Issue metadata
Sign in to add a comment
|
Security: PDFium: Heap Buffer Overflow in CGifLZWDecoder::ClearTable
Reported by
stackexp...@gmail.com,
Jun 2 2016
|
||||||||||||||||||||||
Issue description
Security: PDFium: Heap Buffer Overflow in CGifLZWDecoder::ClearTable
VULNERABILITY DETAILS
This heap-buffer-overflow vulnerability was caused by the malformed gif file embedded in the PDF document. More specifically, this issue can be triggered by embedding a malformed gif file in the XFA component.
The latest dev version of chrome (52.0.2743.19 dev-m) was vulnerable to this issue.
---------------------------
Exception Information
---------------------------
(55ec.4258): Access violation - code c0000005 (!!! second chance !!!)
eax=00001007 ebx=00000100 ecx=00001007 edx=0962cfe0 esi=09692fd8 edi=0962cfe0
eip=00cf4403 esp=0034f880 ebp=0034f888 iopl=0 nv up ei ng nz na po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010283
pdfium_test!CGifLZWDecoder::ClearTable+0x53:
00cf4403 88848e0e100000 mov byte ptr [esi+ecx*4+100Eh],al ds:002b:09698002=??
---------------------------
Heap Information
---------------------------
0:000> !heap -p -a esi
address 09692fd8 found in
_DPH_HEAP_ROOT @ 3d1000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
a1137b8: 9692fd8 5024 - 9692000 7000
60d78e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
77621d4e ntdll!RtlDebugAllocateHeap+0x00000030
775db586 ntdll!RtlpAllocateHeap+0x000000c4
77583541 ntdll!RtlAllocateHeap+0x0000023a
00c9e67f pdfium_test!_malloc_base+0x00000038 [d:\th\minkernel\crts\ucrt\src\appcrt\heap\malloc_base.cpp @ 29]
00c7ff47 pdfium_test!operator new+0x0000002c [f:\dd\vctools\crt\vcstartup\src\heap\new_scalar.cpp @ 19]
00cf5590 pdfium_test!gif_load_frame+0x00000190 [core\fxcodec\lgif\fx_gif.cpp @ 887]
00cf1965 pdfium_test!CCodec_GifModule::LoadFrame+0x00000035 [core\fxcodec\codec\fx_codec_gif.cpp @ 146]
00ceded9 pdfium_test!CCodec_ProgressiveDecoder::ContinueDecode+0x00000219 [core\fxcodec\codec\fx_codec_progress.cpp @ 2119]
00b91b22 pdfium_test!XFA_LoadImageFromBuffer+0x000001b2 [xfa\fxfa\app\xfa_ffwidget.cpp @ 1107]
00b91927 pdfium_test!XFA_LoadImageData+0x00000277 [xfa\fxfa\app\xfa_ffwidget.cpp @ 1032]
00b8514b pdfium_test!CXFA_ImageLayoutData::LoadImageData+0x0000006b [xfa\fxfa\app\xfa_ffwidgetacc.cpp @ 96]
00b851b1 pdfium_test!CXFA_WidgetAcc::LoadImageImage+0x00000011 [xfa\fxfa\app\xfa_ffwidgetacc.cpp @ 1002]
00b7cfa8 pdfium_test!CXFA_FFPageWidgetIterator::MoveToNext+0x00000018 [xfa\fxfa\app\xfa_ffpageview.cpp @ 166]
009596b7 pdfium_test!CPDFSDK_Document::GetPageView+0x00000087 [fpdfsdk\fsdk_mgr.cpp @ 268]
0094e73e pdfium_test!FORM_OnAfterLoadPage+0x0000002e [fpdfsdk\fpdfformfill.cpp @ 642]
00945517 pdfium_test!RenderPage+0x00000047 [samples\pdfium_test.cc @ 498]
00945b02 pdfium_test!RenderPdf+0x00000302 [samples\pdfium_test.cc @ 694]
0094bb1e pdfium_test!main+0x0000042e [samples\pdfium_test.cc @ 836]
00c805d6 pdfium_test!__scrt_common_main_seh+0x000000ff [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 264]
7528338a kernel32!BaseThreadInitThunk+0x0000000e
77589a02 ntdll!__RtlUserThreadStart+0x00000070
775899d5 ntdll!_RtlUserThreadStart+0x0000001b
---------------------------
Overflow Information
---------------------------
void CGifLZWDecoder::ClearTable() {
code_size_cur = code_size + 1;
code_next = code_end + 1;
code_old = (uint16_t)-1;
FXSYS_memset(code_table, 0, sizeof(tag_Table) * GIF_MAX_LZW_CODE);
FXSYS_memset(stack, 0, GIF_MAX_LZW_CODE);
for (uint16_t i = 0; i < code_clear; i++) {
code_table[i].suffix = (uint8_t)i;
}
}
Here the value of |code_clear| was 0x4000. In other words, the overflow size can be very large (0x2ff9 bytes).
0:000> u eip
pdfium_test!CGifLZWDecoder::ClearTable+0x53 [core\fxcodec\lgif\fx_gif.cpp @ 37]:
00cf4403 88848e0e100000 mov byte ptr [esi+ecx*4+100Eh],al
00cf440a 40 inc eax
00cf440b 663b4602 cmp ax,word ptr [esi+2] ; <-------- i < code_clear ?
00cf440f 72ef jb pdfium_test!CGifLZWDecoder::ClearTable+0x50 (00cf4400)
00cf4411 5e pop esi
00cf4412 c3 ret
00cf4413 cc int 3
00cf4414 cc int 3
$$ code_clear
0:000> dw esi+2 L1
09692fda 4000
$$ i
0:000> r eax
eax=00001007
$$ overflow size
0:000> ?4000-1007
Evaluate expression: 12281 = 00002ff9
---------------------------
Stacktrace Information
---------------------------
0:000> k
ChildEBP RetAddr
0034f880 00cf4883 pdfium_test!CGifLZWDecoder::ClearTable+0x53 [core\fxcodec\lgif\fx_gif.cpp @ 37]
0034f888 00cf55b6 pdfium_test!CGifLZWDecoder::InitTable+0x53 [core\fxcodec\lgif\fx_gif.cpp @ 29]
0034f8b0 00cf1965 pdfium_test!gif_load_frame+0x1b6 [core\fxcodec\lgif\fx_gif.cpp @ 894]
0034f8d4 00ceded9 pdfium_test!CCodec_GifModule::LoadFrame+0x35 [core\fxcodec\codec\fx_codec_gif.cpp @ 146]
0034f918 00b91b22 pdfium_test!CCodec_ProgressiveDecoder::ContinueDecode+0x219 [core\fxcodec\codec\fx_codec_progress.cpp @ 2119]
0034f980 00b91927 pdfium_test!XFA_LoadImageFromBuffer+0x1b2 [xfa\fxfa\app\xfa_ffwidget.cpp @ 1107]
0034f9d8 00b8514b pdfium_test!XFA_LoadImageData+0x277 [xfa\fxfa\app\xfa_ffwidget.cpp @ 1032]
0034fa0c 00b851b1 pdfium_test!CXFA_ImageLayoutData::LoadImageData+0x6b [xfa\fxfa\app\xfa_ffwidgetacc.cpp @ 96]
0034fa18 00c0a488 pdfium_test!CXFA_WidgetAcc::LoadImageImage+0x11 [xfa\fxfa\app\xfa_ffwidgetacc.cpp @ 1002]
0034fa20 00b7cd83 pdfium_test!CXFA_FFImage::LoadWidget+0x28 [xfa\fxfa\app\xfa_ffimage.cpp @ 28]
0034fa34 00b7cfa8 pdfium_test!CXFA_FFPageWidgetIterator::GetWidget+0x83 [xfa\fxfa\app\xfa_ffpageview.cpp @ 198]
0034fa44 00959f4d pdfium_test!CXFA_FFPageWidgetIterator::MoveToNext+0x18 [xfa\fxfa\app\xfa_ffpageview.cpp @ 166]
0034fa74 009596b7 pdfium_test!CPDFSDK_PageView::LoadFXAnnots+0x8d [fpdfsdk\fsdk_mgr.cpp @ 921]
0034fa88 0094e73e pdfium_test!CPDFSDK_Document::GetPageView+0x87 [fpdfsdk\fsdk_mgr.cpp @ 268]
(Inline) -------- pdfium_test!?A0x06ce08b4::FormHandleToPageView+0x2a [fpdfsdk\fpdfformfill.cpp @ 45]
0034fa9c 00945517 pdfium_test!FORM_OnAfterLoadPage+0x2e [fpdfsdk\fpdfformfill.cpp @ 642]
0034fb90 00945b02 pdfium_test!RenderPage+0x47 [samples\pdfium_test.cc @ 498]
0034fcac 0094bb1e pdfium_test!RenderPdf+0x302 [samples\pdfium_test.cc @ 694]
0034fde8 00c805d6 pdfium_test!main+0x42e [samples\pdfium_test.cc @ 836]
(Inline) -------- pdfium_test!invoke_main+0x1d [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 74]
0034fe34 7528338a pdfium_test!__scrt_common_main_seh+0xff [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 264]
0034fe40 77589a02 kernel32!BaseThreadInitThunk+0xe
0034fe80 775899d5 ntdll!__RtlUserThreadStart+0x70
0034fe98 00000000 ntdll!_RtlUserThreadStart+0x1b
---------------------------
PoC Diff
---------------------------
I've tried to do some difference reduction work. But there were too many changes between the original gif file and the mutated gif file.
VERSION
Chrome Version: [52.0.2743.19] + [dev]
Operating System: [Windows 7 SP1]
REPRODUCTION CASE
Both the original normal gif file, the malformed gif file, and the proof-of-concept PDF file were attached.
FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: [tab]
,
Jun 2 2016
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=6045287542161408
,
Jun 2 2016
,
Jun 3 2016
This time I will attach the minimized proof-of-concept files. The difference between the seed image and proof-of-concept image has been reduced to one byte. The 35th byte of the gif image was changed from 0x02 to 0x0F. This mutation could crash pdfium.
---------
SEED
---------
struct Gif.Data.ImageData {
UBYTE LZWMinimumCodeSize; // 0x02
struct DATASUBBLOCKS DataSubBlocks { ... }
}
---------
POC
---------
struct Gif.Data.ImageData {
UBYTE LZWMinimumCodeSize; // 0x0F <----------------
struct DATASUBBLOCKS DataSubBlocks { ... }
}
To conclude, the value of |LZWMinimumCodeSize| variable was changed from 0x02 to 0x0F.
,
Jun 3 2016
Thanks for the report! (Well, set of reports!) ochang@, could you PTAL? I see you've worked on pdfium bugs before.
,
Jun 3 2016
,
Jun 3 2016
,
Jun 3 2016
hong_zhang, could you please route this security bug to the appropriate person? thanks.
,
Jun 4 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jun 8 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6045287542161408 Uploader: felt@google.com Job Type: linux_asan_chrome_mp Platform Id: linux Crash Type: Heap-buffer-overflow WRITE 1 Crash Address: 0x62a000089232 Crash State: gif_load_frame CCodec_GifModule::LoadFrame CCodec_ProgressiveDecoder::ContinueDecode Recommended Security Severity: High Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=393856:393893 Minimized Testcase (18.02 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95pHFVr7BLekGnp8oh7nYAhFenXHXp0bk46NeN9lVcehnmqX3Kf5lc8RnIlDDYzpAaMLtfJWqlfwEaYLKX2yw20JFmE2reWNopskvyZeyyLoGJrys1yc5HPw6quQ1qjPuGnV962rMsbSJ5FQdcLVs-Tu27EPR2RfSYdRDHQmjHyDw9Vp7Y See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Jun 10 2016
ClusterFuzz has detected this issue as fixed in range 399086:399117. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6045287542161408 Uploader: felt@google.com Job Type: linux_asan_chrome_mp Platform Id: linux Crash Type: Heap-buffer-overflow WRITE 1 Crash Address: 0x62a000089232 Crash State: gif_load_frame CCodec_GifModule::LoadFrame CCodec_ProgressiveDecoder::ContinueDecode Recommended Security Severity: High Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=393856:393893 Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=399086:399117 Minimized Testcase (18.02 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95pHFVr7BLekGnp8oh7nYAhFenXHXp0bk46NeN9lVcehnmqX3Kf5lc8RnIlDDYzpAaMLtfJWqlfwEaYLKX2yw20JFmE2reWNopskvyZeyyLoGJrys1yc5HPw6quQ1qjPuGnV962rMsbSJ5FQdcLVs-Tu27EPR2RfSYdRDHQmjHyDw9Vp7Y See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jun 10 2016
ClusterFuzz has detected this issue as fixed in range 399086:399117. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6045287542161408 Uploader: felt@google.com Job Type: linux_asan_chrome_mp Platform Id: linux Crash Type: Heap-buffer-overflow WRITE 1 Crash Address: 0x62a000089232 Crash State: gif_load_frame CCodec_GifModule::LoadFrame CCodec_ProgressiveDecoder::ContinueDecode Recommended Security Severity: High Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=393856:393893 Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=399086:399117 Minimized Testcase (18.02 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95pHFVr7BLekGnp8oh7nYAhFenXHXp0bk46NeN9lVcehnmqX3Kf5lc8RnIlDDYzpAaMLtfJWqlfwEaYLKX2yw20JFmE2reWNopskvyZeyyLoGJrys1yc5HPw6quQ1qjPuGnV962rMsbSJ5FQdcLVs-Tu27EPR2RfSYdRDHQmjHyDw9Vp7Y See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jun 13 2016
,
Jun 13 2016
Hi ochang@, could you have a look at Issue 619405 please? It's a OpenJPEG heap buffer overflow problem. Thanks.
,
Jun 13 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Jun 14 2016
,
Jun 14 2016
Sorry for the incorrect ClusterFuzz update, please ignore it. Reopening bug.
,
Jun 15 2016
[Bulk edit] Per inferno@, Security_Impact=None bugs should not be release blockers.
,
Jun 15 2016
,
Jun 16 2016
,
Jun 28 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5525684273545216 Fuzzer: libfuzzer_pdf_codec_gif_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: Heap-buffer-overflow WRITE 1 Crash Address: 0x62a000005232 Crash State: ClearTable InitTable gif_load_frame Recommended Security Severity: High Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=398366:399171 Minimized Testcase (0.04 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95ISEZK7XOlm0B3vMqtVHxlc2Q6MbEpb7HxtNUHvgdhfwlF1cYumE7V9hFSYnUkkdqOYI4z9J2yqURJAKfC0uv5d3RwC3GJWq3AZH5MMZFkSlHw3laXeVSTYVqInLkJyGAvBam30akq9_NXkowJLspjWU85YQ?testcase_id=5525684273545216 Filer: tanin See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
,
Jul 31 2016
ClusterFuzz has detected this issue as fixed in range 408652:408744. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5525684273545216 Fuzzer: libfuzzer_pdf_codec_gif_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: Heap-buffer-overflow WRITE 1 Crash Address: 0x62a000005232 Crash State: ClearTable InitTable gif_load_frame Recommended Security Severity: High Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=398366:399171 Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=408652:408744 Minimized Testcase (0.04 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95ISEZK7XOlm0B3vMqtVHxlc2Q6MbEpb7HxtNUHvgdhfwlF1cYumE7V9hFSYnUkkdqOYI4z9J2yqURJAKfC0uv5d3RwC3GJWq3AZH5MMZFkSlHw3laXeVSTYVqInLkJyGAvBam30akq9_NXkowJLspjWU85YQ?testcase_id=5525684273545216 See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Aug 2 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6631310993129472 Fuzzer: pdf_codec_gif_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: Heap-buffer-overflow WRITE 1 Crash Address: 0x62a000005232 Crash State: ClearTable InitTable gif_load_frame Recommended Security Severity: High Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=409041:409082 Minimized Testcase (0.04 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95mTbCcjyFpdlHMBjywCV9avcnofQHMIC9tRIdAq0lsqM7j6wntSHr9UmLKYK4Lz1gLEZ3_d3MmOjTgBaSRCbQyGkygaqwLy18A3skPPUYBA6T8fYz0qgAZtA9xknAH-vYfBKO5ubpFnB0ozMCK7qKNZKyByw?testcase_id=6631310993129472 Filer: tanin See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
,
Oct 7 2016
ClusterFuzz has detected this issue as fixed in range 423381:423433. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6631310993129472 Fuzzer: pdf_codec_gif_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: Heap-buffer-overflow WRITE 1 Crash Address: 0x62a000005232 Crash State: ClearTable InitTable gif_load_frame Recommended Security Severity: High Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=409041:409082 Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=423381:423433 Minimized Testcase (0.04 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95mTbCcjyFpdlHMBjywCV9avcnofQHMIC9tRIdAq0lsqM7j6wntSHr9UmLKYK4Lz1gLEZ3_d3MmOjTgBaSRCbQyGkygaqwLy18A3skPPUYBA6T8fYz0qgAZtA9xknAH-vYfBKO5ubpFnB0ozMCK7qKNZKyByw?testcase_id=6631310993129472 See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Oct 8 2016
Kindly reminder: this issue is still reproducible.
,
Oct 12 2016
Issue 655126 has been merged into this issue.
,
Oct 14 2016
,
Oct 16 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5267529318793216 Fuzzer: afl_pdf_codec_gif_fuzzer Job Type: afl_chrome_asan Platform Id: linux Crash Type: Heap-buffer-overflow WRITE 1 Crash Address: 0x62a000005232 Crash State: ClearTable InitTable gif_load_frame Recommended Security Severity: Medium Regressed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=402185:402404 Minimized Testcase (0.37 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97pkFicy_djFXhjBVIS0GPPi5sjrwLTdIxPTQRBpOFiyDqpeKvVXX0SaK7-MtQOxH4iX19f6EtOa4cVmpv93Z1ramJnJvipCsumYZWUWk75vnTDxEmpdezql6aFnqj3O4q9eoJ8bDyZ1TLF6xAmIw6IFX3qxQ?testcase_id=5267529318793216 Additional requirements: Requires Gestures See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
,
Nov 7 2016
Issue 662727 has been merged into this issue.
,
Jan 11 2017
ClusterFuzz has detected this issue as fixed in range 442647:442714. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5267529318793216 Fuzzer: afl_pdf_codec_gif_fuzzer Job Type: afl_chrome_asan Platform Id: linux Crash Type: Heap-buffer-overflow WRITE 1 Crash Address: 0x62a000005232 Crash State: ClearTable InitTable gif_load_frame Sanitizer: address (ASAN) Recommended Security Severity: Medium Regressed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=402185:402404 Fixed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=442647:442714 Minimized Testcase (0.37 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97pkFicy_djFXhjBVIS0GPPi5sjrwLTdIxPTQRBpOFiyDqpeKvVXX0SaK7-MtQOxH4iX19f6EtOa4cVmpv93Z1ramJnJvipCsumYZWUWk75vnTDxEmpdezql6aFnqj3O4q9eoJ8bDyZ1TLF6xAmIw6IFX3qxQ?testcase_id=5267529318793216 Additional requirements: Requires Gestures See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Mar 16 2017
,
Mar 29 2017
,
Aug 29 2017
,
Oct 24 2017
For more information, please see https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md. The link referenced in the description is no longer valid. (bulk edit)
,
Jan 29 2018
The Detect fix is likely from a major rewrite I did of the GIF code
,
May 8 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 Deleted