Out-of-bounds write in AST parser #104016

guidovranken · 2023-04-30T16:36:48Z

Crash report

Reported by OSS-Fuzz (issue 58510).

Reproducer:

import ast
ast.parse(bytes([
  0x46, 0x22, 0x76, 0x76, 0x3a, 0x6f, 0x72, 0x3a, 0x2d, 0x7b, 0x22, 0x7b,
  0x22, 0x46, 0x22, 0x76, 0x3a, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22,
  0x77, 0x72, 0x3a, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a,
  0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x78, 0x3a, 0x77, 0x76, 0x3a,
  0x3a, 0x20, 0x73, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a,
  0x2e, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2d, 0x7b, 0x22,
  0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73,
  0x61, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x2d, 0x7b, 0x22, 0x7b, 0x22,
  0x46, 0x22, 0x76, 0x3a, 0x2e, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76,
  0x3a, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x77, 0x76,
  0x3a, 0x3a, 0x20, 0x73, 0x61, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x2d,
  0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2e, 0x7b, 0x22, 0x7b,
  0x22, 0x46, 0x22, 0x76, 0x3a, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22,
  0x76, 0x3a, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x61, 0x77, 0x76, 0x3a,
  0x3a, 0x20, 0x73, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a,
  0x2e, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2d, 0x7b, 0x22,
  0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73,
  0x61, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x2d, 0x7b, 0x22, 0x7b, 0x22,
  0x46, 0x22, 0x76, 0x3a, 0x2e, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76,
  0x3a, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x77, 0x76,
  0x3a, 0x3a, 0x20, 0x73, 0x61, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x2d,
  0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2e, 0x7b, 0x22, 0x7b,
  0x22, 0x46, 0x22, 0x76, 0x3a, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22,
  0x76, 0x3a, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x61, 0x77, 0x76, 0x3a,
  0x3a, 0x20, 0x73, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a,
  0x2e, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2d, 0x7b, 0x22,
  0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73,
  0x61, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x2d, 0x7b, 0x22, 0x7b, 0x22,
  0x46, 0x22, 0x76, 0x3a, 0x2e, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76,
  0x3a, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x77, 0x76,
  0x3a, 0x3a, 0x20, 0x73, 0x61, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x2d,
  0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2e, 0x7b, 0x22, 0x7b,
  0x22, 0x46, 0x22, 0x76, 0x3a, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22,
  0x76, 0x3a, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x61, 0x77, 0x76, 0x3a,
  0x3a, 0x20, 0x73, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a,
  0x2e, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2d, 0x7b, 0x22,
  0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73,
  0x61, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x2d, 0x7b, 0x22, 0x7b, 0x22,
  0x46, 0x22, 0x76, 0x3a, 0x2e, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76,
  0x3a, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x77, 0x76,
  0x3a, 0x3a, 0x20, 0x73, 0x61, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x2d,
  0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2e, 0x7b, 0x22, 0x7b,
  0x22, 0x46, 0x22, 0x76, 0x3a, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22,
  0x76, 0x3a, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x61, 0x77, 0x76, 0x3a,
  0x3a, 0x20, 0x73, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a,
  0x2e, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2d, 0x7b, 0x22,
  0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73,
  0x61, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x2d, 0x7b, 0x22, 0x7b, 0x22,
  0x46, 0x22, 0x76, 0x3a, 0x2e, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76,
  0x3a, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x77, 0x76,
  0x3a, 0x3a, 0x20, 0x73, 0x61, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x2d,
  0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2e, 0x7b, 0x22, 0x7b,
  0x22, 0x46, 0x22, 0x76, 0x3a, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22,
  0x76, 0x3a, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x61, 0x77, 0x76, 0x3a,
  0x3a, 0x20, 0x73, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a,
  0x2e, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2d, 0x7b, 0x22,
  0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73,
  0x61, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x2d, 0x7b, 0x22, 0x7b, 0x22,
  0x46, 0x22, 0x76, 0x3a, 0x2e, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76,
  0x3a, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x77, 0x76,
  0x3a, 0x3a, 0x20, 0x73, 0x61, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x2d,
  0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2e, 0x7b, 0x22, 0x7b,
  0x22, 0x46, 0x22, 0x76, 0x3a, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22,
  0x76, 0x3a, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x61, 0x77, 0x76, 0x3a,
  0x3a, 0x20, 0x73, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a,
  0x2e, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2d, 0x7b, 0x22,
  0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73,
  0x61, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x2d, 0x7b, 0x22, 0x7b, 0x22,
  0x46, 0x22, 0x76, 0x3a, 0x2e, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76,
  0x3a, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x77, 0x76,
  0x3a, 0x3a, 0x20, 0x73, 0x61, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x2d,
  0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2e, 0x7b, 0x22, 0x7b,
  0x22, 0x46, 0x22, 0x76, 0x3a, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22,
  0x76, 0x3a, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x61, 0x77, 0x76, 0x3a,
  0x3a, 0x20, 0x73, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a,
  0x2e, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2d, 0x7b, 0x22,
  0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73,
  0x61, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x2d, 0x7b, 0x22, 0x7b, 0x22,
  0x46, 0x22, 0x76, 0x3a, 0x2e, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76,
  0x3a, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x77, 0x76,
  0x3a, 0x3a, 0x20, 0x73, 0x61, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x2d,
  0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2e, 0x7b, 0x22, 0x7b,
  0x22, 0x46, 0x22, 0x76, 0x3a, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22,
  0x76, 0x3a, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x61, 0x77, 0x76, 0x3a,
  0x3a, 0x20, 0x73, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a,
  0x2e, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2d, 0x7b, 0x22,
  0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73,
  0x61, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x2d, 0x7b, 0x22, 0x7b, 0x22,
  0x46, 0x22, 0x76, 0x3a, 0x2e, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76,
  0x3a, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x77, 0x76,
  0x3a, 0x3a, 0x20, 0x73, 0x61, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x2d,
  0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2e, 0x7b, 0x22, 0x7b,
  0x22, 0x46, 0x22, 0x76, 0x3a, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22,
  0x76, 0x3a, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x61, 0x77, 0x76, 0x3a,
  0x3a, 0x20, 0x73, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a,
  0x2e, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2d, 0x7b, 0x22,
  0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73,
  0x61, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x2d, 0x7b, 0x22, 0x7b, 0x22,
  0x46, 0x22, 0x76, 0x3a, 0x2e, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76,
  0x3a, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x77, 0x76,
  0x3a, 0x3a, 0x20, 0x73, 0x61, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x2d,
  0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2e, 0x7b, 0x22, 0x7b,
  0x22, 0x46, 0x22, 0x76, 0x3a, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22,
  0x76, 0x3a, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x61, 0x77, 0x76, 0x3a,
  0x3a, 0x20, 0x73, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a,
  0x2e, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2d, 0x7b, 0x22,
  0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73,
  0x61, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x2d, 0x7b, 0x22, 0x7b, 0x22,
  0x46, 0x22, 0x76, 0x3a, 0x2e, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76,
  0x3a, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x77, 0x76,
  0x3a, 0x3a, 0x20, 0x73, 0x61, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x2d,
  0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2e, 0x7b, 0x22, 0x7b,
  0x22, 0x46, 0x22, 0x76, 0x3a, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22,
  0x76, 0x3a, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x61, 0x77, 0x76, 0x3a,
  0x3a, 0x20, 0x73, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a,
  0x2e, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2d, 0x7b, 0x22,
  0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73,
  0x61, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x2d, 0x7b, 0x22, 0x7b, 0x22,
  0x46, 0x22, 0x76, 0x3a, 0x2e, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76,
  0x3a, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x77, 0x76,
  0x3a, 0x3a, 0x20, 0x73, 0x61, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x2d,
  0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2e, 0x7b, 0x22, 0x7b,
  0x22, 0x46, 0x22, 0x76, 0x3a, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22,
  0x76, 0x3a, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x61, 0x77, 0x76, 0x3a,
  0x3a, 0x20, 0x73, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a,
  0x2e, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2d, 0x7b, 0x22,
  0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73,
  0x61, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x2d, 0x7b, 0x22, 0x7b, 0x22,
  0x46, 0x22, 0x76, 0x3a, 0x2e, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76,
  0x3a, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x77, 0x76,
  0x3a, 0x3a, 0x20, 0x73, 0x61, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x2d,
  0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2e, 0x7b, 0x22, 0x7b,
  0x22, 0x46, 0x22, 0x76, 0x3a, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22,
  0x76, 0x3a, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x61, 0x77, 0x76, 0x3a,
  0x3a, 0x20, 0x73, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a,
  0x2e, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2d, 0x7b, 0x22,
  0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73,
  0x61, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x2d, 0x7b, 0x22, 0x7b, 0x22,
  0x46, 0x22, 0x76, 0x3a, 0x2e, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76,
  0x3a, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x77, 0x76,
  0x3a, 0x3a, 0x20, 0x73, 0x61, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x2d,
  0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2e, 0x7b, 0x22, 0x7b,
  0x22, 0x46, 0x22, 0x76, 0x3a, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22,
  0x76, 0x3a, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x61, 0x77, 0x76, 0x3a,
  0x3a, 0x20, 0x73, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a,
  0x2e, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2d, 0x7b, 0x22,
  0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73,
  0x61, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x2d, 0x7b, 0x22, 0x7b, 0x22,
  0x46, 0x22, 0x76, 0x3a, 0x2e, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76,
  0x3a, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x77, 0x76,
  0x3a, 0x3a, 0x20, 0x73, 0x61, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x2d,
  0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2e, 0x7b, 0x22, 0x7b,
  0x22, 0x46, 0x22, 0x76, 0x3a, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22,
  0x76, 0x3a, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x61, 0x77, 0x76, 0x3a,
  0x3a, 0x20, 0x73, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a,
  0x2e, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2d, 0x7b, 0x22,
  0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73,
  0x61, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x2d, 0x7b, 0x22, 0x7b, 0x22,
  0x46, 0x22, 0x76, 0x3a, 0x2e, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76,
  0x3a, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x77, 0x76,
  0x3a, 0x3a, 0x20, 0x73, 0x61, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x2d,
  0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x7b, 0x22, 0x46, 0x22, 0x76,
  0x3a, 0x2e, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2d, 0x7b,
  0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x77, 0x76, 0x3a, 0x3a, 0x20,
  0x73, 0x61, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x2d, 0x7b, 0x22, 0x7b,
  0x22, 0x46, 0x22, 0x76, 0x3a, 0x2e, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22,
  0x76, 0x3a, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x77,
  0x76, 0x3a, 0x3a, 0x20, 0x73, 0x61, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73,
  0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2e, 0x7b, 0x22,
  0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46,
  0x22, 0x76, 0x3a, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x61, 0x77, 0x76,
  0x3a, 0x3a, 0x20, 0x73, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76,
  0x3a, 0x2e, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2d, 0x7b,
  0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x77, 0x76, 0x3a, 0x3a, 0x20,
  0x73, 0x61, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x2d, 0x7b, 0x22, 0x7b,
  0x22, 0x46, 0x22, 0x76, 0x3a, 0x2e, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22,
  0x76, 0x3a, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x77,
  0x76, 0x3a, 0x3a, 0x20, 0x73, 0x61, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73,
  0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2e, 0x7b, 0x22,
  0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46,
  0x22, 0x76, 0x3a, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x61, 0x77, 0x76,
  0x3a, 0x3a, 0x20, 0x73, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76,
  0x3a, 0x2e, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2d, 0x7b,
  0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x77, 0x76, 0x3a, 0x3a, 0x20,
  0x73, 0x61, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x2d, 0x7b, 0x22, 0x7b,
  0x22, 0x46, 0x22, 0x76, 0x3a, 0x2e, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22,
  0x76, 0x3a, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x77,
  0x76, 0x3a, 0x3a, 0x20, 0x73, 0x61, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73,
  0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2e, 0x7b, 0x22,
  0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46,
  0x22, 0x76, 0x3a, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x61, 0x77, 0x76,
  0x3a, 0x3a, 0x20, 0x73, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76,
  0x3a, 0x2e, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2d, 0x7b,
  0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x77, 0x76, 0x3a, 0x3a, 0x20,
  0x73, 0x61, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x2d, 0x7b, 0x22, 0x7b,
  0x22, 0x46, 0x22, 0x76, 0x3a, 0x2e, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22,
  0x76, 0x3a, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x77,
  0x76, 0x3a, 0x3a, 0x20, 0x73, 0x61, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73,
  0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2e, 0x7b, 0x22,
  0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46,
  0x22, 0x76, 0x3a, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x61, 0x77, 0x76,
  0x3a, 0x3a, 0x20, 0x73, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76,
  0x3a, 0x2e, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2d, 0x7b,
  0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x77, 0x76, 0x3a, 0x3a, 0x20,
  0x73, 0x61, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x2d, 0x7b, 0x22, 0x7b,
  0x22, 0x46, 0x22, 0x76, 0x3a, 0x2e, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22,
  0x76, 0x3a, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x77,
  0x76, 0x3a, 0x3a, 0x20, 0x73, 0x61, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73,
  0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2e, 0x7b, 0x22,
  0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46,
  0x22, 0x76, 0x3a, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x61, 0x77, 0x76,
  0x3a, 0x3a, 0x20, 0x73, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76,
  0x3a, 0x2e, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2d, 0x7b,
  0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x77, 0x76, 0x3a, 0x3a, 0x20,
  0x73, 0x61, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x2d, 0x7b, 0x22, 0x7b,
  0x22, 0x46, 0x22, 0x76, 0x3a, 0x2e, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22,
  0x76, 0x3a, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x77,
  0x76, 0x3a, 0x3a, 0x20, 0x73, 0x61, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73,
  0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2e, 0x7b, 0x22,
  0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46,
  0x22, 0x76, 0x3a, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x61, 0x77, 0x76,
  0x3a, 0x3a, 0x20, 0x73, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76,
  0x3a, 0x2e, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2d, 0x7b,
  0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x77, 0x76, 0x3a, 0x3a, 0x20,
  0x73, 0x61, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x2d, 0x7b, 0x22, 0x7b,
  0x22, 0x46, 0x22, 0x76, 0x3a, 0x2e, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22,
  0x76, 0x3a, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x77,
  0x76, 0x3a, 0x3a, 0x20, 0x73, 0x61, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73,
  0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2e, 0x7b, 0x22,
  0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46,
  0x22, 0x76, 0x3a, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x61, 0x77, 0x76,
  0x3a, 0x3a, 0x20, 0x73, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76,
  0x3a, 0x2e, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2d, 0x7b,
  0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x77, 0x76, 0x3a, 0x3a, 0x20,
  0x73, 0x61, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x2d, 0x7b, 0x22, 0x7b,
  0x22, 0x46, 0x22, 0x76, 0x3a, 0x2e, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22,
  0x76, 0x3a, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x77,
  0x76, 0x3a, 0x3a, 0x20, 0x73, 0x61, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73,
  0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2e, 0x7b, 0x22,
  0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46,
  0x22, 0x76, 0x3a, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x61, 0x77, 0x76,
  0x3a, 0x3a, 0x20, 0x73, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76,
  0x3a, 0x2e, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2d, 0x7b,
  0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x77, 0x76, 0x3a, 0x3a, 0x20,
  0x73, 0x61, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x2d, 0x7b, 0x22, 0x7b,
  0x22, 0x46, 0x22, 0x76, 0x3a, 0x2e, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22,
  0x76, 0x3a, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x77,
  0x76, 0x3a, 0x3a, 0x20, 0x73, 0x61, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73,
  0x3a, 0x2e, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2d, 0x7b,
  0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x77, 0x76, 0x3a, 0x3a, 0x20,
  0x73, 0x61, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x2d, 0x7b, 0x22, 0x7b,
  0x22, 0x46, 0x22, 0x76, 0x3a, 0x2e, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22,
  0x76, 0x3a, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x77,
  0x76, 0x3a, 0x3a, 0x20, 0x73, 0x61, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73,
  0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2e, 0x7b, 0x22,
  0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46,
  0x22, 0x76, 0x3a, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x61, 0x77, 0x76,
  0x3a, 0x3a, 0x20, 0x73, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76,
  0x3a, 0x2e, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2d, 0x7b,
  0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x77, 0x76, 0x3a, 0x3a, 0x20,
  0x73, 0x61, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x2d, 0x7b, 0x22, 0x7b,
  0x22, 0x46, 0x22, 0x76, 0x3a, 0x2e, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22,
  0x76, 0x3a, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x77,
  0x76, 0x3a, 0x3a, 0x20, 0x73, 0x61, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73,
  0x2d, 0x7b, 0x75, 0x74, 0x66, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a,
  0x2e, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2d, 0x7b, 0x22,
  0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73,
  0x61, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x2d, 0x7b, 0x22, 0x7b, 0x22,
  0x46, 0x22, 0x76, 0x3a, 0x2e, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76,
  0x3a, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x77, 0x76,
  0x3a, 0x3a, 0x20, 0x74, 0x61, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x2d,
  0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22, 0x76, 0x3a, 0x2e, 0x7b, 0x22, 0x7b,
  0x22, 0x46, 0x22, 0x76, 0x3a, 0x2d, 0x7b, 0x22, 0x7b, 0x22, 0x46, 0x22,
  0x76, 0x3a, 0x77, 0x76, 0x3a, 0x3a, 0x20, 0x73, 0x61, 0x2d, 0x7b, 0xa7,
  0x61, 0x2d, 0xf3, 0xa0, 0x81, 0xb5, 0xf3, 0xa0, 0x81, 0x81, 0xb5, 0xf3,
  0xa0, 0x81, 0x81, 0xb5, 0xf3, 0xa0, 0x81, 0x81, 0xb5, 0xf3, 0xa0, 0x81,
  0x81, 0xb5, 0xf3, 0xa0, 0x81, 0x81, 0xb5, 0xf3, 0xa1, 0x81, 0x81, 0xb5,
  0xf3, 0xa0, 0x81, 0x81, 0xb5, 0xf3, 0xa0, 0x81, 0x81, 0xb5, 0xf3, 0xa0,
  0x81, 0x81, 0xb5, 0xf3, 0xa0, 0x81, 0x81, 0xb5, 0xf3, 0xa0, 0x81, 0x81,
  0xb5, 0xf3, 0xa0, 0x81, 0x81, 0xb5, 0xf3, 0xa0, 0x81, 0x81, 0xb5, 0xf3,
  0xa0, 0x81, 0x81, 0xb5, 0xf3, 0xa0, 0x81, 0x81, 0xb5, 0xf3, 0xa0, 0x81,
  0x81, 0xb5, 0xf3, 0xa0, 0x81, 0x81, 0xb5, 0xf3, 0xa0, 0x81, 0x81, 0xb5,
  0xf3, 0xa0, 0x81, 0x81, 0xb5, 0xf3, 0xa0, 0x81, 0x81, 0xb5, 0xf3, 0xa0,
  0x81, 0x81, 0xb5, 0xf3, 0xa0, 0x81, 0x81, 0xb5, 0xf3, 0xa0, 0x81, 0x81,
  0xb5, 0xf3, 0xa0, 0x81, 0x81, 0xb5, 0xf3, 0xa0, 0x81, 0x81, 0xb5, 0xf3,
  0xa0, 0x81, 0x81, 0xb5, 0xf3, 0xa0, 0x81, 0x81, 0xb5, 0xf3, 0xa0, 0x81,
  0x81, 0xb5, 0xf3, 0xa0, 0x81, 0x82, 0xb5, 0xf3, 0xa0, 0x81, 0x81, 0xb5,
  0xf3, 0xa0, 0x81, 0x81, 0xb5, 0xf3, 0xa0, 0x81, 0x81, 0xb5, 0xf3, 0xa0,
  0x81, 0x81, 0xb5, 0xf3, 0xa0, 0x81, 0x81, 0xb5, 0xf3, 0xa0, 0x81, 0x81,
  0xb5, 0xf3, 0xa0, 0x81, 0x81, 0xb5, 0xf3, 0xa0, 0x81, 0x81, 0xb5, 0xf3,
  0xa0, 0x81, 0x81, 0xb5, 0xf3, 0xa0, 0x81, 0x81, 0xb5, 0xf3, 0xa0, 0x81,
  0x81, 0xb5, 0xf3, 0xa1, 0x81, 0x81, 0xb5, 0xf3, 0xa0, 0x81, 0x81, 0xb5,
  0xf3, 0xa0, 0x81, 0x81, 0xb5, 0xf3, 0xa0, 0x81, 0x81, 0xb5, 0xf3, 0xa0,
  0x81, 0x81, 0xb5, 0xf3, 0xa0, 0x81, 0x81, 0xb5, 0xf3, 0xa0, 0x81, 0x81,
  0xb5, 0xf3, 0xa0, 0x81, 0x81, 0xb5, 0xf3, 0xa0, 0x81, 0x81, 0xb5, 0xf3,
  0xa0, 0x81, 0x81, 0xb5, 0xf3, 0xa0, 0x81, 0x81, 0xb5, 0xf3, 0xa0, 0x81,
  0x81, 0xb5, 0xf3, 0xa0, 0x81, 0x81, 0xb5, 0xf3, 0xa0, 0x81, 0x81, 0xb5,
  0xf3, 0xa0, 0x81, 0x81, 0xb5, 0xf3, 0xa0, 0x81, 0x81, 0xb5, 0xf3, 0xa0,
  0x81, 0x81, 0xb5, 0xf3, 0xa0, 0x81, 0x81, 0xb5, 0xf3, 0xa0, 0x81, 0x81,
  0xb5, 0xf3, 0xa0, 0x81, 0x81, 0xb5, 0xf3, 0xa0, 0x81, 0x81, 0xb5, 0xf3,
  0xa0, 0x81, 0x81, 0xb5, 0xf3, 0xa0, 0x81, 0x81, 0xb5, 0xf3, 0xa0, 0x81,
  0x81, 0xb5, 0xf3, 0xa0, 0x81, 0x81, 0xb5, 0xf3, 0xa0, 0x81, 0x81, 0xb5,
  0xf3, 0xa0, 0x81, 0x81, 0xb5, 0xf3, 0xa0, 0x81, 0x81, 0xb5, 0xf3, 0xa0,
  0x81, 0x81, 0xb5, 0xf3, 0xa0, 0x81, 0x81, 0xb5, 0xf3, 0xa0, 0x81, 0x81,
  0xb5, 0xf3, 0xa0, 0x81, 0x81, 0xb5, 0xf3, 0xa0, 0x81, 0x81, 0xb5, 0xf3,
  0xa0, 0x81, 0x81, 0xb5, 0xf3, 0xa0, 0x81, 0x81, 0xb5, 0xf3, 0xa0, 0x81,
  0x81, 0xb5, 0xf3, 0xa0, 0x81, 0x81, 0xb5, 0xf3, 0xa0, 0x81, 0x81, 0xb5,
  0xf3, 0xa0, 0x81, 0x81, 0xb5, 0xf3, 0xa0, 0x81, 0x81, 0xb5, 0xf3, 0xa0,
  0x81, 0x81, 0xb5, 0xf3, 0xa0, 0x81, 0x81, 0xb5, 0xf3, 0xa0, 0x81, 0x81,
  0xb5, 0xf3, 0xa0, 0x81, 0x81, 0xb5, 0xf3, 0xa0, 0x81, 0x81, 0xb5, 0xf3,
  0xa0, 0x81, 0x81, 0xb5, 0xf3, 0xa0, 0x81, 0x81, 0xb5, 0xf3, 0xa0, 0x81,
  0x81, 0xb5, 0xf3, 0xa0, 0x81, 0x81, 0xb5, 0xf3, 0xa0, 0x81, 0x81, 0xb5,
  0xf3, 0xa0, 0x81, 0x81, 0xb5, 0xf3, 0xa0, 0x81, 0x81, 0xb5, 0xf3, 0xa0,
  0x81, 0x81, 0xb5, 0xf3, 0xa0, 0x81, 0xa7, 0x7b, 0x15, 0x7b, 0xc0, 0xad,
  0x7b, 0x7b, 0xc0, 0xad, 0x7b, 0x22]))

Regression range: ece20db...6be7aee

Error messages

AddressSanitizer stack trace:

==2936==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62a0000b91f4 at pc 0x000000c0a818 bp 0x7ffc21dc1e30 sp 0x7ffc21dc1e28
WRITE of size 1 at 0x62a0000b91f4 thread T0
SCARINESS: 31 (1-byte-write-heap-buffer-overflow)
    #0 0xc0a817 in tok_get_normal_mode cpython/Parser/tokenizer.c:2240:41
    #1 0xbf81d5 in tok_get cpython/Parser/tokenizer.c:2676:16
    #2 0xbf81d5 in _PyTokenizer_Get cpython/Parser/tokenizer.c:2685:18
    #3 0xb46ffa in _PyPegen_tokenize_full_source_to_check_for_errors cpython/Parser/pegen_errors.c:171:17
    #4 0xb46c26 in _Pypegen_set_syntax_error cpython/Parser/pegen_errors.c:0
    #5 0xb4313c in _PyPegen_run_parser cpython/Parser/pegen.c:858:9
    #6 0xb43a4d in _PyPegen_run_parser_from_string cpython/Parser/pegen.c:952:14
    #7 0xbf4ec7 in _PyParser_ASTFromString cpython/Parser/peg_api.c:14:21
    #8 0x95dab9 in Py_CompileStringObject cpython/Python/pythonrun.c:1771:11
    #9 0x7d8af6 in builtin_compile_impl cpython/Python/bltinmodule.c:831:14
    #10 0x7d8af6 in builtin_compile cpython/Python/clinic/bltinmodule.c.h:383:20
    #11 0xca3720 in cfunction_vectorcall_FASTCALL_KEYWORDS cpython/Objects/methodobject.c:438:24
    #12 0x5c1b88 in _PyObject_VectorcallTstate cpython/Include/internal/pycore_call.h:92:11
    #13 0x5c1b88 in PyObject_Vectorcall cpython/Objects/call.c:301:12
    #14 0x7f427f in _PyEval_EvalFrameDefault cpython/Python/bytecodes.c:2577:19
    #15 0x7e2a1f in _PyEval_EvalFrame cpython/Include/internal/pycore_ceval.h:88:16
    #16 0x7e2a1f in _PyEval_Vector cpython/Python/ceval.c:1529:12
    #17 0x5c261e in _PyFunction_Vectorcall cpython/Objects/call.c:0
    #18 0x5c193f in _PyVectorcall_Call cpython/Objects/call.c:247:16
    #19 0x5c1f22 in _PyObject_Call cpython/Objects/call.c:330:16
    #20 0x5c2a23 in PyObject_CallObject cpython/Objects/call.c:454:12
    #21 0x593bc4 in LLVMFuzzerTestOneInput python-library-fuzzers/fuzzer.cpp:134:14
    #22 0x461943 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
    #23 0x44d0a2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
    #24 0x45294c in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
    #25 0x47be82 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #26 0x7eafaded4082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16
    #27 0x44326d in _start
0x62a0000b91f4 is located 4 bytes to the right of 20464-byte region [0x62a0000b4200,0x62a0000b91f0)
allocated by thread T0 here:
    #0 0x552ad6 in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
    #1 0x68ee29 in _PyMem_RawMalloc cpython/Objects/obmalloc.c:42:12
    #2 0x691e7a in PyMem_Malloc cpython/Objects/obmalloc.c:587:12
    #3 0xbf580a in tok_new cpython/Parser/tokenizer.c:74:49
    #4 0xbf580a in _PyTokenizer_FromString cpython/Parser/tokenizer.c:884:29
    #5 0xb43752 in _PyPegen_run_parser_from_string cpython/Parser/pegen.c:929:15
    #6 0xbf4ec7 in _PyParser_ASTFromString cpython/Parser/peg_api.c:14:21
    #7 0x95dab9 in Py_CompileStringObject cpython/Python/pythonrun.c:1771:11
    #8 0x7d8af6 in builtin_compile_impl cpython/Python/bltinmodule.c:831:14
    #9 0x7d8af6 in builtin_compile cpython/Python/clinic/bltinmodule.c.h:383:20
    #10 0xca3720 in cfunction_vectorcall_FASTCALL_KEYWORDS cpython/Objects/methodobject.c:438:24
    #11 0x5c1b88 in _PyObject_VectorcallTstate cpython/Include/internal/pycore_call.h:92:11
    #12 0x5c1b88 in PyObject_Vectorcall cpython/Objects/call.c:301:12
    #13 0x7f427f in _PyEval_EvalFrameDefault cpython/Python/bytecodes.c:2577:19
    #14 0x7e2a1f in _PyEval_EvalFrame cpython/Include/internal/pycore_ceval.h:88:16
    #15 0x7e2a1f in _PyEval_Vector cpython/Python/ceval.c:1529:12
    #16 0x5c261e in _PyFunction_Vectorcall cpython/Objects/call.c:0
    #17 0x5c193f in _PyVectorcall_Call cpython/Objects/call.c:247:16
    #18 0x5c1f22 in _PyObject_Call cpython/Objects/call.c:330:16
    #19 0x5c2a23 in PyObject_CallObject cpython/Objects/call.c:454:12
    #20 0x593bc4 in LLVMFuzzerTestOneInput python-library-fuzzers/fuzzer.cpp:134:14
    #21 0x461943 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
    #22 0x44d0a2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
    #23 0x45294c in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
    #24 0x47be82 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #25 0x7eafaded4082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16

Your environment

Linux x64, latest cpython main branch checkout.

Linked PRs

The text was updated successfully, but these errors were encountered:

alex · 2023-04-30T16:39:00Z

I'm guessing this is related to 1ef61cf and d4aa857

cc: @pablogsal, @lysnikolaou, @isidentical, @mgmacias95, @sunmy2019

sunmy2019 · 2023-04-30T17:28:25Z

The overflow should be caught by an assert.

cpython/Parser/tokenizer.c

Lines 49 to 53 in 7d3931e

    
           static inline tokenizer_mode* TOK_NEXT_MODE(struct tok_state* tok) { 
        
               assert(tok->tok_mode_stack_index >= 0); 
        
               assert(tok->tok_mode_stack_index < MAXLEVEL); 
        
               return &(tok->tok_mode_stack[++tok->tok_mode_stack_index]); 
        
           }

Should be

-     assert(tok->tok_mode_stack_index < MAXLEVEL); 
+     assert(tok->tok_mode_stack_index + 1 < MAXLEVEL);

Some code paths do not guard tok->tok_mode_stack_index.

sunmy2019 · 2023-04-30T18:38:54Z

The tok->level checks on reading ( or {, while f" increases on tok->tok_mode_stack_index. Adding one more check here should solve the problem.

Simplified test case:

import ast
ast.parse('f"{1 1:' + ('{f"1:' * 199))

By the way, OSS-Fuzz is amazing at finding bugs! It's just hard to solve them. 😢

Co-authored-by: sunmy2019 <59365878+sunmy2019@users.noreply.github.com> Co-authored-by: Ken Jin <kenjin@python.org> Co-authored-by: Pablo Galindo <pablogsal@gmail.com>

* main: (463 commits) pythongh-104057: Fix direct invocation of test_super (python#104064) pythongh-87092: Expose assembler to unit tests (python#103988) pythongh-97696: asyncio eager tasks factory (python#102853) pythongh-84436: Immortalize in _PyStructSequence_InitBuiltinWithFlags() (pythongh-104054) pythongh-104057: Fix direct invocation of test_module (pythonGH-104059) pythongh-100458: Clarify Enum.__format__() change of mixed-in types in the whatsnew/3.11.rst (pythonGH-100387) pythongh-104018: disallow "z" format specifier in %-format of byte strings (pythonGH-104033) pythongh-104016: Fixed off by 1 error in f string tokenizer (python#104047) pythonGH-103629: Update Unpack's repr in compliance with PEP 692 (python#104048) pythongh-102799: replace sys.exc_info by sys.exception in inspect and traceback modules (python#104032) Fix typo in "expected" word in few source files (python#104034) pythongh-103824: fix use-after-free error in Parser/tokenizer.c (python#103993) pythongh-104035: Do not ignore user-defined `__{get,set}state__` in slotted frozen dataclasses (python#104041) pythongh-104028: Reduce object creation while calling callback function from gc (pythongh-104030) pythongh-104036: Fix direct invocation of test_typing (python#104037) pythongh-102213: Optimize the performance of `__getattr__` (pythonGH-103761) pythongh-103895: Improve how invalid `Exception.__notes__` are displayed (python#103897) Adjust expression from `==` to `!=` in alignment with the meaning of the paragraph. (pythonGH-104021) pythongh-88496: Fix IDLE test hang on macOS (python#104025) Improve int test coverage (python#104024) ...

guidovranken · 2023-05-02T16:53:20Z

OSS-Fuzz has detected this as being fixed, so closing this issue.

pablogsal · 2023-05-02T16:56:10Z

Thanks a lot for opening the issue!

Btw, @guidovranken there is any place where we can keep track of the OSS-Fuzz detections/tickets?

guidovranken · 2023-05-02T17:14:01Z

I can add people to the auto_ccs: https://github.com/google/oss-fuzz/blob/2647d8ae7c23f45d6078756d9de1ab0eec02dcc9/projects/python3-libraries/project.yaml#L5-L8

Please give me the email addresses of all the recipients you would like to add. Note that:

These addressess will be public (they are stored in the project.yaml file in the oss-fuzz repository)
The addresses must be linked to a Google account in order to see detailed bug reports on https://oss-fuzz.com/

pablogsal · 2023-05-02T18:09:14Z

Please give me the email addresses of all the recipients you would like to add. Note that:

Add this one for the time being: pablogsal@python.org

guidovranken · 2023-05-02T18:19:05Z

Done. You should be able to log in to https://oss-fuzz.com/ 24 hours (or so) after that PR is merged.

The fuzzer harnesses are here: https://github.com/guidovranken/python-library-fuzzers , if you can think of an improvement feel free to submit a PR.

* main: pythongh-103822: [Calendar] change return value to enum for day and month APIs (pythonGH-103827) pythongh-65022: Fix description of tuple return value in copyreg (python#103892) pythonGH-103525: Improve exception message from `pathlib.PurePath()` (pythonGH-103526) pythongh-84436: Add integration C API tests for immortal objects (pythongh-103962) pythongh-103743: Add PyUnstable_Object_GC_NewWithExtraData (pythonGH-103744) pythongh-102997: Update Windows installer to SQLite 3.41.2. (python#102999) pythonGH-103484: Fix redirected permanently URLs (python#104001) Improve assert_type phrasing (python#104081) pythongh-102997: Update macOS installer to SQLite 3.41.2. (pythonGH-102998) pythonGH-103472: close response in HTTPConnection._tunnel (python#103473) pythongh-88496: IDLE - fix another test on macOS (python#104075) pythongh-94673: Hide Objects in PyTypeObject Behind Accessors (pythongh-104074) pythongh-94673: Properly Initialize and Finalize Static Builtin Types for Each Interpreter (pythongh-104072) pythongh-104016: Skip test for deeply neste f-strings on wasi (python#104071)

* main: (760 commits) pythonGH-104102: Optimize `pathlib.Path.glob()` handling of `../` pattern segments (pythonGH-104103) pythonGH-104104: Optimize `pathlib.Path.glob()` by avoiding repeated calls to `os.path.normcase()` (pythonGH-104105) pythongh-103822: [Calendar] change return value to enum for day and month APIs (pythonGH-103827) pythongh-65022: Fix description of tuple return value in copyreg (python#103892) pythonGH-103525: Improve exception message from `pathlib.PurePath()` (pythonGH-103526) pythongh-84436: Add integration C API tests for immortal objects (pythongh-103962) pythongh-103743: Add PyUnstable_Object_GC_NewWithExtraData (pythonGH-103744) pythongh-102997: Update Windows installer to SQLite 3.41.2. (python#102999) pythonGH-103484: Fix redirected permanently URLs (python#104001) Improve assert_type phrasing (python#104081) pythongh-102997: Update macOS installer to SQLite 3.41.2. (pythonGH-102998) pythonGH-103472: close response in HTTPConnection._tunnel (python#103473) pythongh-88496: IDLE - fix another test on macOS (python#104075) pythongh-94673: Hide Objects in PyTypeObject Behind Accessors (pythongh-104074) pythongh-94673: Properly Initialize and Finalize Static Builtin Types for Each Interpreter (pythongh-104072) pythongh-104016: Skip test for deeply neste f-strings on wasi (python#104071) pythongh-104057: Fix direct invocation of test_super (python#104064) pythongh-87092: Expose assembler to unit tests (python#103988) pythongh-97696: asyncio eager tasks factory (python#102853) pythongh-84436: Immortalize in _PyStructSequence_InitBuiltinWithFlags() (pythongh-104054) ...

Add Python team member per their request: python/cpython#104016 (comment)

guidovranken added the type-crash A hard crash of the interpreter, possibly with a core dump label Apr 30, 2023

alex added the type-security A security issue label Apr 30, 2023

bedevere-bot mentioned this issue May 1, 2023

gh-104016: Fixed off by 1 error in f string tokenizer #104047

Merged

bedevere-bot mentioned this issue May 1, 2023

gh-104016: Skip test for deeply neste f-strings on wasi #104071

Merged

pablogsal added a commit to pablogsal/cpython that referenced this issue May 1, 2023

pythongh-104016: Skip test for deeply neste f-strings on wasi

1796a64

pablogsal added a commit to pablogsal/cpython that referenced this issue May 1, 2023

pythongh-104016: Skip test for deeply neste f-strings on wasi

52671f9

pablogsal added a commit that referenced this issue May 1, 2023

gh-104016: Skip test for deeply neste f-strings on wasi (#104071)

b1ca34d

guidovranken closed this as completed May 2, 2023

guidovranken mentioned this issue May 2, 2023

[python3-libraries] Add Python team member google/oss-fuzz#10214

Merged

jonathanmetzman pushed a commit to google/oss-fuzz that referenced this issue May 3, 2023

[python3-libraries] Add Python team member (#10214)

76e0b59

Add Python team member per their request: python/cpython#104016 (comment)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Out-of-bounds write in AST parser #104016

Out-of-bounds write in AST parser #104016

guidovranken commented Apr 30, 2023 •

edited by bedevere-bot

Loading

alex commented Apr 30, 2023

sunmy2019 commented Apr 30, 2023

sunmy2019 commented Apr 30, 2023 •

edited

Loading

guidovranken commented May 2, 2023

pablogsal commented May 2, 2023

guidovranken commented May 2, 2023

pablogsal commented May 2, 2023

guidovranken commented May 2, 2023

Out-of-bounds write in AST parser #104016

Out-of-bounds write in AST parser #104016

Comments

guidovranken commented Apr 30, 2023 • edited by bedevere-bot Loading

Crash report

Error messages

Your environment

Linked PRs

alex commented Apr 30, 2023

sunmy2019 commented Apr 30, 2023

sunmy2019 commented Apr 30, 2023 • edited Loading

guidovranken commented May 2, 2023

pablogsal commented May 2, 2023

guidovranken commented May 2, 2023

pablogsal commented May 2, 2023

guidovranken commented May 2, 2023

guidovranken commented Apr 30, 2023 •

edited by bedevere-bot

Loading

sunmy2019 commented Apr 30, 2023 •

edited

Loading