From 0d8314171c37d8d0a73af8552113aa7da7d65ccb Mon Sep 17 00:00:00 2001
From: Harshitha Onkar
Date: Thu, 6 Feb 2025 18:30:39 +0000
Subject: [PATCH] 8347377: Add validation checks for ICC_Profile header fields
Reviewed-by: prr, jdv
---
 .../java/awt/color/ICC_ColorSpace.java | 17 +-
 .../classes/java/awt/color/ICC_Profile.java | 80 +++++-
 .../ValidateICCHeaderData.java | 261 ++++++++++++++++++
 .../ValidateICCHeaderData/invalidSRGB.icc | Bin 0 -> 6876 bytes
 4 files changed, 346 insertions(+), 12 deletions(-)
 create mode 100644 test/jdk/java/awt/color/ICC_Profile/ValidateICCHeaderData/ValidateICCHeaderData.java
 create mode 100644 test/jdk/java/awt/color/ICC_Profile/ValidateICCHeaderData/invalidSRGB.icc
diff --git a/src/java.desktop/share/classes/java/awt/color/ICC_ColorSpace.java b/src/java.desktop/share/classes/java/awt/color/ICC_ColorSpace.java
index 5b0e8a55f81..d814777aa4e 100644
--- a/src/java.desktop/share/classes/java/awt/color/ICC_ColorSpace.java
+++ b/src/java.desktop/share/classes/java/awt/color/ICC_ColorSpace.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2025, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -114,13 +114,14 @@ public ICC_ColorSpace (ICC_Profile profile) { int profileClass = profile.getProfileClass(); /* REMIND - is NAMEDCOLOR OK? */ - if ((profileClass != ICC_Profile.CLASS_INPUT) && - (profileClass != ICC_Profile.CLASS_DISPLAY) && - (profileClass != ICC_Profile.CLASS_OUTPUT) && - (profileClass != ICC_Profile.CLASS_COLORSPACECONVERSION) && - (profileClass != ICC_Profile.CLASS_NAMEDCOLOR) && - (profileClass != ICC_Profile.CLASS_ABSTRACT)) { - throw new IllegalArgumentException("Invalid profile type"); + if (profileClass != ICC_Profile.CLASS_INPUT + && profileClass != ICC_Profile.CLASS_DISPLAY + && profileClass != ICC_Profile.CLASS_OUTPUT + && profileClass != ICC_Profile.CLASS_DEVICELINK + && profileClass != ICC_Profile.CLASS_COLORSPACECONVERSION + && profileClass != ICC_Profile.CLASS_NAMEDCOLOR + && profileClass != ICC_Profile.CLASS_ABSTRACT) { + throw new IllegalArgumentException("Invalid profile class"); } thisProfile = profile; diff --git a/src/java.desktop/share/classes/java/awt/color/ICC_Profile.java b/src/java.desktop/share/classes/java/awt/color/ICC_Profile.java index e1424f2cc86..1a3e650a1b7 100644 --- a/src/java.desktop/share/classes/java/awt/color/ICC_Profile.java +++ b/src/java.desktop/share/classes/java/awt/color/ICC_Profile.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2025, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -722,6 +722,7 @@ public class ICC_Profile implements Serializable { */ public static final int icXYZNumberX = 8; /* XYZNumber X */ + private static final int HEADER_SIZE = 128; /** * Constructs an ICC_Profile object with a given ID. 
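Review bot: The `/* REMIND - is NAMEDCOLOR OK? */` comment above the rewritten condition in the ICC_ColorSpace constructor is now the only explanation for a list that has grown to seven accepted classes, and nothing says why CLASS_DEVICELINK was added. Replace it with a comment that states the intent, for example `/* All profile classes defined in ICC_Profile are accepted, including device links. */`, once the author confirms that this is the intent. If getProfileClass() can only return these seven constants, which this hunk does not show, the condition can no longer be true and the check remains only as a safeguard; the comment should say so. The constructor body continues outside the hunk.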
@@ -773,6 +774,10 @@ public static ICC_Profile getInstance(byte[] data) { ProfileDataVerifier.verify(data); try { + byte[] theHeader = new byte[HEADER_SIZE]; + System.arraycopy(data, 0, theHeader, 0, HEADER_SIZE); + verifyHeader(theHeader); + p = CMSManager.getModule().loadProfile(data); } catch (CMMException c) { throw new IllegalArgumentException("Invalid ICC Profile Data"); @@ -1092,16 +1097,18 @@ public int getMinorVersion() { * @return One of the predefined profile class constants. */ public int getProfileClass() { - byte[] theHeader; - int theClassSig, theClass; ProfileDeferralInfo info = deferralInfo; if (info != null) { return info.profileClass; } - theHeader = getData(icSigHead); + byte[] theHeader = getData(icSigHead); + return getProfileClass(theHeader); + } + private static int getProfileClass(byte[] theHeader) { + int theClassSig, theClass; theClassSig = intFromBigEndian (theHeader, icHdrDeviceClass); switch (theClassSig) { @@ -1171,6 +1178,11 @@ static int getColorSpaceType(Profile p) { return theColorSpace; } + private static int getColorSpaceType(byte[] theHeader) { + int theColorSpaceSig = intFromBigEndian(theHeader, icHdrColorSpace); + return iccCStoJCS(theColorSpaceSig); + } + /** * Returns the color space type of the Profile Connection Space (PCS). * Returns one of the color space type constants defined by the 
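Review bot: In getInstance(byte[]) the header is verified on a private copy, but `loadProfile(data)` is then called with the caller's array, so the bytes that were checked are not guaranteed to be the bytes that are loaded if the caller changes `data` concurrently (unless loadProfile copies the array itself, which is not visible here). Taking one snapshot and using it for both steps closes that gap: `byte[] copy = data.clone(); verifyHeader(copy); p = CMSManager.getModule().loadProfile(copy);`, with ProfileDataVerifier.verify on the line above the `try` given the same snapshot. If the 128-byte copy is kept instead, note that `System.arraycopy` throws ArrayIndexOutOfBoundsException rather than IllegalArgumentException when `data` is shorter than HEADER_SIZE, unless ProfileDataVerifier.verify already rejects such input. The `try` block and the rest of the method continue outside the hunk.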
@@ -1200,6 +1212,29 @@ static int getPCSType(Profile p) { } + private static int getPCSType(byte[] theHeader) { + int thePCSSig = intFromBigEndian(theHeader, icHdrPcs); + int theDeviceClass = intFromBigEndian(theHeader, icHdrDeviceClass); + int thePCSType; + + if (theDeviceClass == icSigLinkClass) { + return iccCStoJCS(thePCSSig); + } else { + switch (thePCSSig) { + case icSigXYZData: + thePCSType = ColorSpace.TYPE_XYZ; + break; + case icSigLabData: + thePCSType = ColorSpace.TYPE_Lab; + break; + default: + throw new IllegalArgumentException("Unexpected PCS type"); + }; + } + + return thePCSType; + } + /** * Write this ICC_Profile to a file. * 
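Review bot: The new getPCSType(byte[]) reads two 4-byte fields from `theHeader` without checking its length and has no comment stating that precondition or that the method exists for header validation. A line such as `// Caller guarantees theHeader.length >= HEADER_SIZE; throws IllegalArgumentException for a PCS other than XYZ or Lab unless the profile is a device link` would make the contract explicit. The switch is closed with `};`, which leaves an empty statement, so the semicolon should be dropped. Returning directly from each case would also remove the `thePCSType` local and the `else` that follows a `return`.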
@@ -1324,12 +1359,49 @@ static byte[] getData(Profile p, int tagSignature) { * @see #getData */ public void setData(int tagSignature, byte[] tagData) { + if (tagSignature == ICC_Profile.icSigHead) { + verifyHeader(tagData); + } activate(); CMSManager.getModule().setTagData(cmmProfile, tagSignature, tagData); } + private static void verifyHeader(byte[] data) { + if (data == null || data.length < HEADER_SIZE) { + throw new IllegalArgumentException("Invalid header data"); + } + getProfileClass(data); + getColorSpaceType(data); + getPCSType(data); + checkRenderingIntent(data); + } + + private static boolean checkRenderingIntent(byte[] header) { + int index = ICC_Profile.icHdrRenderingIntent; + + /* According to ICC spec, only the least-significant 16 bits shall be + * used to encode the rendering intent. The most significant 16 bits + * shall be set to zero. Thus, we are ignoring two most significant + * bytes here. Please refer ICC Spec Document for more details. + */ + int renderingIntent = ((header[index+2] & 0xff) << 8) | + (header[index+3] & 0xff); + + switch (renderingIntent) { + case icPerceptual: + case icMediaRelativeColorimetric: + case icSaturation: + case icAbsoluteColorimetric: + break; + default: + throw new IllegalArgumentException("Unknown Rendering Intent"); + } + + return true; + } + /** * Sets the rendering intent of the profile. * This is used to select the proper transform from a profile that diff --git a/test/jdk/java/awt/color/ICC_Profile/ValidateICCHeaderData/ValidateICCHeaderData.java b/test/jdk/java/awt/color/ICC_Profile/ValidateICCHeaderData/ValidateICCHeaderData.java new file mode 100644 index 00000000000..28831a422b0 --- /dev/null +++ b/test/jdk/java/awt/color/ICC_Profile/ValidateICCHeaderData/ValidateICCHeaderData.java 
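Review bot: verifyHeader rejects only `data.length < HEADER_SIZE`, so `setData(icSigHead, tagData)` passes validation with an array longer than 128 bytes even though only the header fields are inspected. If a header tag must be exactly HEADER_SIZE bytes, `if (data == null || data.length != HEADER_SIZE)` is the tighter check; what the CMM does with a longer array is not visible in this hunk. checkRenderingIntent always returns `true` and verifyHeader discards the result, so the method can be `void`. The three getter calls in verifyHeader appear to be made only for the exception they throw on an unrecognised value, which deserves a comment such as `// Called for validation only: each throws IllegalArgumentException on an unknown value`. checkRenderingIntent also skips the two high-order bytes that its own comment says must be zero, so a header with non-zero bytes there is accepted; confirm that this leniency is intended.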
@@ -0,0 +1,261 @@ +/* + * Copyright (c) 2025, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +/* + * @test + * @bug 8337703 + * @summary To verify if ICC_Profile's setData() and getInstance() methods + * validate header data and throw IAE for invalid values. 
+ * @run main ValidateICCHeaderData + */ + +import java.awt.color.ColorSpace; +import java.awt.color.ICC_Profile; +import java.awt.image.BufferedImage; +import java.io.IOException; +import java.math.BigInteger; +import java.nio.ByteBuffer; + +public class ValidateICCHeaderData { + private static ICC_Profile profile; + + private static final boolean DEBUG = false; + private static final int VALID_HEADER_SIZE = 128; + private static final int HEADER_TAG = ICC_Profile.icSigHead; + private static final int PROFILE_CLASS_START_INDEX = ICC_Profile.icHdrDeviceClass; + private static final int COLOR_SPACE_START_INDEX = ICC_Profile.icHdrColorSpace; + private static final int RENDER_INTENT_START_INDEX = ICC_Profile.icHdrRenderingIntent; + private static final int PCS_START_INDEX = ICC_Profile.icHdrPcs; + + private static final int[] VALID_PROFILE_CLASS = new int[] { + ICC_Profile.icSigInputClass, ICC_Profile.icSigDisplayClass, + ICC_Profile.icSigOutputClass, ICC_Profile.icSigLinkClass, + ICC_Profile.icSigAbstractClass, ICC_Profile.icSigColorSpaceClass, + ICC_Profile.icSigNamedColorClass + }; + + private static final int[] VALID_COLOR_SPACE = new int[] { + ICC_Profile.icSigXYZData, ICC_Profile.icSigLabData, + ICC_Profile.icSigLuvData, ICC_Profile.icSigYCbCrData, + ICC_Profile.icSigYxyData, ICC_Profile.icSigRgbData, + ICC_Profile.icSigGrayData, ICC_Profile.icSigHsvData, + ICC_Profile.icSigHlsData, ICC_Profile.icSigCmykData, + ICC_Profile.icSigSpace2CLR, ICC_Profile.icSigSpace3CLR, + ICC_Profile.icSigSpace4CLR, ICC_Profile.icSigSpace5CLR, + ICC_Profile.icSigSpace6CLR, ICC_Profile.icSigSpace7CLR, + ICC_Profile.icSigSpace8CLR, ICC_Profile.icSigSpace9CLR, + ICC_Profile.icSigSpaceACLR, ICC_Profile.icSigSpaceBCLR, + ICC_Profile.icSigSpaceCCLR, ICC_Profile.icSigSpaceDCLR, + ICC_Profile.icSigSpaceECLR, ICC_Profile.icSigSpaceFCLR, + ICC_Profile.icSigCmyData + }; + + private static final int[] VALID_RENDER_INTENT = new int[] { + ICC_Profile.icPerceptual, 
ICC_Profile.icMediaRelativeColorimetric, + ICC_Profile.icSaturation, ICC_Profile.icAbsoluteColorimetric + }; + + private static void createCopyOfBuiltInProfile() { + ICC_Profile builtInProfile = ICC_Profile.getInstance(ColorSpace.CS_sRGB); + //copy of SRGB BuiltIn Profile that can be modified + //using ICC_Profile.setData() + profile = ICC_Profile.getInstance(builtInProfile.getData()); + } + + public static void main(String[] args) throws Exception { + createCopyOfBuiltInProfile(); + + System.out.println("CASE 1: Testing VALID Profile Classes ..."); + testValidHeaderData(VALID_PROFILE_CLASS, PROFILE_CLASS_START_INDEX, 4); + System.out.println("CASE 1: Passed \n"); + + // PCS field validation for Profile class != DEVICE_LINK + System.out.println("CASE 2: Testing VALID PCS Type" + + " for Profile class != DEVICE_LINK ..."); + testValidHeaderData(new int[] {ICC_Profile.icSigXYZData, ICC_Profile.icSigLabData}, + PCS_START_INDEX, 4); + System.out.println("CASE 2: Passed \n"); + + System.out.println("CASE 3: Testing INVALID PCS Type" + + " for Profile class != DEVICE_LINK ..."); + testInvalidHeaderData(ICC_Profile.icSigCmykData, PCS_START_INDEX, 4); + System.out.println("CASE 3: Passed \n"); + + System.out.println("CASE 4: Testing DEVICE LINK PROFILE CLASS ..."); + testValidHeaderData(new int[] {ICC_Profile.icSigLinkClass}, + PROFILE_CLASS_START_INDEX, 4); + //to check if instantiating BufferedImage with + //ICC_Profile device class = CLASS_DEVICELINK does not throw IAE. 
+ BufferedImage img = new BufferedImage(100, 100, + BufferedImage.TYPE_3BYTE_BGR); + System.out.println("CASE 4: Passed \n"); + + // PCS field validation for Profile class == DEVICE_LINK + System.out.println("CASE 5: Testing VALID PCS Type" + + " for Profile class == DEVICE_LINK ..."); + testValidHeaderData(VALID_COLOR_SPACE, PCS_START_INDEX, 4); + System.out.println("CASE 5: Passed \n"); + + System.out.println("CASE 6: Testing INVALID PCS Type" + + " for Profile class == DEVICE_LINK ..."); + //original icSigLabData = 0x4C616220 + int invalidSigLabData = 0x4C616221; + testInvalidHeaderData(invalidSigLabData, PCS_START_INDEX, 4); + System.out.println("CASE 6: Passed \n"); + + System.out.println("CASE 7: Testing VALID Color Spaces ..."); + testValidHeaderData(VALID_COLOR_SPACE, COLOR_SPACE_START_INDEX, 4); + System.out.println("CASE 7: Passed \n"); + + System.out.println("CASE 8: Testing VALID Rendering Intent ..."); + testValidHeaderData(VALID_RENDER_INTENT, RENDER_INTENT_START_INDEX, 4); + System.out.println("CASE 8: Passed \n"); + + System.out.println("CASE 9: Testing INVALID Profile Class ..."); + //original icSigInputClass = 0x73636E72 + int invalidSigInputClass = 0x73636E70; + testInvalidHeaderData(invalidSigInputClass, PROFILE_CLASS_START_INDEX, 4); + System.out.println("CASE 9: Passed \n"); + + System.out.println("CASE 10: Testing INVALID Color Space ..."); + //original icSigXYZData = 0x58595A20 + int invalidSigXYZData = 0x58595A21; + testInvalidHeaderData(invalidSigXYZData, COLOR_SPACE_START_INDEX, 4); + System.out.println("CASE 10: Passed \n"); + + System.out.println("CASE 11: Testing INVALID Rendering Intent ..."); + //valid rendering intent values are 0-3 + int invalidRenderIntent = 5; + testInvalidHeaderData(invalidRenderIntent, RENDER_INTENT_START_INDEX, 4); + System.out.println("CASE 11: Passed \n"); + + System.out.println("CASE 12: Testing INVALID Header Size ..."); + testInvalidHeaderSize(); + System.out.println("CASE 12: Passed \n"); + + 
System.out.println("CASE 13: Testing ICC_Profile.getInstance(..)" + + " with VALID profile data ..."); + testProfileCreation(true); + System.out.println("CASE 13: Passed \n"); + + System.out.println("CASE 14: Testing ICC_Profile.getInstance(..)" + + " with INVALID profile data ..."); + testProfileCreation(false); + System.out.println("CASE 14: Passed \n"); + + System.out.println("CASE 15: Testing Deserialization of ICC_Profile ..."); + testDeserialization(); + System.out.println("CASE 15: Passed \n"); + + System.out.println("Successfully completed testing all 15 cases. Test Passed !!"); + } + + private static void testValidHeaderData(int[] validData, int startIndex, + int fieldLength) { + for (int value : validData) { + setTag(value, startIndex, fieldLength); + } + } + + private static void testInvalidHeaderData(int invalidData, int startIndex, + int fieldLength) { + try { + setTag(invalidData, startIndex, fieldLength); + throw new RuntimeException("Test Failed ! Expected IAE NOT thrown"); + } catch (IllegalArgumentException iae) { + System.out.println("Expected IAE thrown: " + iae.getMessage()); + } + } + + private static void setTag(int value, int startIndex, int fieldLength) { + byte[] byteArray; + if (startIndex == RENDER_INTENT_START_INDEX) { + byteArray = ByteBuffer.allocate(4).putInt(value).array(); + } else { + BigInteger big = BigInteger.valueOf(value); + byteArray = (big.toByteArray()); + } + + if (DEBUG) { + System.out.print("Byte Array : "); + for (int i = 0; i < byteArray.length; i++) { + System.out.print(byteArray[i] + " "); + } + System.out.println("\n"); + } + + byte[] iccProfileHeaderData = profile.getData(HEADER_TAG); + System.arraycopy(byteArray, 0, iccProfileHeaderData, startIndex, fieldLength); + profile.setData(HEADER_TAG, iccProfileHeaderData); + } + + private static void testProfileCreation(boolean validCase) { + ICC_Profile builtInProfile = ICC_Profile.getInstance(ColorSpace.CS_GRAY); + byte[] profileData = builtInProfile.getData(); + + int 
validDeviceClass = ICC_Profile.icSigInputClass; + BigInteger big = BigInteger.valueOf(validDeviceClass); + //valid case set device class to 0x73636E72 (icSigInputClass) + //invalid case set device class to 0x00000000 + byte[] field = validCase ? big.toByteArray() + : ByteBuffer.allocate(4).putInt(0).array(); + System.arraycopy(field, 0, profileData, PROFILE_CLASS_START_INDEX, 4); + + try { + ICC_Profile.getInstance(profileData); + if (!validCase) { + throw new RuntimeException("Test Failed ! Expected IAE NOT thrown"); + } + } catch (IllegalArgumentException iae) { + if (!validCase) { + System.out.println("Expected IAE thrown: " + iae.getMessage()); + } else { + throw new RuntimeException("Unexpected IAE thrown"); + } + } + } + + private static void testInvalidHeaderSize() { + byte[] iccProfileHeaderData = profile.getData(HEADER_TAG); + byte[] invalidHeaderSize = new byte[VALID_HEADER_SIZE - 1]; + System.arraycopy(iccProfileHeaderData, 0, + invalidHeaderSize, 0, invalidHeaderSize.length); + try { + profile.setData(HEADER_TAG, invalidHeaderSize); + throw new RuntimeException("Test Failed ! Expected IAE NOT thrown"); + } catch (IllegalArgumentException iae) { + System.out.println("Expected IAE thrown: " + iae.getMessage()); + } + } + + private static void testDeserialization() throws IOException { + //invalidSRGB.icc is serialized on older version of JDK + //Upon deserialization, the invalid profile is expected to throw IAE + try { + ICC_Profile.getInstance("./invalidSRGB.icc"); + throw new RuntimeException("Test Failed ! Expected IAE NOT thrown"); + } catch (IllegalArgumentException iae) { + System.out.println("Expected IAE thrown: " + iae.getMessage()); + } + } +} 
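Review bot: setTag builds the field bytes with `BigInteger.valueOf(value).toByteArray()`, which returns the shortest two's-complement encoding, so any value whose top byte is zero yields fewer than four bytes and the following `System.arraycopy(..., fieldLength)` fails with an index exception instead of exercising the header validation. The rendering-intent branch already avoids this, and using `byteArray = ByteBuffer.allocate(4).putInt(value).array();` for every field removes the special case; testProfileCreation has the same pattern for its valid case. In CASE 4 the `new BufferedImage(...)` call does not reference `profile`, so it is not evident that it exercises a CLASS_DEVICELINK profile as its comment claims. The `@bug` tag names 8337703 while the commit subject says 8347377; confirm which id is meant.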
diff --git a/test/jdk/java/awt/color/ICC_Profile/ValidateICCHeaderData/invalidSRGB.icc b/test/jdk/java/awt/color/ICC_Profile/ValidateICCHeaderData/invalidSRGB.icc new file mode 100644 index 0000000000000000000000000000000000000000..1520dac1f1a0ce3511a636b9f0fb75c7b3026f8c GIT binary patch literal 6876 zcmeI1S5y?q8po@IU+(ln^{>DBPJPwgbx!@yzW|UKPhcme z!unw4@^Q9P3E`_$iAuB-!yUh#KqGyfm3-T;7<{2fz0 z41nlv06Kd9jzt^?ptA%3spstUl#K7=p#(QHAOKN71JXbqr~nP10}O#FumCo|5x4;_ z;0J=iM!*I!AQ7a1OppV1fqYO1O29!-1!_S9XacR^Ea(Im!Bubr+yVE&2zUy3U<$kj z^WXzmf*=SBks&H14JklskTzrpu^=nR5%Pe1pkOEriiWsQI+O$Lh6C6>vR#3hscf z!gt^impj=S?C^jk?wH;N2szRMab)foC4^R`RdDJ&F8O=azqs`H-=pb}7Iuo6bE=M<_ z+tJt2Bj_pg2Mh*7$1pLb7#B=1CJvL0DZ(7av|+AbhA@+u1uPaTjn&3lV!g28*feZD zwi0^^dl@^7ox*;^5pfDQL!1*X1johY;>vN&xE|avZW_0Q7sIRJ&GBA%4t^`X7~g>J z#^1wF;g<;F1SY|f;75of>>^YUS_#()PjpTUFQzVLFBUGgU94K{g4meYf;d&&K-^0_QM^dJS^Spx z3S*#PSRE~QgW|ktK_icqLi$ZjZ~ymfmEB+h}36k zMQKOrcIF-ZGgoM`W(c%*oPZEo9lU1+r&lpD$yLf-lbe&L%iGAu$(PCZ$j>TJ6|59u70MJYE4)&aP_$J{P^?hwQ=C^~D7h%5 zE7d6tDlI89mHm}-mD`k`sSs3HDp4wBD!nT6stT%}syV7Hs!!DLYAm%FwL@zCYK!Vj z^+5GK>YeH{Oev--GmF{69M>RgSZgF})N4G{#AvcK<24U!-q(V)jJ0C4s9^+o)uO_A@ zDJHEZv!<%1VWu^vV=NkL9jl0S(+q89XST!aqS+^N6Z16lv*v$T=vc&CG+WH9VXlc> z)39dJQrR-xvd)rcrDzpqb<~Pytz;c;U2pxuM#Y9>(`Ykot7#i&d&>5WoxWX)UAx_) zy}A81`zsEJgR?_{!=NL@(ciJk@wt<-Q?yfy)4a2>bGGvp7qpAJ%YK(JS20{uNSZ{D(bC`mghKZ%!Yo_sKQKE*wy zF%?SPklK|-<8RCZ=^E)jq)%j6WmIQ;%nZmpw?%vlcgw(5t*v{vPG>n~9nVH(v$K11 zlyY|EOl-5=R<|A69ofxEl&9*aG-Kcaq&{c&*b>b;eFzZGx_ZWrnomKT00Vi(>1$>67opO*JU?HepM zDLztyDdCok?zi55vQ)e@t90^!=Yftg#j=93_Xjr}yj5;gUVDgeDE$zx!lR1Bly8pAo&t0uLt#xhmw!+ik zbo%L6XTr{mo^?OldyaLk^}O2ons#b?K?l^awPU_Brjyqd+%=&O0V|ItGjf+V2|QZ67ol?6_xouj{_q{qCVPLp{UR!&e_TJh<`D z_2He7wIf5L{-ck^LdSTIIFDu?Cp>=pB;(1_)1Bk!@q%Y!&&r=Op4b1X`D+``gm-De zVPfEg?~A9C?8(=^rT+G1D(@xvW%;zibkmIC%*9!!+54~7znXfT^m=J7|9A1v9|QA2^HXnA-Y)-H^iKNSiT6hDdl%L%JpYjRVQI18qx8puEUdsG} z{ZjE&^K17v_iy9NiOb7EEg;kaLM#eFCg>