{N?G+?nkybNt-6!oINAfRFURm4i|1Iph-d&GmxYHzRw9fv!jeW<Qhm|r
zit%Kno^lpi5A|TBn95tv@alobCu%+Lo*+V`XJx!Rb=aTHM`omvMncLDiAYHG>#d#{
zeHZGACuQd&{%pQ6jxx$9D0x3bLCH(p%lV`XDkYz7(MA~!<x`X;8p;XOs!uuh)yY}k
zDC=9w`j#>V%89b&(X7;`i57#1Nz~HUfv%V+XQ&AF-2f5KP((wD*l@Hs$SQp~=ZeV`
z(a4&RMwpPcG$D<Q&qiKVX%#m@j%SGwYw=>i<NX;69$t)tYQ4uAU@U-q5XJ%+Pe6T{
z7cv+JAV1UNLO{ifGrTzPc)H>&gPQA#;1t5gTMpv^<fA{{0OJAF8&dE5cmVYp@&U#y
zpJmQxv3!Q*)2ycjzXSOI)9*kUm|y`D0Mu_o-gkPd@`6h+zyxE?i_%+vsyy*s`}ATm
zoM>Vb5zBAKiOAhkW*+kgIZI>M<}8hkvayw=F_ik3oz9sA*QKUa_un@qfyY}j$?%da
zCrMpAD}>OueXe-UwCWxcO#qCOH;)A-PNN8YQ4oqxw&o$(nula#AQ=YuF_Vn^%+q&?
zu6SO)cHAGt`K)F=#VAuOWeSwPA}9K`Q7KJJJD*7t=vq!(!*ea3Yw?-}Enrg&je$)8
z<hg2UfK379=SNcjUm#2R*3lI&npWM?HUlq_R!uYT<Oe4jnxCJ|fSOL?=0MFbEsf&6
z-W({dU2|itxv{2qQgiV164KW;u3(nmnn8aDt8jh;^8==Ll7{&;O!hsQ-jyrT!bG;P
z(zY;Z^^K=1UXt@qW~K7^lZtPDO~cZ6pE{zdPQ*i2L`#Y&JeB3+<<t@pDdlgT`Y@v8
zWkRK4RQ&prhC%V^nr5t~!7Bf&l{A3#*{-Y93aMU}Pn_`wagM5Cw=&9Bma>(l)OV$>
zU?;7u`nHA>=CwAw*5L6m+8Vr><m6#*i_YSv2b57~1KE5`J`91jtuItv!Le-+%L}EA
zw@~E7v#wFLG0FgxuTYkNWjg@n7`f!E+k@vW0OfBezAe=MWLkAMV_T?m#K-4Sa(D%`
zHF@<bgDY5>ZaGeevVoAJ&ZXqPO?x{X(pM>!e#Z#O+gY~Td2%`boZEw!OFO84OX~Je
z|Fdb;-J<QG9_h&Hb16OeG2b3?o+y1|>k5{4u#$T_X_zC6&Zp#u1p1Nj8s*D?{9jB<
zXXjrs8OYv2esn&N@j69xMEo13RX4sP;@iqo=iU4vRH=?ItB*CkG%_u9rd8-nsFP&p
zAKZzvO}zH{Cbc?2J;$`_=I-R>ro*9=S=F7es@Y8^&yD=c5B|QqBs+U~N!i&bJ44A%
zIz!1$y1>a>vg!wab_Y^+G0HAhPVZUA70}nJu6RopUhoIUP>s5(_+;^~G_I~HQ;Oht
z{m@nM^j$Y=db`27ew){|?FI^uw3|iA0_Ar^$pR&|4+*n?;U9@vW*Au*2Cup-1$4!~
z5u&>Xl$|g7v-vk-ccbhMB`>({Q1Wj?eY@(4w`K5R=wX{}l-W@7Hp_<c9m<*GDNRdH
zKTl!~#=x&~Ifj=59&fxH@ZKdt?jQ@8Yt=T_0_GZEu4ORSGbkth=nwKqpJ$ab&nWYt
z<Z|Xg$>r3yqON$4jOANS^1<UG=Nn!=cwFTCCIE7k^*f&{-j}{h#l8;+tFL5r-^5G)
zAV2kc8eC7{N@-2>1dWyYF4Ywu5~r89d?>OP>=mn)ek%7eyk6jGA9`{20`K?KD$uJt
z1S|lMr?LP*eyA51V1Z?@06=~v)mO41UT>>@y}{#G(%#^uYfrr`hrKO_g&t7OzwA$E
zD}}~Np=G7evr>Ng@}rI%btuv)k;R9SoYD9kgU_-0Gk2VVM&n-=3Q^?vP?#bl`bd3h
zOGQ>`i@egxi9fsfb4`TahW}2jVoP0Y)v?&Cqg?WHAcO0qe|Wfpv-Pp+)W@rntgVx+
z4~E9s`daF~mbx!x8~KadgBMX>YmW3qtt&oOpL(SIpyoZ(59&A}|Mp9Yk@tgKzq4sU
ze@osUa(*-J?<E(q`j?da>$EWYLw<u=11$Lf%liPx8_2?{(5uA&s3j#I2=#xMmOgse
z`#`AGGkR`S=ovi_a^BwFLBsMvR`NlRt7r80RiS6}Ajo+$4@UNRlzp&OxxtW6m7S|y
z^MWuK>V7oxAyEH;)I%)w5U3{zIlDT=yq*k!yo?0uQc?|;<wGs+Lm?j^<o@cEe10h#
z3i%&NuFox3{K>R*<@g8vFi$R9UJ1P$4TJj66h9p5znE6tx(|n1)%~R_p}G%;{69%B
z!jg}$ypMof)qUfYlpvp?BOw2T<oc25iocpx-3QJ{$oXg(X^w`GI2!c(w_da(!JAJl
zJ)a@osF0nY3LOQYkIvCi1~|$(YeoV1Hv*Pez>*M9@k%U%C5Bf5-g~q-O27-gPtDN^
zm@Gae{AdMCHtT$}0w#+ICQ`q%@Pl=<!la1*BHb8^G6oc$^D&_4e=(!$Ge((Fl%Q#9
z%-;z!7MRaWtFD=`!03xSjT!4<OiNSrRj~d}AG*ncDdQ|N<3M>J9_G-xV;YAsX-rH+
zf>8hB_-c~ee)S!>^lGG2t6Nd(D<R~v=aOW<Yf~fU3AyN+ztKYUI_j@|7nW5eI<4jT
zsY7J%nx9+EPEE#F-k&S0KR<31YAckJS3d0e-y?kgP2*KPYO(x}d~mb9^AFkXR)+Jx
za;*CNKRH`{E|81V=R$e(Rz~U~Qba?cm!uwdG_J1~%e32m=X2TXwm*Ndiqn7hQD5CW
zH&_4l{`^T#j4PH9BgSIH5M!=lER~DuFdA5lhF~lsMnj9y&|`dj$L}ncE$)PDG_nx-
zG<8KeA@m<~dzW8&D6wSYCB;}FKd8fqvl#l%vRzR@jChL?PmJ#sW2L-ThvBmr>QChr
zV-+zHEJgw`M&0#0U&t5khQ^X;F&cyMB{3RXjK;*+s2Ho|@w@(1o|Ytw(FBY&vdO(%
zXRRD|FT+_UUsa#$<!9=1gWRt^H_ChJvr@LZpX+RrPpi+(@{jj3oGo&T`rIn3)#tYI
z77t!<{t)4$CBCbW4{B>``F|g-%8YRKIpy!v7CO#X^R_z~&h~jV>T^e#y1U4Ac9uP+
z|FNrVuKGvmZW>Mi!_mk3dNnZtH5|Q`cs1z@4p;1<*tS+|+pySl#O|fobT787Q>2sX
z+ee-4sB^sPEZt9??Ja8iFslAJ=86Lp+rf(M5Eh$(*n<?Cf!IT3C$)pGsk0+>HjHvo
zoo~w8MXCB6E*q=<;X6Vhohjt^QBM2Pqtw~O>r^dWrY>QLyCU(o6x-E`?HU%_4YA)*
zY&S~wP_#06j5@QZbBO9JJx-n7Eo%2Ls(#yc#R-bdwqmoxV)c>Yijx$ZL&^4P2dAhr
zmpbog2j5d?o<+?IqvnHpnqu><*!-~A9*8|dvEH9z9x8jIzH)GuI(w3X1*)_39Ch}x
zsJ+6d1)!d%*a9oIAS_n@esIMP6x*AUb&63AE>LHo*STtZjPprE=|$=-vam&A*kWLR
zq}XCBwm2+S|6X^+C5r7s7A7=O7A{j~U+R2Mb(a1_o&79ozc6ZlP=BV_{#I=Nuvq=r
zcEv9gJAjhK$0`R^)H#qkd#KLRYU&(hQ3r)l2ZMTrVh3BXgTrF=^@c01QtS{)wq859
zMx8^c^OAN@L!HAc>aZ~Ca8R#P>~Je~cv$QR#NMFT5tM9toN{oJI!99HpH*k+E$SR)
zQAdSQOF+F%u_ab)Nm%S?#NMIU(Uk0=c;(<Ob&jFVA*!?V9(9hjsAI#Z<3PPnvE!`R
zabdBKAoc;pK0?X%Y6rE{`6zYX(GHXx?<9{|)W^c8kAtdS$q@Uv75jKttiCXJMFho;
zr(|#Vl!JQI`2=+?P@Scb)cK@EeKL&t6sS=Y`;-;?R9LKj5mx_a5sIBa$vPz{2lc6Q
zB6W^Wa9%8pq0Xl*>eFG=NuV~M*hyCGq_Eg$5ZjPqpJ4}y%0VOQoa}Y38lUKNidfmi
z$*&iyj@=?96rWCbBeJZ-b&|>+bDh|ju5&gvT=x7iN4AP=Qa0OlYMl4WUTNyQ74dHD
Lsyj`c=z9MT@$2@b

delta 14121
zcmZ9S34GK=mdESg<bou0LP-9ECQ2|NkZ^}2goGR<kZ_}@ASigOGO#*2i@NHn?cmJ1
z<1wN&PG-mTn4O(<RqhZ#?r;-sL<Pbn_oW1ca3@>!>-VZtJ$|OKUcdK!zxV3+|GVUk
z6=82I4V%>`_8me0ixc7x3kLO!>2UH<ZD}Khy!6DA&pkiw*<a82y@(T6ev&g|-VM);
zR9{sm#6Hqb&MEE|874$!dBsra&CjilE~$u>J?_tr${UbdD9V#X^?RdA+E*t(9v+^V
zDQ1c!6&j<+#c4w1qzJKXpb(!X2+{iiAr8f=>?&_wa&^hn364MUzC<lTyrv=?_0Pcg
z;MgNPVrHA*xRq!n5?hSJM3_kI8vH(7gp0(NlMF9HM2LaD;P*<FGcYPJ7M`}+&m$VE
zlc(iW#=fNncT_LFQjAV=(t-@{46=N!oLrGBKUm;;uNs^35{+`ng7lmyvdxBHlNvdm
z2r*k}bwQl1RJwxsvo&Abk?{*%e=|kSQFXiMm{u?coTrF0$8hF=)6>LgjtWG!IjYh?
zwz=wiS1@@l$gFTK$R81TuKZ$QN-`7X8p1pf9C>J=uUjtp&NC|JLB-q3uC>lXHSY-7
zxjL!LQDU@lK9c5;%ltt52sGb-<^#kHoexl>e7QQ^+ln{~5Sbw7RJ(D*iM9ZKVUFBe
zotFC~85hEFCZ$+tQY=IY4qeEhy%r^<gj0@cXk}1!ph5DnMea0ibTz`bP1UANi&Q#S
zFlP}sdeQ3+EV61|WCSg;rf^Y!EPq_&mPe4D8gO{RYQQO?!fFhs#^Tg~b4<v>nlvxB
zeQ`j7e744ozpenQl&r<d@g5~QLjJ8L*@=?NYtrL*CYJ!BX0o9sEtl(93P>j9UuyC%
zMgECY?NWqBIdb^oG%rj42BG8RYm42o408Mij;&RxdWU>tTDeSp?}|3mf@M}Kmw_``
zZeQ$9<Alp7VSuyDaF$z~<yI?~gELfl=-kUqDa)-^E(bYUj#}cT#E_m9;Ba48fRiA9
zyTtWxrMgxiDwgV6Vf3to9_FmH^sEeUNY6^6XC?Gh5P2oYmBx#A`6^AmOSC14tAOTJ
zyow~|EKSexlBiWi)M_1SB3C1l=X*6GXUg}Nx?W!Yt0BQ#U9+^x<K={F0zHwFmS=n7
z964)w(xiCOQfq0c1#uh|P;1JpMVY)XYLTNIX{|L{*FtN&bXH{NvhP~UcdhYV2j2uz
zu?{NQJ97GpeombHWQCi;U#+)FUQZ?OUg1vTuCGUmIFhs8q}X7k*Z>Z%_YHxjQ=uD7
zp&P9AwE^TrdGAX1nIw|B5u92TsgI70;OH%<ckD)RT*U}{r_X$sbZs=cHbGYh;%&0(
z+XP-$d1R%V!!6td70JZeWH_5G&Sr3C$gEZAUhd3hM0S)@R=H(9%D2Vp!xpO#TTCCe
zpbt~2$}Qk@lJi!%{uJWWfy0Zq4jkUEb%s+14)44=aPFc?>P#j2dso~|<gHdmwt^h5
zJoHJhRSsG0HHZCH@H!K3tKn_4c-z3^6JZ;8{G{Awlx~C4RMM~w<SugMYBz;-Z3l-}
z(DndFURv#D@Tt5VQTokIYu#@2?0}woWbZXTr&NwulkTL+->h-H_fWQ-AkUChYtqZO
z=R3hlr`mQJ)~*1HB6nGuc0p5-Y+mC|>1sUmD$F3xF2mUkPB-$}4Nk4H>6N=1oUUr5
zSM_ddRquwb?$TfDPRgX{J&5LGX%C_&t7zSYJ*LBZ&|yBP_JET`y7m}d-$GZWyj1IR
zhRWEr!E^gtMDXhQ)<o<@L=V!k7h2kzk$xLgFSF3H*J#-bExb?mg4~g`>^0=?G}$A1
z$dA|hGWdn%I|KR7f_xW%$U|%06c+QnH9g;>F$pq$UGTjA9#M%hZ(VxtT9r<>|A!Xs
zZ>vW7)zsBTi4vy2--m*G$uHOWCY4fY`;4l6P}PQ5`@ru_rR_7N?GG@NT@&|PI`<=g
zk-U4o>*r;(9~@pr`wiy+IDLq70GyvF_W^Kts~s>34?rO=^aCLGC4~nJxn7g~g3<Ms
z#QK0l<)YVEy+PLl&F4)$(ESKqZ_o!JI-5iv1esUwLDPIqmPs4prm5dW=+Z&p$|>nV
zgF9s54gtr<%^~1;0Uk0!4?*Z~A|C>|zkGj#JBei-whBIMaSj{KVQ_d;9R??d3O;NU
z9)ZGK>1^~l@iJwj8^<j=f`~k)x_sj-N2YC#bFRqL%?Zv`{V8KM?{IQu{pR3Li=!s<
zQDo+$?<hFxh4ij1Nht%Uvp-s${ShTxl=p6N{rSd2pH2fw@Q+6DF$iYPF>rWU9Rr7#
z)iERJ7zACVmL7wkMm5s&c+8NGYqDQ3`nc8Q<3RHp{BeUm4m68C4m68CZqO$nx`0YM
z0dg(LIRSDe$&pXh#ZAvJU+EqcQV&iT+)3aD5$>eb%ag#B67HlCdJ;l;^Phy!B1ayr
zOL7LuYjxRWyq{0uE8fqiOw!XxT1-h#BPp-t(@5G{KC{)G#_Q)aI5$biX~Q{Van69l
z6L<z3p1?Ck{27SnbKwlgCGw}OZVKx;3l2Ym&yt?hZLVMcXwoOySwxjmGtU}5=b&dW
z)pgEl<~ggG=Zv0nRx{6mTtwt^hJ0R={escwEs5uW<^^@$pw9!%lW`tso{aMbeF37&
zNc07Zd;w&B<C3}C<1#9!2N!@VC#4q*PWRsxL*z5tOVy)w-geg+A~$Uhu8E&589$r2
zi-@Zr85gbIU4)ESIcSGF?JdfG5u8fOf6;InEKUPBytW#^X{|i;c5N_?YOvNs1IWYV
z${lVB>$zlcE`gIPFYR#sypk><>K9^PGI}msdM;b-y&T|B%w?nJvZd#;MZRpvI+q(K
zSmG}Mw5-~hK9HOAi)oTxwpSo!IJNi+{Q2Gb3Z#s1KHQaLe#2ft^hom8XPzrK`YNLN
zd3F`i{PJ?u6mk`X@HW0`@${+bicv&w4D$R+Y9oN7X?7b8un|ChRyG32EApBJycTGO
zvgy*VQF(!xzh-#XzzY)eA?Y7On)G&e#aJ_Hc_Vinz*yy>m(q0uybfSbN_!mw?<K+w
zi+2M8d1>AN566{X0dE-K4FGwS-2m`D0_qbnDDb9L@l61Et=}}fo0h<vmcU!!`MKg-
z7VuV3p%Qq@0B-@vkLX(fzC-oj25=n7y$xQi`A)wza|dr5-fj7hJqcO&Q_LL@9x$Vp
zb8rWWX3FDx()|yTM-%+Vn^8;urhvcl&~w&gGB#N)X+j0e)3>Ism_WQ{RKTmgImqjx
zfXxQjYyq1C!0Io*eb3{6h)6=+j0W#_l^``LC1t|ldt%|}dt!dl3P&%`iA2y>tFB<4
z10FxL9Ps#w;256c2aq2L4uJZRp!bLez)5D*QlJMwJ)OFB9s~4%$NSL(9`7c7XX^^)
zwSquDulH5}^5eOc0k#70VG_{_z(;5lW&y*jio+~{VTKoG@xuHTP~X(LVlv^w0p!UI
z2T=b!)fI;uU^swNOpKnAM`;vc@gl(Ef+N85^GkY!0Y+FYjDWz$2pDMrBdv-f0c2jJ
z;YEVSlMo3W3ycaVd|WQsmz|QKYSZ%`1(zo%rM`-F#p5z^e|8EV+^ylEFEh2jzLeD-
z<M)^PIVu{qe<F`)tMX_F<&!Ad2#tnNeX{8eM<a*k>&sDBFe}C?I>utf_zf%uFn&Rc
z0j!kdXyHL%EP(noMJI~|kk?_X;l&zp0WUqxPZCexc)H>#^*K#{*%m-vH*EndrK;K*
zU|RtB?Y=Dp>bHAM&^NLHU|^(o9t-pa1j^<EZockSz(dQ?zh?C)&Wet+`W1)hA~~ks
z^>XgGKyLX$eRn5Tepc`1^W!QW-~5WW`tH>gQ_V=L;sd4~xUJ>I7SZjjXnnQnifI&`
zVD%^g(Xq1lU@&(AqNkI;zFG-Jw@360s=htte*a*47W*e!{)v`<BK&jZ5tWTQn22ou
zOxg6ct1F&1qn0OM5~AZ}??Y}r?}sErKSTcd^3@f;HX|L)yWXWr{fFEfUg<8P^~`m!
zB0E?!*MX|ssUr2V)_bIbiA=U4ldZ^Ps`u{0!JNq^vLhm&CAA$9$!oVGBD>0G54(?X
ztsN2h9Qo@DURQ9m57At!57B%e`OM1qVdXQ=$2@uDa7GS$cQW3c;LR(t6TJ28>VD~K
zVORV{<{imS;s5ZH0*@&2&=+^w<E<7RcUd0#qE&nRa3tGYVc!jpf2mGBs-Dm@2-VqY
zYUe;xX(Bosxt+~9p(m&_Kw4@l(l9I4YE&v%vBXL>tW?eN3tlIw2G#|z=Sf%>OIR1c
z#u2QGfpxLE-UX}|h;R>hFPf2FvAnzF?BjQt1$U2;kY<IXS@onrLTlN4+)a5)3DNbZ
zA@W}-g}z~S#f!4{37?-I1nEX<x;5qLh<u46yCU*sGitdtyCN_DNa$*KUBTm*lCI!Y
zkgg2B1<bH|nE~Jk<)J4t!vHe?Gzb7+AxZjj+ZF$2Mp_{MsOkn@Ce2MZ@cg<v-2fa;
znz{k_Dj~W9_?j8D1a=3IUrM?gf!!@$cko^(LZ-#bthA;s6F}aDnFg2%pzf8Hn+f0>
zG}71UuK2BtKIL<|%8XO#eom!tq}4a%*Tc%x!^+gdWa?pM>S1N-3EoWN^#qU4s-D5#
z>X+}H2H4Z;MbAJl<WHx3S^V(og;2d^baB0uf1-GklJrvkN#b=m=(I1N{d>b-|GL%w
zz2VPu*E`@((S0EJck<)Yz8qeceT=d`P{!-BkBW4~?<rD0%w6$2dH%G|&kL}xiR_C=
zUVwcO$-h$d&9f{1ojCohCiR1IK56<HUO(`7ul57)Eh1zGb_fHrty#<lkhgHQ0cHcp
zr*<}g|3Se1mcahtaclcqy#C-}hxE4;_O}$~0Qd*O=U5fz0LZ=1F#>bI<KE|h$Gy+B
zc)5N{VJ?6?CAkKe3m{KPE`U5Gc>umm0`sg6=7GmAoOy<q2i{b*$fETs%LDKodE>0l
z&&?WuQ2wu!15D@u6RINz1R^Q9e(7_?yJpn#{LBZhRHf9%UB2PvgU7Fn`RxIGj}ZEu
zRRQG}=Suzj23ioXkw<~mzXBxTpP~gONr9E5z{;Vose_^mEnZ=;fBK@N&;SdqE))XD
z0`>j2EB;6V2LZ?j$snr>gA8vFc<-ASy<2C|s0chi1B<K~E($7C0*ef=$P!p&2`mPX
zdBs-6#a0K44X?PprLY*lS=BFJ81G;Ul~~LYi&<i6EHTUyOJj+pu@t-y)Tdr%rQmTB
zOTpuVrc_q{oHC^oc@DPX1|yE&HU?Wd1{)oNq2nqYxr3pjkw#?!p6q?mm%}GfnTaez
zB)@HzA@V~~QjSO|{TF?HJ|fCZWH}=Fh$u%S9}z<Wk;EBd^>PSm;1gnq;SB+gPlzGl
z@d+_h-!Hl1PXrulHFGF{Ptm>{YJfv6fkOc-r>0bZ_mO<I!Iv|cA}dT}1tR%)u0Z6U
zDR(7Bu5R%8`KG_pL{=h_+gXXoDvBJ2$iJA8K3n*#8ipE}H_Y&cSxSb1_n$-<9s%HA
z<&;ao$LDYpI@~IMI6^<BP~Cl3{8i4o6nuP+Fp(n=$ultmk^e=JBN6$D8R;VU7tKg(
zb&fQ=k>I787=1K+N~2MMnPuQ8YpIL^&`a|($^b_Js1JX=wMIeUX9Uy>)fJz}&o2A?
z{MZ<6B1a?gZHgR?$aiR@7h9tEoH%2Yl0@@2O2;TAi9)XwopFq!Bnn<1V-zJx{Egzq
z1}TNgbu2JE&0~Sl)2uOLEzDS8{#%7ddE&%ndFe`mY`D_iY1IGbTvMMP%gt9Odb&GR
zrR^PGj83E;MT#=ksUFcd!AYH&lBiAe7lD<;=-@b9xelyef9>xc@83zO4tB-=$QN&R
zcm5$iznSIyuiU0SzmV6}=l{vHTUpMRa;*CNO1^r_m;bej(|`9QLS5W;RR0A2MpdLr
z=!)6Ij098nT^AUM8{e<xu3J85j=a!<5oIy-vE+)m#At0XS`(w>w$GU-AHE&b(Z*s#
zgE5~N(H0|`81oflf!x-D5o0m*f$WNf#E7*RvBc<n$LCbb!aG47Z7qggt*%%^46nuT
z5@VKP)X3Q_7;zRuzq7bvF)`vTMtp$rVUy2UB0Dt&Wwf&p`ZtOzmJ%YtLL`uk=M>``
z`EFC5vrMjU%5s*=2KBi@c52RYR?15Cxk^5-K3B`noAaDCa-aIF{V2}Ka@KxSs6N+y
z^egqbzUEKP)6U{BM?Ho&RF#A))5fZ&^&gw6{u1uwIh(6?=|8qqsq54{ZyiZWholiz
zqa&P@*sWyjs*Qj4IGtmgnwy*X|L-p8>v48EA3PW45hJQzQ2|r8Q9wq3qDHIKUd>R2
z>6OWAvm2VQoqW4lzTHB6yTf+}`F1CDO)8mpCmA!zm>KD$JhY39SupNaBds7SgxUkt
zJ>=WN^6e4gtIrcxd|UN-r0U(?s%`2I?{^g0I}lkF5#@CEeow|eWGsqOB7Y!bUouWt
z#;N<r*w0GbFC=j`67MJ9Y|A%0#J4|u50GzvO7^o>P*27jGIngO6dWXDu0_oaq2_^l
zh<x)b-@Fjt0q{Lcz5^)Prz)BE2pRLqSf>>nCF4MgIxvJ<0P2tATVVMXg!mT1_ZayW
zQnJx)l!D`A97M)fl(FCh8H+4xQ3$md)RW{}9PnMTr;YQ8$9sybC4_xFR^>WP#!@nV
zrHoV0ka4h;Yj8-eGUPf-zGaqgS%|NGWpc$i@-3%iz1k`T=gByPj1!e{>IE_mwWvcw
zsQT?f-P)6Hh2>ij;#&#dpUJn9k{#9xE|PH=8QXZ3f(9}Ux2VHIs3SnVM7|>|-w`3c
zBjJ0Qd`D8UKdNNjU&uI$jLWowD`XsPQAdYR$AEg3e8*V6V?un#!ncup$5OJQIHlkk
z8Sf?IbY+}+os9Qc)cZoH`clUgH^_IK<vT9K_kQ@^B;Wff+0R<REiyhp#*Xny!EG`=
zXi*;wp^gXj4*8C^e8-3QPJnL{`A(o@pQ>cuW->lR#yYJ)h2u43qD7q;LY)MvdNG6V
zB+GYFi0{Mj^^otwlx%c6rJxlVA0gu_%2=QtSfEa}sFOpeQ$P(T-zfyx)6RLu8$rfL
zIaPv66-ma&IF&LMM3M1vE7jv6sh&Wp*5vy{z<0@>1gDp$>ht!_ON*17{8lmQg}y{N
zzVT}PY){p_$xcGmgk&csYVf8vANqQFy(3e@+E=}i>|Al)u6m)P^QI@h&61lPorqTd
E4-e~?i2wiq