bug-gnu-emacs
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#9079: integer overflow etc. issues (e.g., image crashes Emacs)


From: Paul Eggert
Subject: bug#9079: integer overflow etc. issues (e.g., image crashes Emacs)
Date: Thu, 14 Jul 2011 00:55:39 -0700
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.17) Gecko/20110516 Thunderbird/3.1.10

Package: emacs
Version: 24.0.50
Tags: patch

I examined more of the Emacs C source code, looking for problems with
integer overflow and signedness issues, and found several issues,
all fixed in the patch below.

This patch does not add any features to Emacs, and it focuses on
fixing bugs, so I hope that it's suitable for the trunk now.

Here's an example bug.  Take the attached file 46341x46341.png.gz,
uncompress it with 'gunzip', start up Emacs under X Windows, execute
(setq max-image-size 50000), and then visit the file 46341x46341.png.
If you're lucky Emacs will thrash around for quite some time and then
dump core.  If you're unlucky Emacs's internal data structures will be
silently corrupted.

To make things a bit easier on my hand examination (so that I didn't
have so many false matches for 'size_t') this patch assumes the
cleanups assuming C89 libraries that I circulated a week or two ago
<http://lists.gnu.org/archive/html/emacs-devel/2011-07/msg00261.html>
<http://lists.gnu.org/archive/html/emacs-devel/2011-07/msg00402.html>.

This bug report to some extent follows up on Bug#8873, but takes a
somewhat different tack, as it mostly focuses on unsigned integers.


# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: address@hidden
# target_branch: ../memcmp
# testament_sha1: 9592d4b269a0873b3fbe5e662fc3f163f4678863
# timestamp: 2011-07-14 00:51:13 -0700
# base_revision_id: address@hidden
# 
# Begin patch
=== modified file 'src/ChangeLog'
--- src/ChangeLog       2011-07-14 07:31:04 +0000
+++ src/ChangeLog       2011-07-14 07:50:51 +0000
@@ -1,5 +1,176 @@
 2011-07-14  Paul Eggert  <address@hidden>
 
+       Integer signedness and overflow and related fixes.
+
+       * image.c: Improve checking for integer overflow.
+       (check_image_size): Assume that f is nonnull, since
+       it is always nonnull in practice.  This is one less thing to
+       worry about when checking for integer overflow later.
+       (x_check_image_size): New function, which checks for integer
+       overflow issues inside X.
+       (x_create_x_image_and_pixmap, xbm_read_bitmap_data): Use it.
+       This removes the need for a memory_full check.
+       (xbm_image_p): Rewrite to avoid integer multiplication overflow.
+       (Create_Pixmap_From_Bitmap_Data, xbm_load): Use x_check_image_size.
+       (xbm_read_bitmap_data): Change locals back to 'int', since
+       their values must fit in 'int'.
+       (xpm_load_image, png_load, tiff_load):
+       Invoke x_create_x_image_and_pixmap earlier,
+       to avoid much needless work if the image is too large.
+       (tiff_load): Treat overly large images as if
+       x_create_x_image_and_pixmap failed, not as malloc failures.
+       (gs_load): Use x_check_image_size.
+
+       * gtkutil.c: Omit integer casts.
+       (xg_get_pixbuf_from_pixmap): Remove unnecessary cast.
+       (xg_set_toolkit_scroll_bar_thumb): Rewrite to avoid need for cast.
+
+       * image.c (png_load): Don't assume height * row_bytes fits in 'int'.
+
+       * bidi.c (bidi_dump_cached_states): Use pD to print ptrdiff_t.
+
+       * xfaces.c (Fbitmap_spec_p): Fix integer overflow bug.
+       Without this fix, (bitmap-spec-p '(34359738368 1 "x"))
+       would wrongly return t on a 64-bit host.
+
+       * dispnew.c (init_display): Use *_RANGE_OVERFLOW macros.
+       The plain *_OVERFLOW macros run afoul of GCC bug 49705
+       <http://gcc.gnu.org/bugzilla/show_bug.cgi?id=49705>
+       and therefore cause GCC to emit a bogus diagnostic in some cases.
+
+       * image.c: Integer signedness and overflow and related fixes.
+       This is not an exhaustive set of fixes, but it's time to
+       record what I've got.
+       (lookup_pixel_color, check_image_size): Remove redundant decls.
+       (check_image_size): Don't assume that arbitrary EMACS_INT values
+       fit in 'int', or that arbitrary 'double' values fit in 'int'.
+       (x_alloc_image_color, x_create_x_image_and_pixmap, png_load)
+       (tiff_load, imagemagick_load_image):
+       Check for overflow in size calculations.
+       (x_create_x_image_and_pixmap): Remove unnecessary test for
+       xmalloc returning NULL; that can't happen.
+       (xbm_read_bitmap_data): Don't assume sizes fit into 'int'.
+       (xpm_color_bucket): Use better integer hashing function.
+       (xpm_cache_color): Don't possibly over-allocate memory.
+       (struct png_memory_storage, tiff_memory_source, tiff_seek_in_memory)
+       (gif_memory_source):
+       Use ptrdiff_t, not int or size_t, to record sizes.
+       (png_load): Don't assume values greater than 2**31 fit in 'int'.
+       (our_stdio_fill_input_buffer): Prefer ptrdiff_t to size_t when
+       either works, as we prefer signed integers.
+       (tiff_read_from_memory, tiff_write_from_memory):
+       Return tsize_t, not size_t, since that's what the TIFF API wants.
+       (tiff_read_from_memory): Don't fail simply because the read would
+       go past EOF; instead, return a short read.
+       (tiff_load): Omit no-longer-needed casts.
+       (Fimagemagick_types): Don't assume size fits into 'int'.
+
+       Improve hashing quality when configured --with-wide-int.
+       * fns.c (hash_string): New function, taken from sxhash_string.
+       Do not discard information about ASCII character case; this
+       discarding is no longer needed.
+       (sxhash-string): Use it.  Change sig to match it.  Caller changed.
+       * lisp.h: Declare it.
+       * lread.c (hash_string): Remove, since we now use fns.c's version.
+       The fns.c version returns a wider integer if --with-wide-int is
+       specified, so this should help the quality of the hashing a bit.
+
+       * emacs.c: Integer overflow minor fix.
+       (heap_bss_diff): Now uprintmax_t, not unsigned long.  All used changed.
+       Define only if GNU_LINUX.
+       (main, Fdump_emacs): Set and use heap_bss_diff only if GNU_LINUX.
+
+       * dispnew.c: Integer signedness and overflow fixes.
+       Remove unnecessary forward decls, that were a maintenance hassle.
+       (history_tick): Now uprintmax_t, so it's more likely to avoid overflow.
+       All uses changed.
+       (adjust_glyph_matrix, realloc_glyph_pool, adjust_frame_message_buffer)
+       (scrolling_window): Use ptrdiff_t, not int, for byte count.
+       (prepare_desired_row, line_draw_cost):
+       Use int, not unsigned, where either works.
+       (save_current_matrix, restore_current_matrix):
+       Use ptrdiff_t, not size_t, where either works.
+       (init_display): Check for overflow more accurately, and without
+       relying on undefined behavior.
+
+       * editfns.c (pWIDE, pWIDElen, signed_wide, unsigned_wide):
+       Remove, replacing with the new symbols in lisp.h.  All uses changed.
+       * fileio.c (make_temp_name):
+       * filelock.c (lock_file_1, lock_file):
+       * xdisp.c (message_dolog):
+       Don't assume PRIdMAX etc. works; this isn't portable to pre-C99 hosts.
+       Use pMd etc. instead.
+       * lisp.h (printmax_t, uprintmax_t, pMd, pMu): New types and macros,
+       replacing the pWIDE etc. symbols removed from editfns.c.
+
+       * keyboard.h (num_input_events): Now uintmax_t.
+       This is (very slightly) less likely to mess up due to wraparound.
+       All uses changed.
+
+       * buffer.c: Integer signedness fixes.
+       (alloc_buffer_text, enlarge_buffer_text):
+       Use ptrdiff_t rather than size_t when either will do, as we prefer
+       signed integers.
+
+       * bidi.c: Integer signedness and overflow fixes.
+       (bidi_cache_idx, bidi_cache_last_idx, bidi_cache_fetch_state)
+       (bidi_cache_search, bidi_cache_find_level_change)
+       (bidi_cache_iterator_state, bidi_cache_find)
+       (bidi_find_other_level_edge, bidi_dump_cached_states):
+       Don't arbitrarily limit cache indexes to int; use ptrdiff_t instead.
+       (bidi_cache_size): Use ptrdiff_t rather than size_t, as we prefer
+       signed integers.
+       (elsz): Make it a (signed) constant.
+       (bidi_cache_iterator_state): Check for size-calculation overflow.
+
+       * alloc.c: Integer signedness and overflow fixes.
+       Do not impose an arbitrary 32-bit limit on malloc sizes when debugging.
+       (__malloc_size_t): Default to size_t, not to int.
+       (pure_size, pure_bytes_used_before_overflow, stack_copy_size)
+       (Fgarbage_collect, mark_object_loop_halt, mark_object):
+       Prefer ptrdiff_t to size_t when either would do, as we prefer
+       signed integers.
+       (XMALLOC_OVERRUN_CHECK_OVERHEAD): New macro.
+       (xmalloc_overrun_check_header, xmalloc_overrun_check_trailer):
+       Now const.  Initialize with values that are in range even if char
+       is signed.
+       (XMALLOC_PUT_SIZE, XMALLOC_GET_SIZE): Remove, replacing with ...
+       (xmalloc_put_size, xmalloc_get_size): New functions.  All uses changed.
+       These functions do the right thing with sizes > 2**32.
+       (check_depth): Now ptrdiff_t, not int.
+       (overrun_check_malloc, overrun_check_realloc, overrun_check_free):
+       Adjust to new way of storing sizes.  Check for size overflow bugs
+       in rest of code.
+       (STRING_BYTES_MAX): Adjust to new overheads.  The old code was
+       slightly wrong anyway, as it missed one instance of
+       XMALLOC_OVERRUN_CHECK_OVERHEAD.
+       (refill_memory_reserve): Omit needless cast to size_t.
+       (mark_object_loop_halt): Mark as externally visible.
+
+       * xselect.c: Integer signedness and overflow fixes.
+       (Fx_register_dnd_atom, x_handle_dnd_message):
+       Use ptrdiff_t, not size_t, since we prefer signed.
+       (Fx_register_dnd_atom): Check for ptrdiff_t (and size_t) overflow.
+       * xterm.h (struct x_display_info): Use ptrdiff_t, not size_t, for
+       x_dnd_atoms_size and x_dnd_atoms_length.
+
+       * doprnt.c: Prefer signed to unsigned when either works.
+       * eval.c (verror):
+       * doprnt.c (doprnt):
+       * lisp.h (doprnt):
+       * xdisp.c (vmessage):
+       Use ptrdiff_t, not size_t, when using or implementing doprnt,
+       since the sizes cannot exceed ptrdiff_t bounds anyway, and we
+       prefer signed arithmetic to avoid comparison confusion.
+       * doprnt.c (doprnt): Avoid a "+ 1" that can't overflow,
+       but is a bit tricky.
+
+       * lisp.h (struct vectorlike_header, struct Lisp_Subr): Signed sizes.
+       Use EMACS_INT, not EMACS_UINT, for sizes.  The code works equally
+       well either way, and we prefer signed to unsigned.
+
+2011-07-14  Paul Eggert  <address@hidden>
+
        Assume freestanding C89 headers, string.h, stdlib.h.
        * data.c, doprnt.c, floatfns.c, print.c:
        Include float.h unconditionally.

=== modified file 'src/alloc.c'
--- src/alloc.c 2011-07-13 01:04:29 +0000
+++ src/alloc.c 2011-07-13 03:45:56 +0000
@@ -70,7 +70,7 @@
 #include <malloc.h>
 /* malloc.h #defines this as size_t, at least in glibc2.  */
 #ifndef __malloc_size_t
-#define __malloc_size_t int
+#define __malloc_size_t size_t
 #endif
 
 /* Specify maximum number of areas to mmap.  It would be nice to use a
@@ -214,12 +214,12 @@
 /* Pointer to the pure area, and its size.  */
 
 static char *purebeg;
-static size_t pure_size;
+static ptrdiff_t pure_size;
 
 /* Number of bytes of pure storage used before pure storage overflowed.
    If this is non-zero, this implies that an overflow occurred.  */
 
-static size_t pure_bytes_used_before_overflow;
+static ptrdiff_t pure_bytes_used_before_overflow;
 
 /* Value is non-zero if P points into pure space.  */
 
@@ -252,7 +252,7 @@
 
 #if MAX_SAVE_STACK > 0
 static char *stack_copy;
-static size_t stack_copy_size;
+static ptrdiff_t stack_copy_size;
 #endif
 
 /* Non-zero means ignore malloc warnings.  Set during initialization.
@@ -486,14 +486,15 @@
 
 
 #ifndef XMALLOC_OVERRUN_CHECK
-#define XMALLOC_OVERRUN_CHECK_SIZE 0
+#define XMALLOC_OVERRUN_CHECK_OVERHEAD 0
 #else
 
-/* Check for overrun in malloc'ed buffers by wrapping a 16 byte header
-   and a 16 byte trailer around each block.
+/* Check for overrun in malloc'ed buffers by wrapping a header and trailer
+   around each block.
 
-   The header consists of 12 fixed bytes + a 4 byte integer contaning the
-   original block size, while the trailer consists of 16 fixed bytes.
+   The header consists of 16 fixed bytes followed by sizeof (size_t) bytes
+   containing the original block size in little-endian order,
+   while the trailer consists of 16 fixed bytes.
 
    The header is used to detect whether this block has been allocated
    through these functions -- as it seems that some low-level libc
@@ -502,31 +503,47 @@
 
 
 #define XMALLOC_OVERRUN_CHECK_SIZE 16
-
-static char xmalloc_overrun_check_header[XMALLOC_OVERRUN_CHECK_SIZE-4] =
-  { 0x9a, 0x9b, 0xae, 0xaf,
-    0xbf, 0xbe, 0xce, 0xcf,
-    0xea, 0xeb, 0xec, 0xed };
-
-static char xmalloc_overrun_check_trailer[XMALLOC_OVERRUN_CHECK_SIZE] =
-  { 0xaa, 0xab, 0xac, 0xad,
-    0xba, 0xbb, 0xbc, 0xbd,
-    0xca, 0xcb, 0xcc, 0xcd,
-    0xda, 0xdb, 0xdc, 0xdd };
-
-/* Macros to insert and extract the block size in the header.  */
-
-#define XMALLOC_PUT_SIZE(ptr, size)    \
-  (ptr[-1] = (size & 0xff),            \
-   ptr[-2] = ((size >> 8) & 0xff),     \
-   ptr[-3] = ((size >> 16) & 0xff),    \
-   ptr[-4] = ((size >> 24) & 0xff))
-
-#define XMALLOC_GET_SIZE(ptr)                  \
-  (size_t)((unsigned)(ptr[-1])         |       \
-          ((unsigned)(ptr[-2]) << 8)   |       \
-          ((unsigned)(ptr[-3]) << 16)  |       \
-          ((unsigned)(ptr[-4]) << 24))
+#define XMALLOC_OVERRUN_CHECK_OVERHEAD \
+  (2 * XMALLOC_OVERRUN_CHECK_SIZE + sizeof (size_t))
+
+static char const xmalloc_overrun_check_header[XMALLOC_OVERRUN_CHECK_SIZE] =
+  { '\x9a', '\x9b', '\xae', '\xaf',
+    '\xbf', '\xbe', '\xce', '\xcf',
+    '\xea', '\xeb', '\xec', '\xed',
+    '\xdf', '\xde', '\x9c', '\x9d' };
+
+static char const xmalloc_overrun_check_trailer[XMALLOC_OVERRUN_CHECK_SIZE] =
+  { '\xaa', '\xab', '\xac', '\xad',
+    '\xba', '\xbb', '\xbc', '\xbd',
+    '\xca', '\xcb', '\xcc', '\xcd',
+    '\xda', '\xdb', '\xdc', '\xdd' };
+
+/* Insert and extract the block size in the header.  */
+
+static void
+xmalloc_put_size (unsigned char *ptr, size_t size)
+{
+  int i;
+  for (i = 0; i < sizeof (size_t); i++)
+    {
+      *--ptr = size & (1 << CHAR_BIT) - 1;
+      size >>= CHAR_BIT;
+    }
+}
+
+static size_t
+xmalloc_get_size (unsigned char *ptr)
+{
+  size_t size = 0;
+  int i;
+  ptr -= sizeof (size_t);
+  for (i = 0; i < sizeof (size_t); i++)
+    {
+      size <<= CHAR_BIT;
+      size += *ptr++;
+    }
+  return size;
+}
 
 
 /* The call depth in overrun_check functions.  For example, this might happen:
@@ -545,10 +562,10 @@
 
    xfree(10032)
      overrun_check_free(10032)
-       decrease overhed
+       decrease overhead
        free(10016)  <-  crash, because 10000 is the original pointer.  */
 
-static int check_depth;
+static ptrdiff_t check_depth;
 
 /* Like malloc, but wraps allocated block with header and trailer.  */
 
@@ -556,15 +573,16 @@
 overrun_check_malloc (size_t size)
 {
   register unsigned char *val;
-  size_t overhead = ++check_depth == 1 ? XMALLOC_OVERRUN_CHECK_SIZE*2 : 0;
+  int overhead = ++check_depth == 1 ? XMALLOC_OVERRUN_CHECK_OVERHEAD : 0;
+  if (SIZE_MAX - overhead < size)
+    abort ();
 
   val = (unsigned char *) malloc (size + overhead);
   if (val && check_depth == 1)
     {
-      memcpy (val, xmalloc_overrun_check_header,
-             XMALLOC_OVERRUN_CHECK_SIZE - 4);
-      val += XMALLOC_OVERRUN_CHECK_SIZE;
-      XMALLOC_PUT_SIZE(val, size);
+      memcpy (val, xmalloc_overrun_check_header, XMALLOC_OVERRUN_CHECK_SIZE);
+      val += XMALLOC_OVERRUN_CHECK_SIZE + sizeof (size_t);
+      xmalloc_put_size (val, size);
       memcpy (val + size, xmalloc_overrun_check_trailer,
              XMALLOC_OVERRUN_CHECK_SIZE);
     }
@@ -580,31 +598,32 @@
 overrun_check_realloc (POINTER_TYPE *block, size_t size)
 {
   register unsigned char *val = (unsigned char *) block;
-  size_t overhead = ++check_depth == 1 ? XMALLOC_OVERRUN_CHECK_SIZE*2 : 0;
+  int overhead = ++check_depth == 1 ? XMALLOC_OVERRUN_CHECK_OVERHEAD : 0;
+  if (SIZE_MAX - overhead < size)
+    abort ();
 
   if (val
       && check_depth == 1
       && memcmp (xmalloc_overrun_check_header,
-                val - XMALLOC_OVERRUN_CHECK_SIZE,
-                XMALLOC_OVERRUN_CHECK_SIZE - 4) == 0)
+                val - XMALLOC_OVERRUN_CHECK_SIZE - sizeof (size_t),
+                XMALLOC_OVERRUN_CHECK_SIZE) == 0)
     {
-      size_t osize = XMALLOC_GET_SIZE (val);
+      size_t osize = xmalloc_get_size (val);
       if (memcmp (xmalloc_overrun_check_trailer, val + osize,
                  XMALLOC_OVERRUN_CHECK_SIZE))
        abort ();
       memset (val + osize, 0, XMALLOC_OVERRUN_CHECK_SIZE);
-      val -= XMALLOC_OVERRUN_CHECK_SIZE;
-      memset (val, 0, XMALLOC_OVERRUN_CHECK_SIZE);
+      val -= XMALLOC_OVERRUN_CHECK_SIZE + sizeof (size_t);
+      memset (val, 0, XMALLOC_OVERRUN_CHECK_SIZE + sizeof (size_t));
     }
 
   val = (unsigned char *) realloc ((POINTER_TYPE *)val, size + overhead);
 
   if (val && check_depth == 1)
     {
-      memcpy (val, xmalloc_overrun_check_header,
-             XMALLOC_OVERRUN_CHECK_SIZE - 4);
-      val += XMALLOC_OVERRUN_CHECK_SIZE;
-      XMALLOC_PUT_SIZE(val, size);
+      memcpy (val, xmalloc_overrun_check_header, XMALLOC_OVERRUN_CHECK_SIZE);
+      val += XMALLOC_OVERRUN_CHECK_SIZE + sizeof (size_t);
+      xmalloc_put_size (val, size);
       memcpy (val + size, xmalloc_overrun_check_trailer,
              XMALLOC_OVERRUN_CHECK_SIZE);
     }
@@ -623,20 +642,20 @@
   if (val
       && check_depth == 1
       && memcmp (xmalloc_overrun_check_header,
-                val - XMALLOC_OVERRUN_CHECK_SIZE,
-                XMALLOC_OVERRUN_CHECK_SIZE - 4) == 0)
+                val - XMALLOC_OVERRUN_CHECK_SIZE - sizeof (size_t),
+                XMALLOC_OVERRUN_CHECK_SIZE) == 0)
     {
-      size_t osize = XMALLOC_GET_SIZE (val);
+      size_t osize = xmalloc_get_size (val);
       if (memcmp (xmalloc_overrun_check_trailer, val + osize,
                  XMALLOC_OVERRUN_CHECK_SIZE))
        abort ();
 #ifdef XMALLOC_CLEAR_FREE_MEMORY
-      val -= XMALLOC_OVERRUN_CHECK_SIZE;
-      memset (val, 0xff, osize + XMALLOC_OVERRUN_CHECK_SIZE*2);
+      val -= XMALLOC_OVERRUN_CHECK_SIZE + sizeof (size_t);
+      memset (val, 0xff, osize + XMALLOC_OVERRUN_CHECK_OVERHEAD);
 #else
       memset (val + osize, 0, XMALLOC_OVERRUN_CHECK_SIZE);
-      val -= XMALLOC_OVERRUN_CHECK_SIZE;
-      memset (val, 0, XMALLOC_OVERRUN_CHECK_SIZE);
+      val -= XMALLOC_OVERRUN_CHECK_SIZE + sizeof (size_t);
+      memset (val, 0, XMALLOC_OVERRUN_CHECK_SIZE + sizeof (size_t));
 #endif
     }
 
@@ -1661,7 +1680,8 @@
    calculating a value to be passed to malloc.  */
 #define STRING_BYTES_MAX                                         \
   min (STRING_BYTES_BOUND,                                       \
-       ((SIZE_MAX - XMALLOC_OVERRUN_CHECK_SIZE - GC_STRING_EXTRA  \
+       ((SIZE_MAX - XMALLOC_OVERRUN_CHECK_OVERHEAD               \
+        - GC_STRING_EXTRA                                        \
         - offsetof (struct sblock, first_data)                   \
         - SDATA_DATA_OFFSET)                                     \
        & ~(sizeof (EMACS_INT) - 1)))
@@ -3320,7 +3340,7 @@
 {
 #ifndef SYSTEM_MALLOC
   if (spare_memory[0] == 0)
-    spare_memory[0] = (char *) malloc ((size_t) SPARE_MEMORY);
+    spare_memory[0] = (char *) malloc (SPARE_MEMORY);
   if (spare_memory[1] == 0)
     spare_memory[1] = (char *) lisp_align_malloc (sizeof (struct cons_block),
                                                  MEM_TYPE_CONS);
@@ -4922,7 +4942,7 @@
   if (NILP (Vpurify_flag))
     {
       char *stack;
-      size_t stack_size;
+      ptrdiff_t stack_size;
       if (&stack_top_variable < stack_bottom)
        {
          stack = &stack_top_variable;
@@ -5233,7 +5253,7 @@
    links of a list, in mark_object.  In debugging,
    the call to abort will hit a breakpoint.
    Normally this is zero and the check never goes off.  */
-static size_t mark_object_loop_halt;
+ptrdiff_t mark_object_loop_halt EXTERNALLY_VISIBLE;
 
 static void
 mark_vectorlike (struct Lisp_Vector *ptr)
@@ -5290,7 +5310,7 @@
   void *po;
   struct mem_node *m;
 #endif
-  size_t cdr_count = 0;
+  ptrdiff_t cdr_count = 0;
 
  loop:
 

=== modified file 'src/bidi.c'
--- src/bidi.c  2011-06-26 17:23:40 +0000
+++ src/bidi.c  2011-07-12 17:35:56 +0000
@@ -263,10 +263,10 @@
 
 #define BIDI_CACHE_CHUNK 200
 static struct bidi_it *bidi_cache;
-static size_t bidi_cache_size = 0;
-static size_t elsz = sizeof (struct bidi_it);
-static int bidi_cache_idx;     /* next unused cache slot */
-static int bidi_cache_last_idx;        /* slot of last cache hit */
+static ptrdiff_t bidi_cache_size = 0;
+enum { elsz = sizeof (struct bidi_it) };
+static ptrdiff_t bidi_cache_idx;       /* next unused cache slot */
+static ptrdiff_t bidi_cache_last_idx;  /* slot of last cache hit */
 
 static inline void
 bidi_cache_reset (void)
@@ -288,7 +288,7 @@
 }
 
 static inline void
-bidi_cache_fetch_state (int idx, struct bidi_it *bidi_it)
+bidi_cache_fetch_state (ptrdiff_t idx, struct bidi_it *bidi_it)
 {
   int current_scan_dir = bidi_it->scan_dir;
 
@@ -304,10 +304,10 @@
    level less or equal to LEVEL.  if LEVEL is -1, disregard the
    resolved levels in cached states.  DIR, if non-zero, means search
    in that direction from the last cache hit.  */
-static inline int
+static inline ptrdiff_t
 bidi_cache_search (EMACS_INT charpos, int level, int dir)
 {
-  int i, i_start;
+  ptrdiff_t i, i_start;
 
   if (bidi_cache_idx)
     {
@@ -366,12 +366,12 @@
    C, searching backwards (DIR = -1) for LEVEL = 2 will return the
    index of slot B or A, depending whether BEFORE is, respectively,
    non-zero or zero.  */
-static int
+static ptrdiff_t
 bidi_cache_find_level_change (int level, int dir, int before)
 {
   if (bidi_cache_idx)
     {
-      int i = dir ? bidi_cache_last_idx : bidi_cache_idx - 1;
+      ptrdiff_t i = dir ? bidi_cache_last_idx : bidi_cache_idx - 1;
       int incr = before ? 1 : 0;
 
       if (!dir)
@@ -407,7 +407,7 @@
 static inline void
 bidi_cache_iterator_state (struct bidi_it *bidi_it, int resolved)
 {
-  int idx;
+  ptrdiff_t idx;
 
   /* We should never cache on backward scans.  */
   if (bidi_it->scan_dir == -1)
@@ -420,6 +420,9 @@
       /* Enlarge the cache as needed.  */
       if (idx >= bidi_cache_size)
        {
+         if (min (PTRDIFF_MAX, SIZE_MAX) / elsz - BIDI_CACHE_CHUNK
+             < bidi_cache_size)
+           memory_full (SIZE_MAX);
          bidi_cache_size += BIDI_CACHE_CHUNK;
          bidi_cache =
            (struct bidi_it *) xrealloc (bidi_cache, bidi_cache_size * elsz);
@@ -468,7 +471,7 @@
 static inline bidi_type_t
 bidi_cache_find (EMACS_INT charpos, int level, struct bidi_it *bidi_it)
 {
-  int i = bidi_cache_search (charpos, level, bidi_it->scan_dir);
+  ptrdiff_t i = bidi_cache_search (charpos, level, bidi_it->scan_dir);
 
   if (i >= 0)
     {
@@ -1756,7 +1759,7 @@
 bidi_find_other_level_edge (struct bidi_it *bidi_it, int level, int end_flag)
 {
   int dir = end_flag ? -bidi_it->scan_dir : bidi_it->scan_dir;
-  int idx;
+  ptrdiff_t idx;
 
   /* Try the cache first.  */
   if ((idx = bidi_cache_find_level_change (level, dir, end_flag)) >= 0)
@@ -1912,7 +1915,7 @@
 void
 bidi_dump_cached_states (void)
 {
-  int i;
+  ptrdiff_t i;
   int ndigits = 1;
 
   if (bidi_cache_idx == 0)
@@ -1920,7 +1923,7 @@
       fprintf (stderr, "The cache is empty.\n");
       return;
     }
-  fprintf (stderr, "Total of %d state%s in cache:\n",
+  fprintf (stderr, "Total of %"pD"d state%s in cache:\n",
           bidi_cache_idx, bidi_cache_idx == 1 ? "" : "s");
 
   for (i = bidi_cache[bidi_cache_idx - 1].charpos; i > 0; i /= 10)

=== modified file 'src/buffer.c'
--- src/buffer.c        2011-07-13 04:09:28 +0000
+++ src/buffer.c        2011-07-14 06:41:47 +0000
@@ -152,7 +152,7 @@
 Lisp_Object Qinsert_in_front_hooks;
 Lisp_Object Qinsert_behind_hooks;
 
-static void alloc_buffer_text (struct buffer *, size_t);
+static void alloc_buffer_text (struct buffer *, ptrdiff_t);
 static void free_buffer_text (struct buffer *b);
 static struct Lisp_Overlay * copy_overlays (struct buffer *, struct 
Lisp_Overlay *);
 static void modify_overlay (struct buffer *, EMACS_INT, EMACS_INT);
@@ -4796,7 +4796,7 @@
 /* Allocate NBYTES bytes for buffer B's text buffer.  */
 
 static void
-alloc_buffer_text (struct buffer *b, size_t nbytes)
+alloc_buffer_text (struct buffer *b, ptrdiff_t nbytes)
 {
   POINTER_TYPE *p;
 
@@ -4826,8 +4826,8 @@
 enlarge_buffer_text (struct buffer *b, EMACS_INT delta)
 {
   POINTER_TYPE *p;
-  size_t nbytes = (BUF_Z_BYTE (b) - BUF_BEG_BYTE (b) + BUF_GAP_SIZE (b) + 1
-                  + delta);
+  ptrdiff_t nbytes = (BUF_Z_BYTE (b) - BUF_BEG_BYTE (b) + BUF_GAP_SIZE (b) + 1
+                     + delta);
   BLOCK_INPUT;
 #if defined USE_MMAP_FOR_BUFFERS
   p = mmap_realloc ((POINTER_TYPE **) &b->text->beg, nbytes);

=== modified file 'src/callint.c'
--- src/callint.c       2011-07-07 16:59:26 +0000
+++ src/callint.c       2011-07-09 07:06:04 +0000
@@ -339,7 +339,7 @@
     {
       Lisp_Object input;
       Lisp_Object funval = Findirect_function (function, Qt);
-      size_t events = num_input_events;
+      uintmax_t events = num_input_events;
       input = specs;
       /* Compute the arg values using the user's expression.  */
       GCPRO2 (input, filter_specs);

=== modified file 'src/dispnew.c'
--- src/dispnew.c       2011-07-10 08:20:10 +0000
+++ src/dispnew.c       2011-07-11 18:36:33 +0000
@@ -103,57 +103,24 @@
 
 /* Function prototypes.  */
 
-static struct glyph_matrix *save_current_matrix (struct frame *);
-static void restore_current_matrix (struct frame *, struct glyph_matrix *);
-static int showing_window_margins_p (struct window *);
-static void fake_current_matrices (Lisp_Object);
-static void redraw_overlapping_rows (struct window *, int);
-static void redraw_overlapped_rows (struct window *, int);
-static int count_blanks (struct glyph *, int);
-static int count_match (struct glyph *, struct glyph *,
-                        struct glyph *, struct glyph *);
-static unsigned line_draw_cost (struct glyph_matrix *, int);
 static void update_frame_line (struct frame *, int);
-static struct dim allocate_matrices_for_frame_redisplay
-     (Lisp_Object, int, int, int, int *);
 static int required_matrix_height (struct window *);
 static int required_matrix_width (struct window *);
-static void allocate_matrices_for_window_redisplay (struct window *);
-static int realloc_glyph_pool (struct glyph_pool *, struct dim);
 static void adjust_frame_glyphs (struct frame *);
-static struct glyph_matrix *new_glyph_matrix (struct glyph_pool *);
-static void free_glyph_matrix (struct glyph_matrix *);
-static void adjust_glyph_matrix (struct window *, struct glyph_matrix *,
-                                 int, int, struct dim);
 static void change_frame_size_1 (struct frame *, int, int, int, int, int);
 static void increment_row_positions (struct glyph_row *, EMACS_INT, EMACS_INT);
-static void swap_glyph_pointers (struct glyph_row *, struct glyph_row *);
-#if GLYPH_DEBUG
-static int glyph_row_slice_p (struct glyph_row *, struct glyph_row *);
-#endif
 static void fill_up_frame_row_with_spaces (struct glyph_row *, int);
 static void build_frame_matrix_from_window_tree (struct glyph_matrix *,
                                                  struct window *);
 static void build_frame_matrix_from_leaf_window (struct glyph_matrix *,
                                                  struct window *);
-static struct glyph_pool *new_glyph_pool (void);
-static void free_glyph_pool (struct glyph_pool *);
-static void adjust_frame_glyphs_initially (void);
 static void adjust_frame_message_buffer (struct frame *);
 static void adjust_decode_mode_spec_buffer (struct frame *);
 static void fill_up_glyph_row_with_spaces (struct glyph_row *);
-static void build_frame_matrix (struct frame *);
-void clear_current_matrices (struct frame *);
-void scroll_glyph_matrix_range (struct glyph_matrix *, int, int,
-                                int, int);
 static void clear_window_matrices (struct window *, int);
 static void fill_up_glyph_row_area_with_spaces (struct glyph_row *, int);
 static int scrolling_window (struct window *, int);
 static int update_window_line (struct window *, int, int *);
-static void update_marginal_area (struct window *, int, int);
-static int update_text_area (struct window *, int);
-static void make_current (struct glyph_matrix *, struct glyph_matrix *,
-                          int);
 static void mirror_make_current (struct window *, int);
 #if GLYPH_DEBUG
 static void check_matrix_pointers (struct glyph_matrix *,
@@ -286,7 +253,7 @@
 /* A tick that's incremented each time something is added to the
    history.  */
 
-static unsigned history_tick;
+static uprintmax_t history_tick;
 
 static void add_frame_display_history (struct frame *, int);
 
@@ -305,7 +272,7 @@
   buf = redisplay_history[history_idx].trace;
   ++history_idx;
 
-  sprintf (buf, "%d: window %p (`%s')%s\n",
+  sprintf (buf, "%"pMu": window %p (`%s')%s\n",
           history_tick++,
           w,
           ((BUFFERP (w->buffer)
@@ -331,7 +298,7 @@
   buf = redisplay_history[history_idx].trace;
   ++history_idx;
 
-  sprintf (buf, "%d: update frame %p%s",
+  sprintf (buf, "%"pMu": update frame %p%s",
           history_tick++,
           f, paused_p ? " ***paused***" : "");
 }
@@ -532,7 +499,7 @@
   /* Enlarge MATRIX->rows if necessary.  New rows are cleared.  */
   if (matrix->rows_allocated < dim.height)
     {
-      int size = dim.height * sizeof (struct glyph_row);
+      ptrdiff_t size = dim.height * sizeof (struct glyph_row);
       new_rows = dim.height - matrix->rows_allocated;
       matrix->rows = (struct glyph_row *) xrealloc (matrix->rows, size);
       memset (matrix->rows + matrix->rows_allocated, 0,
@@ -1198,7 +1165,7 @@
 {
   if (!row->enabled_p)
     {
-      unsigned rp = row->reversed_p;
+      int rp = row->reversed_p;
 
       clear_glyph_row (row);
       row->enabled_p = 1;
@@ -1242,7 +1209,7 @@
    the number of characters in the line.  If must_write_spaces is
    zero, leading and trailing spaces are ignored.  */
 
-static unsigned int
+static int
 line_draw_cost (struct glyph_matrix *matrix, int vpos)
 {
   struct glyph_row *row = matrix->rows + vpos;
@@ -1435,7 +1402,7 @@
   needed = matrix_dim.width * matrix_dim.height;
   if (needed > pool->nglyphs)
     {
-      int size = needed * sizeof (struct glyph);
+      ptrdiff_t size = needed * sizeof (struct glyph);
 
       if (pool->glyphs)
        {
@@ -2061,7 +2028,7 @@
     {
       struct glyph_row *from = f->current_matrix->rows + i;
       struct glyph_row *to = saved->rows + i;
-      size_t nbytes = from->used[TEXT_AREA] * sizeof (struct glyph);
+      ptrdiff_t nbytes = from->used[TEXT_AREA] * sizeof (struct glyph);
       to->glyphs[TEXT_AREA] = (struct glyph *) xmalloc (nbytes);
       memcpy (to->glyphs[TEXT_AREA], from->glyphs[TEXT_AREA], nbytes);
       to->used[TEXT_AREA] = from->used[TEXT_AREA];
@@ -2083,7 +2050,7 @@
     {
       struct glyph_row *from = saved->rows + i;
       struct glyph_row *to = f->current_matrix->rows + i;
-      size_t nbytes = from->used[TEXT_AREA] * sizeof (struct glyph);
+      ptrdiff_t nbytes = from->used[TEXT_AREA] * sizeof (struct glyph);
       memcpy (to->glyphs[TEXT_AREA], from->glyphs[TEXT_AREA], nbytes);
       to->used[TEXT_AREA] = from->used[TEXT_AREA];
       xfree (from->glyphs[TEXT_AREA]);
@@ -2271,7 +2238,7 @@
 static void
 adjust_frame_message_buffer (struct frame *f)
 {
-  int size = FRAME_MESSAGE_BUF_SIZE (f) + 1;
+  ptrdiff_t size = FRAME_MESSAGE_BUF_SIZE (f) + 1;
 
   if (FRAME_MESSAGE_BUF (f))
     {
@@ -4301,7 +4268,8 @@
   struct glyph_matrix *current_matrix = w->current_matrix;
   int yb = window_text_bottom_y (w);
   int i, j, first_old, first_new, last_old, last_new;
-  int nruns, nbytes, n, run_idx;
+  int nruns, n, run_idx;
+  ptrdiff_t nbytes;
   struct row_entry *entry;
   struct redisplay_interface *rif = FRAME_RIF (XFRAME (WINDOW_FRAME (w)));
 
@@ -6326,11 +6294,14 @@
     int width = FRAME_TOTAL_COLS (sf);
     int height = FRAME_LINES (sf);
 
-    unsigned int total_glyphs = height * (width + 2) * sizeof (struct glyph);
-
     /* If these sizes are so big they cause overflow, just ignore the
-       change.  It's not clear what better we could do.  */
-    if (total_glyphs / sizeof (struct glyph) / height != width + 2)
+       change.  It's not clear what better we could do.  The rest of
+       the code assumes that (width + 2) * height * sizeof (struct glyph)
+       does not overflow and does not exceed PTRDIFF_MAX or SIZE_MAX.  */
+    if (INT_ADD_RANGE_OVERFLOW (width, 2, INT_MIN, INT_MAX)
+       || INT_MULTIPLY_RANGE_OVERFLOW (width + 2, height, INT_MIN, INT_MAX)
+       || (min (PTRDIFF_MAX, SIZE_MAX) / sizeof (struct glyph)
+           < (width + 2) * height))
       fatal ("screen size %dx%d too big", width, height);
   }
 

=== modified file 'src/doprnt.c'
--- src/doprnt.c        2011-07-14 07:31:04 +0000
+++ src/doprnt.c        2011-07-14 07:50:51 +0000
@@ -129,8 +129,8 @@
    String arguments are passed as C strings.
    Integers are passed as C integers.  */
 
-size_t
-doprnt (char *buffer, register size_t bufsize, const char *format,
+ptrdiff_t
+doprnt (char *buffer, ptrdiff_t bufsize, const char *format,
        const char *format_end, va_list ap)
 {
   const char *fmt = format;    /* Pointer into format string */
@@ -140,7 +140,7 @@
   char tembuf[DBL_MAX_10_EXP + 100];
 
   /* Size of sprintf_buffer.  */
-  size_t size_allocated = sizeof (tembuf);
+  ptrdiff_t size_allocated = sizeof (tembuf);
 
   /* Buffer to use for sprintf.  Either tembuf or same as BIG_BUFFER.  */
   char *sprintf_buffer = tembuf;
@@ -159,7 +159,7 @@
   if (format_end == 0)
     format_end = format + strlen (format);
 
-  if ((format_end - format + 1) < sizeof (fixed_buffer))
+  if (format_end - format < sizeof (fixed_buffer) - 1)
     fmtcpy = fixed_buffer;
   else
     SAFE_ALLOCA (fmtcpy, char *, format_end - format + 1);
@@ -171,7 +171,7 @@
     {
       if (*fmt == '%') /* Check for a '%' character */
        {
-         size_t size_bound = 0;
+         ptrdiff_t size_bound = 0;
          EMACS_INT width;  /* Columns occupied by STRING on display.  */
          int long_flag = 0;
          int pIlen = sizeof pI - 1;
@@ -189,16 +189,16 @@
                     This might be a field width or a precision; e.g.
                     %1.1000f and %1000.1f both might need 1000+ bytes.
                     Parse the width or precision, checking for overflow.  */
-                 size_t n = *fmt - '0';
+                 ptrdiff_t n = *fmt - '0';
                  while (fmt + 1 < format_end
                         && '0' <= fmt[1] && fmt[1] <= '9')
                    {
-                     /* Avoid size_t overflow.  Avoid int overflow too, as
+                     /* Avoid ptrdiff_t, size_t, and int overflow, as
                         many sprintfs mishandle widths greater than INT_MAX.
                         This test is simple but slightly conservative: e.g.,
                         (INT_MAX - INT_MAX % 10) is reported as an overflow
                         even when it's not.  */
-                     if (n >= min (INT_MAX, SIZE_MAX) / 10)
+                     if (n >= min (INT_MAX, min (PTRDIFF_MAX, SIZE_MAX)) / 10)
                        error ("Format width or precision too large");
                      n = n * 10 + fmt[1] - '0';
                      *string++ = *++fmt;
@@ -230,7 +230,7 @@
 
          /* Make the size bound large enough to handle floating point formats
             with large numbers.  */
-         if (size_bound > SIZE_MAX - DBL_MAX_10_EXP - 50)
+         if (size_bound > min (PTRDIFF_MAX, SIZE_MAX) - DBL_MAX_10_EXP - 50)
            error ("Format width or precision too large");
          size_bound += DBL_MAX_10_EXP + 50;
 

=== modified file 'src/editfns.c'
--- src/editfns.c       2011-07-13 23:48:35 +0000
+++ src/editfns.c       2011-07-14 06:41:47 +0000
@@ -3510,22 +3510,6 @@
   RETURN_UNGCPRO (string);
 }
 
-/* pWIDE is a conversion for printing large decimal integers (possibly with a
-   trailing "d" that is ignored).  pWIDElen is its length.  signed_wide and
-   unsigned_wide are signed and unsigned types for printing them.  Use widest
-   integers if available so that more floating point values can be converted.  
*/
-#ifdef PRIdMAX
-# define pWIDE PRIdMAX
-enum { pWIDElen = sizeof PRIdMAX - 2 }; /* Don't count trailing "d".  */
-typedef intmax_t signed_wide;
-typedef uintmax_t unsigned_wide;
-#else
-# define pWIDE pI
-enum { pWIDElen = sizeof pI - 1 };
-typedef EMACS_INT signed_wide;
-typedef EMACS_UINT unsigned_wide;
-#endif
-
 DEFUN ("format", Fformat, Sformat, 1, MANY, 0,
        doc: /* Format a string out of a format-string and arguments.
 The first argument is a format control string.
@@ -3907,7 +3891,11 @@
                   precision is no more than DBL_USEFUL_PRECISION_MAX.
                   On all practical hosts, %f is the worst case.  */
                SPRINTF_BUFSIZE =
-                 sizeof "-." + (DBL_MAX_10_EXP + 1) + USEFUL_PRECISION_MAX
+                 sizeof "-." + (DBL_MAX_10_EXP + 1) + USEFUL_PRECISION_MAX,
+
+               /* Length of pM (that is, of pMd without the
+                  trailing "d").  */
+               pMlen = sizeof pMd - 2
              };
              verify (0 < USEFUL_PRECISION_MAX);
 
@@ -3920,7 +3908,7 @@
 
              /* Copy of conversion specification, modified somewhat.
                 At most three flags F can be specified at once.  */
-             char convspec[sizeof "%FFF.*d" + pWIDElen];
+             char convspec[sizeof "%FFF.*d" + pMlen];
 
              /* Avoid undefined behavior in underlying sprintf.  */
              if (conversion == 'd' || conversion == 'i')
@@ -3928,7 +3916,7 @@
 
              /* Create the copy of the conversion specification, with
                 any width and precision removed, with ".*" inserted,
-                and with pWIDE inserted for integer formats.  */
+                and with pM inserted for integer formats.  */
              {
                char *f = convspec;
                *f++ = '%';
@@ -3943,8 +3931,8 @@
                    || conversion == 'o' || conversion == 'x'
                    || conversion == 'X')
                  {
-                   memcpy (f, pWIDE, pWIDElen);
-                   f += pWIDElen;
+                   memcpy (f, pMd, pMlen);
+                   f += pMlen;
                    zero_flag &= ~ precision_given;
                  }
                *f++ = conversion;
@@ -3984,7 +3972,7 @@
                  /* For float, maybe we should use "%1.0f"
                     instead so it also works for values outside
                     the integer range.  */
-                 signed_wide x;
+                 printmax_t x;
                  if (INTEGERP (args[n]))
                    x = XINT (args[n]);
                  else
@@ -3992,13 +3980,13 @@
                      double d = XFLOAT_DATA (args[n]);
                      if (d < 0)
                        {
-                         x = TYPE_MINIMUM (signed_wide);
+                         x = TYPE_MINIMUM (printmax_t);
                          if (x < d)
                            x = d;
                        }
                      else
                        {
-                         x = TYPE_MAXIMUM (signed_wide);
+                         x = TYPE_MAXIMUM (printmax_t);
                          if (d < x)
                            x = d;
                        }
@@ -4008,7 +3996,7 @@
              else
                {
                  /* Don't sign-extend for octal or hex printing.  */
-                 unsigned_wide x;
+                 uprintmax_t x;
                  if (INTEGERP (args[n]))
                    x = XUINT (args[n]);
                  else
@@ -4018,7 +4006,7 @@
                        x = 0;
                      else
                        {
-                         x = TYPE_MAXIMUM (unsigned_wide);
+                         x = TYPE_MAXIMUM (uprintmax_t);
                          if (d < x)
                            x = d;
                        }

=== modified file 'src/emacs.c'
--- src/emacs.c 2011-07-10 08:20:10 +0000
+++ src/emacs.c 2011-07-11 06:05:57 +0000
@@ -170,8 +170,10 @@
 /* The address where the heap starts (from the first sbrk (0) call).  */
 static void *my_heap_start;
 
+#ifdef GNU_LINUX
 /* The gap between BSS end and heap start as far as we can tell.  */
-static unsigned long heap_bss_diff;
+static uprintmax_t heap_bss_diff;
+#endif
 
 /* Nonzero means running Emacs without interactive terminal.  */
 int noninteractive;
@@ -716,6 +718,7 @@
   setenv ("G_SLICE", "always-malloc", 1);
 #endif
 
+#ifdef GNU_LINUX
   if (!initialized)
     {
       extern char my_endbss[];
@@ -726,6 +729,7 @@
 
       heap_bss_diff = (char *)my_heap_start - max (my_endbss, 
my_endbss_static);
     }
+#endif
 
 #ifdef RUN_TIME_REMAP
   if (initialized)
@@ -2134,7 +2138,7 @@
     {
       fprintf (stderr, "**************************************************\n");
       fprintf (stderr, "Warning: Your system has a gap between BSS and the\n");
-      fprintf (stderr, "heap (%lu bytes).  This usually means that 
exec-shield\n",
+      fprintf (stderr, "heap (%"pMu" bytes).  This usually means that 
exec-shield\n",
                heap_bss_diff);
       fprintf (stderr, "or something similar is in effect.  The dump may\n");
       fprintf (stderr, "fail because of this.  See the section about\n");

=== modified file 'src/eval.c'
--- src/eval.c  2011-07-05 09:51:56 +0000
+++ src/eval.c  2011-07-07 02:14:52 +0000
@@ -1968,18 +1968,18 @@
 verror (const char *m, va_list ap)
 {
   char buf[4000];
-  size_t size = sizeof buf;
-  size_t size_max = STRING_BYTES_BOUND + 1;
-  size_t mlen = strlen (m);
+  ptrdiff_t size = sizeof buf;
+  ptrdiff_t size_max = STRING_BYTES_BOUND + 1;
+  char const *m_end = m + strlen (m);
   char *buffer = buf;
-  size_t used;
+  ptrdiff_t used;
   Lisp_Object string;
 
   while (1)
     {
       va_list ap_copy;
       va_copy (ap_copy, ap);
-      used = doprnt (buffer, size, m, m + mlen, ap_copy);
+      used = doprnt (buffer, size, m, m_end, ap_copy);
       va_end (ap_copy);
 
       /* Note: the -1 below is because `doprnt' returns the number of bytes

=== modified file 'src/fileio.c'
--- src/fileio.c        2011-07-04 17:50:12 +0000
+++ src/fileio.c        2011-07-07 21:52:44 +0000
@@ -587,9 +587,9 @@
 {
   Lisp_Object val;
   int len, clen;
-  intmax_t pid;
+  printmax_t pid;
   char *p, *data;
-  char pidbuf[INT_BUFSIZE_BOUND (pid_t)];
+  char pidbuf[INT_BUFSIZE_BOUND (printmax_t)];
   int pidlen;
 
   CHECK_STRING (prefix);
@@ -611,7 +611,7 @@
   else
     {
 #ifdef HAVE_LONG_FILE_NAMES
-      pidlen = sprintf (pidbuf, "%"PRIdMAX, pid);
+      pidlen = sprintf (pidbuf, "%"pMd, pid);
 #else
       pidbuf[0] = make_temp_name_tbl[pid & 63], pid >>= 6;
       pidbuf[1] = make_temp_name_tbl[pid & 63], pid >>= 6;

=== modified file 'src/filelock.c'
--- src/filelock.c      2011-06-20 03:11:40 +0000
+++ src/filelock.c      2011-07-07 21:52:44 +0000
@@ -337,7 +337,7 @@
 lock_file_1 (char *lfname, int force)
 {
   register int err;
-  intmax_t boot, pid;
+  printmax_t boot, pid;
   const char *user_name;
   const char *host_name;
   char *lock_info_str;
@@ -354,15 +354,15 @@
   else
     host_name = "";
   lock_info_str = (char *)alloca (strlen (user_name) + strlen (host_name)
-                                 + 2 * INT_STRLEN_BOUND (intmax_t)
+                                 + 2 * INT_STRLEN_BOUND (printmax_t)
                                  + sizeof "@.:");
   pid = getpid ();
 
   if (boot)
-    sprintf (lock_info_str, "address@hidden"PRIdMAX":%"PRIdMAX,
+    sprintf (lock_info_str, "address@hidden"pMd":%"pMd,
             user_name, host_name, pid, boot);
   else
-    sprintf (lock_info_str, "address@hidden"PRIdMAX,
+    sprintf (lock_info_str, "address@hidden"pMd,
             user_name, host_name, pid);
 
   err = symlink (lock_info_str, lfname);
@@ -542,7 +542,7 @@
   register Lisp_Object attack, orig_fn, encoded_fn;
   register char *lfname, *locker;
   lock_info_type lock_info;
-  intmax_t pid;
+  printmax_t pid;
   struct gcpro gcpro1;
 
   /* Don't do locking while dumping Emacs.
@@ -581,9 +581,10 @@
 
   /* Else consider breaking the lock */
   locker = (char *) alloca (strlen (lock_info.user) + strlen (lock_info.host)
-                           + INT_STRLEN_BOUND (intmax_t) + sizeof "@ (pid )");
+                           + INT_STRLEN_BOUND (printmax_t)
+                           + sizeof "@ (pid )");
   pid = lock_info.pid;
-  sprintf (locker, "address@hidden (pid %"PRIdMAX")",
+  sprintf (locker, "address@hidden (pid %"pMd")",
           lock_info.user, lock_info.host, pid);
   FREE_LOCK_INFO (lock_info);
 

=== modified file 'src/fns.c'
--- src/fns.c   2011-07-05 02:51:15 +0000
+++ src/fns.c   2011-07-08 00:51:25 +0000
@@ -4098,25 +4098,33 @@
 #define SXHASH_REDUCE(X) \
   ((((X) ^ (X) >> (BITS_PER_EMACS_INT - FIXNUM_BITS))) & INTMASK)
 
-/* Return a hash for string PTR which has length LEN.  The hash
-   code returned is guaranteed to fit in a Lisp integer.  */
+/* Return a hash for string PTR which has length LEN.  The hash value
+   can be any EMACS_UINT value.  */
 
-static EMACS_UINT
-sxhash_string (unsigned char *ptr, EMACS_INT len)
+EMACS_UINT
+hash_string (char const *ptr, ptrdiff_t len)
 {
-  unsigned char *p = ptr;
-  unsigned char *end = p + len;
+  char const *p = ptr;
+  char const *end = p + len;
   unsigned char c;
   EMACS_UINT hash = 0;
 
   while (p != end)
     {
       c = *p++;
-      if (c >= 0140)
-       c -= 40;
       hash = SXHASH_COMBINE (hash, c);
     }
 
+  return hash;
+}
+
+/* Return a hash for string PTR which has length LEN.  The hash
+   code returned is guaranteed to fit in a Lisp integer.  */
+
+static EMACS_UINT
+sxhash_string (char const *ptr, ptrdiff_t len)
+{
+  EMACS_UINT hash = hash_string (ptr, len);
   return SXHASH_REDUCE (hash);
 }
 
@@ -4231,7 +4239,7 @@
       /* Fall through.  */
 
     case Lisp_String:
-      hash = sxhash_string (SDATA (obj), SCHARS (obj));
+      hash = sxhash_string (SSDATA (obj), SBYTES (obj));
       break;
 
       /* This can be everything from a vector to an overlay.  */

=== modified file 'src/gtkutil.c'
--- src/gtkutil.c       2011-07-10 04:54:04 +0000
+++ src/gtkutil.c       2011-07-13 15:42:12 +0000
@@ -269,8 +269,8 @@
                                       GDK_COLORSPACE_RGB,
                                       FALSE,
                                       xim->bitmap_unit,
-                                      (int) width,
-                                      (int) height,
+                                      width,
+                                      height,
                                       xim->bytes_per_line,
                                       NULL,
                                       NULL);
@@ -3646,7 +3646,7 @@
              gtk_adjustment_set_page_size (adj, size);
              gtk_adjustment_set_step_increment (adj, new_step);
              /* Assume a page increment is about 95% of the page size  */
-             gtk_adjustment_set_page_increment (adj,(int) (0.95*size));
+             gtk_adjustment_set_page_increment (adj, size - size / 20);
              changed = 1;
            }
        }

=== modified file 'src/image.c'
--- src/image.c 2011-07-10 08:20:10 +0000
+++ src/image.c 2011-07-14 06:20:53 +0000
@@ -136,7 +136,6 @@
 #ifdef COLOR_TABLE_SUPPORT
 static void free_color_table (void);
 static unsigned long *colors_in_color_table (int *n);
-static unsigned long lookup_pixel_color (struct frame *f, unsigned long p);
 #endif
 static Lisp_Object Finit_image_library (Lisp_Object, Lisp_Object);
 
@@ -987,7 +986,6 @@
  ***********************************************************************/
 
 static void free_image (struct frame *f, struct image *img);
-static int check_image_size (struct frame *f, int width, int height);
 
 #define MAX_IMAGE_SIZE 6.0
 /* Allocate and return a new image structure for image specification
@@ -1042,7 +1040,7 @@
 /* Return 1 if the given widths and heights are valid for display;
    otherwise, return 0. */
 
-int
+static int
 check_image_size (struct frame *f, int width, int height)
 {
   int w, h;
@@ -1051,23 +1049,18 @@
     return 0;
 
   if (INTEGERP (Vmax_image_size))
-    w = h = XINT (Vmax_image_size);
+    return (width <= XINT (Vmax_image_size)
+           && height <= XINT (Vmax_image_size));
   else if (FLOATP (Vmax_image_size))
     {
-      if (f != NULL)
-       {
-         w = FRAME_PIXEL_WIDTH (f);
-         h = FRAME_PIXEL_HEIGHT (f);
-       }
-      else
-       w = h = 1024;  /* Arbitrary size for unknown frame. */
-      w = (int) (XFLOAT_DATA (Vmax_image_size) * w);
-      h = (int) (XFLOAT_DATA (Vmax_image_size) * h);
+      xassert (f);
+      w = FRAME_PIXEL_WIDTH (f);
+      h = FRAME_PIXEL_HEIGHT (f);
+      return (width <= XFLOAT_DATA (Vmax_image_size) * w
+             && height <= XFLOAT_DATA (Vmax_image_size) * h);
     }
   else
     return 1;
-
-  return (width <= w && height <= h);
 }
 
 /* Prepare image IMG for display on frame F.  Must be called before
@@ -1368,7 +1361,9 @@
 
   xassert (STRINGP (color_name));
 
-  if (x_defined_color (f, SSDATA (color_name), &color, 1))
+  if (x_defined_color (f, SSDATA (color_name), &color, 1)
+      && img->ncolors < min (min (PTRDIFF_MAX, SIZE_MAX) / sizeof *img->colors,
+                            INT_MAX))
     {
       /* This isn't called frequently so we get away with simply
         reallocating the color vector to the needed size, here.  */
@@ -1911,6 +1906,38 @@
 static void x_destroy_x_image (XImagePtr);
 static void x_put_x_image (struct frame *, XImagePtr, Pixmap, int, int);
 
+/* Return nonzero if XIMG's size WIDTH x HEIGHT doesn't break X.
+   WIDTH and HEIGHT must both be positive.
+   If XIMG is null, assume it is a bitmap.  */
+static int
+x_check_image_size (XImagePtr ximg, int width, int height)
+{
+  /* Respect Xlib's limits: it cannot deal with images that have more
+     than INT_MAX (and/or UINT_MAX) bytes.  And respect Emacs's limits
+     of PTRDIFF_MAX (and/or SIZE_MAX) bytes for any object.  For now,
+     assume all windowing systems have the same limits that X does.  */
+  enum
+  {
+    XLIB_BYTES_MAX = min (INT_MAX, UINT_MAX),
+    X_IMAGE_BYTES_MAX = min (XLIB_BYTES_MAX, min (PTRDIFF_MAX, SIZE_MAX))
+  };
+
+  int bitmap_pad, depth, bytes_per_line;
+  if (ximg)
+    {
+      bitmap_pad = ximg->bitmap_pad;
+      depth = ximg->depth;
+      bytes_per_line = ximg->bytes_per_line;
+    }
+  else
+    {
+      bitmap_pad = 8;
+      depth = 1;
+      bytes_per_line = (width >> 3) + ((width & 7) != 0);
+    }
+  return (width <= (INT_MAX - (bitmap_pad - 1)) / depth
+         && height <= X_IMAGE_BYTES_MAX / bytes_per_line);
+}
 
 /* Create an XImage and a pixmap of size WIDTH x HEIGHT for use on
    frame F.  Set *XIMG and *PIXMAP to the XImage and Pixmap created.
@@ -1943,6 +1970,15 @@
       return 0;
     }
 
+  if (! x_check_image_size (*ximg, width, height))
+    {
+      x_destroy_x_image (*ximg);
+      *ximg = NULL;
+      image_error ("Image too large (%dx%d)",
+                  make_number (width), make_number (height));
+      return 0;
+    }
+
   /* Allocate image raster.  */
   (*ximg)->data = (char *) xmalloc ((*ximg)->bytes_per_line * height);
 
@@ -1989,11 +2025,6 @@
     palette_colors = 1 << depth - 1;
 
   *ximg = xmalloc (sizeof (XImage) + palette_colors * sizeof (RGBQUAD));
-  if (*ximg == NULL)
-    {
-      image_error ("Unable to allocate memory for XImage", Qnil, Qnil);
-      return 0;
-    }
 
   header = &(*ximg)->info.bmiHeader;
   memset (&(*ximg)->info, 0, sizeof (BITMAPINFO));
@@ -2365,7 +2396,7 @@
        }
       else if (BOOL_VECTOR_P (data))
        {
-         if (XBOOL_VECTOR (data)->size < width * height)
+         if (XBOOL_VECTOR (data)->size / height < width)
            return 0;
        }
       else
@@ -2561,13 +2592,15 @@
   img->pixmap = ns_image_from_XBM (data, img->width, img->height);
 
 #else
-  img->pixmap
-    = XCreatePixmapFromBitmapData (FRAME_X_DISPLAY (f),
+  img->pixmap =
+   (x_check_image_size (0, img->width, img->height)
+    ? XCreatePixmapFromBitmapData (FRAME_X_DISPLAY (f),
                                   FRAME_X_WINDOW (f),
                                   data,
                                   img->width, img->height,
                                   fg, bg,
-                                  DefaultDepthOfScreen (FRAME_X_SCREEN (f)));
+                                  DefaultDepthOfScreen (FRAME_X_SCREEN (f)))
+    : NO_PIXMAP);
 #endif /* !HAVE_NTGUI && !HAVE_NS */
 }
 
@@ -2674,6 +2707,13 @@
   expect ('=');
   expect ('{');
 
+  if (! x_check_image_size (0, *width, *height))
+    {
+      if (!inhibit_image_error)
+       image_error ("Image too large (%dx%d)",
+                    make_number (*width), make_number (*height));
+      goto failure;
+    }
   bytes_per_line = (*width + 7) / 8 + padding_p;
   nbytes = bytes_per_line * *height;
   p = *data = (char *) xmalloc (nbytes);
@@ -2864,6 +2904,12 @@
          img->width = XFASTINT (fmt[XBM_WIDTH].value);
          img->height = XFASTINT (fmt[XBM_HEIGHT].value);
          xassert (img->width > 0 && img->height > 0);
+         if (!check_image_size (f, img->width, img->height))
+           {
+             image_error ("Invalid image size (see `max-image-size')",
+                          Qnil, Qnil);
+             return 0;
+           }
        }
 
       /* Get foreground and background colors, maybe allocate colors.  */
@@ -2925,9 +2971,13 @@
 #endif
          /* Create the pixmap.  */
 
-         Create_Pixmap_From_Bitmap_Data (f, img, bits,
-                                         foreground, background,
-                                         non_default_colors);
+         if (x_check_image_size (0, img->width, img->height))
+           Create_Pixmap_From_Bitmap_Data (f, img, bits,
+                                           foreground, background,
+                                           non_default_colors);
+         else
+           img->pixmap = NO_PIXMAP;
+
          if (img->pixmap)
            success_p = 1;
          else
@@ -3125,12 +3175,8 @@
 static int
 xpm_color_bucket (char *color_name)
 {
-  unsigned h = 0;
-  char *s;
-
-  for (s = color_name; *s; ++s)
-    h = (h << 2) ^ *s;
-  return h %= XPM_COLOR_CACHE_BUCKETS;
+  EMACS_UINT hash = hash_string (color_name, strlen (color_name));
+  return hash % XPM_COLOR_CACHE_BUCKETS;
 }
 
 
@@ -3147,7 +3193,7 @@
   if (bucket < 0)
     bucket = xpm_color_bucket (color_name);
 
-  nbytes = sizeof *p + strlen (color_name);
+  nbytes = offsetof (struct xpm_cached_color, name) + strlen (color_name) + 1;
   p = (struct xpm_cached_color *) xmalloc (nbytes);
   strcpy (p->name, color_name);
   p->color = *color;
@@ -3849,6 +3895,18 @@
       goto failure;
     }
 
+  if (!x_create_x_image_and_pixmap (f, width, height, 0,
+                                   &ximg, &img->pixmap)
+#ifndef HAVE_NS
+      || !x_create_x_image_and_pixmap (f, width, height, 1,
+                                      &mask_img, &img->mask)
+#endif
+      )
+    {
+      image_error ("Image too large", Qnil, Qnil);
+      goto failure;
+    }
+
   expect (',');
 
   XSETFRAME (frame, f);
@@ -3942,18 +4000,6 @@
       expect (',');
     }
 
-  if (!x_create_x_image_and_pixmap (f, width, height, 0,
-                                   &ximg, &img->pixmap)
-#ifndef HAVE_NS
-      || !x_create_x_image_and_pixmap (f, width, height, 1,
-                                      &mask_img, &img->mask)
-#endif
-      )
-    {
-      image_error ("Out of memory (%s)", img->spec, Qnil);
-      goto error;
-    }
-
   for (y = 0; y < height; y++)
     {
       expect (XPM_TK_STRING);
@@ -5518,8 +5564,8 @@
 struct png_memory_storage
 {
   unsigned char *bytes;                /* The data       */
-  size_t len;                  /* How big is it? */
-  int index;                   /* Where are we?  */
+  ptrdiff_t len;               /* How big is it? */
+  ptrdiff_t index;             /* Where are we?  */
 };
 
 
@@ -5563,7 +5609,8 @@
 {
   Lisp_Object file, specified_file;
   Lisp_Object specified_data;
-  int x, y, i;
+  int x, y;
+  ptrdiff_t i;
   XImagePtr ximg, mask_img = NULL;
   png_struct *png_ptr = NULL;
   png_info *info_ptr = NULL, *end_info = NULL;
@@ -5683,11 +5730,19 @@
   fn_png_get_IHDR (png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
                   &interlace_type, NULL, NULL);
 
-  if (!check_image_size (f, width, height))
+  if (! (width <= INT_MAX && height <= INT_MAX
+        && check_image_size (f, width, height)))
     {
       image_error ("Invalid image size (see `max-image-size')", Qnil, Qnil);
       goto error;
     }
+
+  /* Create the X image and pixmap now, so that the work below can be
+     omitted if the image is too large for X.  */
+  if (!x_create_x_image_and_pixmap (f, width, height, 0, &ximg,
+                                   &img->pixmap))
+    goto error;
+
   /* If image contains simply transparency data, we prefer to
      construct a clipping mask.  */
   if (fn_png_get_valid (png_ptr, info_ptr, PNG_INFO_tRNS))
@@ -5776,7 +5831,10 @@
   row_bytes = fn_png_get_rowbytes (png_ptr, info_ptr);
 
   /* Allocate memory for the image.  */
-  pixels = (png_byte *) xmalloc (row_bytes * height * sizeof *pixels);
+  if (min (PTRDIFF_MAX, SIZE_MAX) / sizeof *rows < height
+      || min (PTRDIFF_MAX, SIZE_MAX) / sizeof *pixels / height < row_bytes)
+    memory_full (SIZE_MAX);
+  pixels = (png_byte *) xmalloc (sizeof *pixels * row_bytes * height);
   rows = (png_byte **) xmalloc (height * sizeof *rows);
   for (i = 0; i < height; ++i)
     rows[i] = pixels + i * row_bytes;
@@ -5790,11 +5848,6 @@
       fp = NULL;
     }
 
-  /* Create the X image and pixmap.  */
-  if (!x_create_x_image_and_pixmap (f, width, height, 0, &ximg,
-                                   &img->pixmap))
-    goto error;
-
   /* Create an image and pixmap serving as mask if the PNG image
      contains an alpha channel.  */
   if (channels == 4
@@ -6192,7 +6245,7 @@
   src = (struct jpeg_stdio_mgr *) cinfo->src;
   if (!src->finished)
     {
-      size_t bytes;
+      ptrdiff_t bytes;
 
       bytes = fread (src->buffer, 1, JPEG_STDIO_BUFFER_SIZE, src->file);
       if (bytes > 0)
@@ -6602,34 +6655,33 @@
 typedef struct
 {
   unsigned char *bytes;
-  size_t len;
-  int index;
+  ptrdiff_t len;
+  ptrdiff_t index;
 }
 tiff_memory_source;
 
-static size_t
+static tsize_t
 tiff_read_from_memory (thandle_t data, tdata_t buf, tsize_t size)
 {
   tiff_memory_source *src = (tiff_memory_source *) data;
 
-  if (size > src->len - src->index)
-    return (size_t) -1;
+  size = min (size, src->len - src->index);
   memcpy (buf, src->bytes + src->index, size);
   src->index += size;
   return size;
 }
 
-static size_t
+static tsize_t
 tiff_write_from_memory (thandle_t data, tdata_t buf, tsize_t size)
 {
-  return (size_t) -1;
+  return -1;
 }
 
 static toff_t
 tiff_seek_in_memory (thandle_t data, toff_t off, int whence)
 {
   tiff_memory_source *src = (tiff_memory_source *) data;
-  int idx;
+  ptrdiff_t idx;
 
   switch (whence)
     {
@@ -6765,8 +6817,8 @@
       memsrc.index = 0;
 
       tiff = fn_TIFFClientOpen ("memory_source", "r", (thandle_t)&memsrc,
-                               (TIFFReadWriteProc) tiff_read_from_memory,
-                               (TIFFReadWriteProc) tiff_write_from_memory,
+                               tiff_read_from_memory,
+                               tiff_write_from_memory,
                                tiff_seek_in_memory,
                                tiff_close_memory,
                                tiff_size_of_memory,
@@ -6805,7 +6857,16 @@
       return 0;
     }
 
-  buf = (uint32 *) xmalloc (width * height * sizeof *buf);
+  /* Create the X image and pixmap.  */
+  if (! (height <= min (PTRDIFF_MAX, SIZE_MAX) / sizeof *buf / width
+        && x_create_x_image_and_pixmap (f, width, height, 0,
+                                        &ximg, &img->pixmap)))
+    {
+      fn_TIFFClose (tiff);
+      return 0;
+    }
+
+  buf = (uint32 *) xmalloc (sizeof *buf * width * height);
 
   rc = fn_TIFFReadRGBAImage (tiff, width, height, buf, 0);
 
@@ -6826,13 +6887,6 @@
       return 0;
     }
 
-  /* Create the X image and pixmap.  */
-  if (!x_create_x_image_and_pixmap (f, width, height, 0, &ximg, &img->pixmap))
-    {
-      xfree (buf);
-      return 0;
-    }
-
   /* Initialize the color table.  */
   init_color_table ();
 
@@ -7034,8 +7088,8 @@
 typedef struct
 {
   unsigned char *bytes;
-  size_t len;
-  int index;
+  ptrdiff_t len;
+  ptrdiff_t index;
 }
 gif_memory_source;
 
@@ -7668,7 +7722,8 @@
   height = MagickGetImageHeight (image_wand);
   width = MagickGetImageWidth (image_wand);
 
-  if (! check_image_size (f, width, height))
+  if (! (width <= INT_MAX && height <= INT_MAX
+        && check_image_size (f, width, height)))
     {
       image_error ("Invalid image size (see `max-image-size')", Qnil, Qnil);
       goto imagemagick_error;
@@ -7872,7 +7927,7 @@
   size_t numf = 0;
   ExceptionInfo ex;
   char **imtypes = GetMagickList ("*", &numf, &ex);
-  int i;
+  size_t i;
   Lisp_Object Qimagemagicktype;
   for (i = 0; i < numf; i++)
     {
@@ -8426,12 +8481,15 @@
   /* Create the pixmap.  */
   xassert (img->pixmap == NO_PIXMAP);
 
-  /* Only W32 version did BLOCK_INPUT here.  ++kfs */
-  BLOCK_INPUT;
-  img->pixmap = XCreatePixmap (FRAME_X_DISPLAY (f), FRAME_X_WINDOW (f),
-                              img->width, img->height,
-                              DefaultDepthOfScreen (FRAME_X_SCREEN (f)));
-  UNBLOCK_INPUT;
+  if (x_check_image_size (0, img->width, img->height))
+    {
+      /* Only W32 version did BLOCK_INPUT here.  ++kfs */
+      BLOCK_INPUT;
+      img->pixmap = XCreatePixmap (FRAME_X_DISPLAY (f), FRAME_X_WINDOW (f),
+                                  img->width, img->height,
+                                  DefaultDepthOfScreen (FRAME_X_SCREEN (f)));
+      UNBLOCK_INPUT;
+    }
 
   if (!img->pixmap)
     {

=== modified file 'src/keyboard.c'
--- src/keyboard.c      2011-07-02 23:40:04 +0000
+++ src/keyboard.c      2011-07-07 17:55:38 +0000
@@ -210,8 +210,8 @@
 /* Last size recorded for a current buffer which is not a minibuffer.  */
 static EMACS_INT last_non_minibuf_size;
 
-/* Total number of times read_char has returned, modulo SIZE_MAX + 1.  */
-size_t num_input_events;
+/* Total number of times read_char has returned, modulo UINTMAX_MAX + 1.  */
+uintmax_t num_input_events;
 
 /* Value of num_nonmacro_input_events as of last auto save.  */
 

=== modified file 'src/keyboard.h'
--- src/keyboard.h      2011-06-23 06:31:41 +0000
+++ src/keyboard.h      2011-07-07 17:55:38 +0000
@@ -191,8 +191,8 @@
 /* A list of all kboard objects, linked through next_kboard.  */
 extern KBOARD *all_kboards;
 
-/* Total number of times read_char has returned, modulo SIZE_MAX + 1.  */
-extern size_t num_input_events;
+/* Total number of times read_char has returned, modulo UINTMAX_MAX + 1.  */
+extern uintmax_t num_input_events;
 
 /* Nonzero means polling for input is temporarily suppressed.  */
 extern int poll_suppress_count;

=== modified file 'src/lisp.h'
--- src/lisp.h  2011-07-14 07:27:40 +0000
+++ src/lisp.h  2011-07-14 07:50:51 +0000
@@ -61,6 +61,23 @@
 # define EMACS_UINT unsigned EMACS_INT
 #endif
 
+/* printmax_t and uprintmax_t are types for printing large integers.
+   These are the widest integers that are supported for printing.
+   pMd etc. are conversions for printing them.
+   On C99 hosts, there's no problem, as even the widest integers work.
+   Fall back on EMACS_INT on pre-C99 hosts.  */
+#ifdef PRIdMAX
+typedef intmax_t printmax_t;
+typedef uintmax_t uprintmax_t;
+# define pMd PRIdMAX
+# define pMu PRIuMAX
+#else
+typedef EMACS_INT printmax_t;
+typedef EMACS_UINT uprintmax_t;
+# define pMd pI"d"
+# define pMu pI"u"
+#endif
+
 /* Use pD to format ptrdiff_t values, which suffice for indexes into
    buffers and strings.  Emacs never allocates objects larger than
    PTRDIFF_MAX bytes, as they cause problems with pointer subtraction.
@@ -833,7 +850,7 @@
    <http://debbugs.gnu.org/cgi/bugreport.cgi?bug=8546>.  */
 struct vectorlike_header
   {
-    EMACS_UINT size;
+    EMACS_INT size;
 
     /* Pointer to the next vector-like object.  It is generally a buffer or a
        Lisp_Vector alias, so for convenience it is a union instead of a
@@ -1028,7 +1045,7 @@
 
 struct Lisp_Subr
   {
-    EMACS_UINT size;
+    EMACS_INT size;
     union {
       Lisp_Object (*a0) (void);
       Lisp_Object (*a1) (Lisp_Object);
@@ -2540,6 +2557,7 @@
 extern Lisp_Object Qcursor_in_echo_area;
 extern Lisp_Object Qstring_lessp;
 extern Lisp_Object QCsize, QCtest, QCweakness, Qequal, Qeq, Qeql;
+EMACS_UINT hash_string (char const *, ptrdiff_t);
 EMACS_UINT sxhash (Lisp_Object, int);
 Lisp_Object make_hash_table (Lisp_Object, Lisp_Object, Lisp_Object,
                              Lisp_Object, Lisp_Object, Lisp_Object,
@@ -2868,7 +2886,8 @@
 extern void syms_of_print (void);
 
 /* Defined in doprnt.c */
-extern size_t doprnt (char *, size_t, const char *, const char *, va_list);
+extern ptrdiff_t doprnt (char *, ptrdiff_t, const char *, const char *,
+                        va_list);
 
 /* Defined in lread.c.  */
 extern Lisp_Object Qvariable_documentation, Qstandard_input;

=== modified file 'src/lread.c'
--- src/lread.c 2011-07-10 08:20:10 +0000
+++ src/lread.c 2011-07-11 06:05:57 +0000
@@ -3647,8 +3647,6 @@
 
 static size_t oblookup_last_bucket_number;
 
-static size_t hash_string (const char *ptr, size_t len);
-
 /* Get an error if OBARRAY is not an obarray.
    If it is one, return it.  */
 
@@ -3891,23 +3889,6 @@
   XSETINT (tem, hash);
   return tem;
 }
-
-static size_t
-hash_string (const char *ptr, size_t len)
-{
-  register const char *p = ptr;
-  register const char *end = p + len;
-  register unsigned char c;
-  register size_t hash = 0;
-
-  while (p != end)
-    {
-      c = *p++;
-      if (c >= 0140) c -= 40;
-      hash = (hash << 3) + (hash >> (CHAR_BIT * sizeof hash - 4)) + c;
-    }
-  return hash;
-}
 
 void
 map_obarray (Lisp_Object obarray, void (*fn) (Lisp_Object, Lisp_Object), 
Lisp_Object arg)

=== modified file 'src/xdisp.c'
--- src/xdisp.c 2011-07-12 03:04:06 +0000
+++ src/xdisp.c 2011-07-12 17:38:05 +0000
@@ -8067,7 +8067,7 @@
       if (nlflag)
        {
          EMACS_INT this_bol, this_bol_byte, prev_bol, prev_bol_byte;
-         intmax_t dups;
+         printmax_t dups;
          insert_1 ("\n", 1, 1, 0, 0);
 
          scan_newline (Z, Z_BYTE, BEG, BEG_BYTE, -2, 0);
@@ -8091,12 +8091,12 @@
                  if (dups > 1)
                    {
                      char dupstr[sizeof " [ times]"
-                                 + INT_STRLEN_BOUND (intmax_t)];
+                                 + INT_STRLEN_BOUND (printmax_t)];
                      int duplen;
 
                      /* If you change this format, don't forget to also
                         change message_log_check_duplicate.  */
-                     sprintf (dupstr, " [%"PRIdMAX" times]", dups);
+                     sprintf (dupstr, " [%"pMd" times]", dups);
                      duplen = strlen (dupstr);
                      TEMP_SET_PT_BOTH (Z - 1, Z_BYTE - 1);
                      insert_1 (dupstr, duplen, 1, 0, 1);
@@ -8489,7 +8489,7 @@
        {
          if (m)
            {
-             size_t len;
+             ptrdiff_t len;
 
              len = doprnt (FRAME_MESSAGE_BUF (f),
                            FRAME_MESSAGE_BUF_SIZE (f), m, (char *)0, ap);

=== modified file 'src/xfaces.c'
--- src/xfaces.c        2011-07-10 08:20:10 +0000
+++ src/xfaces.c        2011-07-12 17:34:59 +0000
@@ -940,11 +940,13 @@
            }
        }
 
-      if (NATNUMP (width) && NATNUMP (height) && STRINGP (data))
+      if (STRINGP (data)
+         && INTEGERP (width) && 0 < XINT (width)
+         && INTEGERP (height) && 0 < XINT (height))
        {
-         int bytes_per_row = ((XFASTINT (width) + BITS_PER_CHAR - 1)
-                              / BITS_PER_CHAR);
-         if (SBYTES (data) >= bytes_per_row * XINT (height))
+         EMACS_INT bytes_per_row = ((XINT (width) + BITS_PER_CHAR - 1)
+                                    / BITS_PER_CHAR);
+         if (XINT (height) <= SBYTES (data) / bytes_per_row)
            pixmap_p = 1;
        }
     }

=== modified file 'src/xselect.c'
--- src/xselect.c       2011-07-13 01:48:43 +0000
+++ src/xselect.c       2011-07-13 03:45:56 +0000
@@ -2381,7 +2381,7 @@
 {
   Atom x_atom;
   struct frame *f = check_x_frame (frame);
-  size_t i;
+  ptrdiff_t i;
   struct x_display_info *dpyinfo = FRAME_X_DISPLAY_INFO (f);
 
 
@@ -2402,6 +2402,9 @@
 
   if (dpyinfo->x_dnd_atoms_length == dpyinfo->x_dnd_atoms_size)
     {
+      if (min (PTRDIFF_MAX, SIZE_MAX) / sizeof *dpyinfo->x_dnd_atoms / 2
+         < dpyinfo->x_dnd_atoms_size)
+       memory_full (SIZE_MAX);
       dpyinfo->x_dnd_atoms_size *= 2;
       dpyinfo->x_dnd_atoms = xrealloc (dpyinfo->x_dnd_atoms,
                                        sizeof (*dpyinfo->x_dnd_atoms)
@@ -2424,7 +2427,7 @@
   int x, y;
   unsigned char *data = (unsigned char *) event->data.b;
   int idata[5];
-  size_t i;
+  ptrdiff_t i;
 
   for (i = 0; i < dpyinfo->x_dnd_atoms_length; ++i)
     if (dpyinfo->x_dnd_atoms[i] == event->message_type) break;

=== modified file 'src/xterm.h'
--- src/xterm.h 2011-06-22 06:16:16 +0000
+++ src/xterm.h 2011-07-07 02:24:56 +0000
@@ -326,8 +326,8 @@
 
   /* Atoms that are drag and drop atoms */
   Atom *x_dnd_atoms;
-  size_t x_dnd_atoms_size;
-  size_t x_dnd_atoms_length;
+  ptrdiff_t x_dnd_atoms_size;
+  ptrdiff_t x_dnd_atoms_length;
 
   /* Extended window manager hints, Atoms supported by the window manager and
      atoms for settig the window type.  */

# Begin bundle
IyBCYXphYXIgcmV2aXNpb24gYnVuZGxlIHY0CiMKQlpoOTFBWSZTWWciZ1wAiRTfgHgwf//////v
//7////+YI5+9Q7vXHu1S7We41JSQHMpB9DAHWwDyHQAAceOxp7ZX3brkxHM1tkrr498Mdy88oMP
RjsBfIVLPPsbz3e2fPsu4PPoAUrtipU+tvnxXz5fTX26He50IFA2xe23wduZ9ABpQADnhg50WGtB
6A6OeHu9ABXkqjVvD3vfHzumqAK0e74e8AABQO4bkCq6BoD3eDe8AAAD28LgAAUF4U9631AR7M0f
RpUp7cu9tvHdPZoXm9V4Ai08cqB24AabXS0bcAbG2d6oLbbxXk87kLVXvdHp3c4hsN7yecVWs3Bc
R22Kqd3eoBQjwL2a92I4yiSuuudjoDolyMIUBxZs0NGRsNC2ZVU02EW0qS67y87e7VSnbbOvffZU
+PSJaylVUaVptpmzZCUICAAQAmIBMk09Ro0mVNjJlPTSnqaeUeyUAGEoEACERITBNNTaRNGRpoAA
AAANAANMgCokJkyU9qI9TRtRoNDQAaNPUPUAA0ANAEmkkIJDQmBTMlPTKeaaaR6Keo0wEeoaaGJo
0wmhtIIkiECekwgI0MKegAhMDSE9U2AmhPUegmgzUCpJACZBAmmgIaaBommio9lR+mo9UPUPU0e1
Jp6gBkXQ6clI/uCkWxASBBRIimhH1RCiLBT1oWMU+FUoirEUYsQiSAQkSBBgJ/WCA02K/GKraCnm
PI9U9BaDlMjxq4D/pT4HB0cenlOE5fx+rkfydbH6unxa+Pe5fkT6zj83yTogjA6b4YiCkiwUA+XW
vDoHp7M0+vahp9x5WOZe9xkNME27ucas0fMi5kRtOrMYwFYP6fb5Tyfw/a/7+G/w2nHUR/N/3nCL
Qk3/snXNBklrQgoh/+URlEPtdaNCaPaCAz2/upiqG3Zjs3O1tB7brPsiz4PZt8iiNEUoZZxEXLiz
sLMndrA9PhyDi2ipiFIoPVVom5s5XOJKSjKZGiQ6ih7UOjDeIXiAX7VT4OTR3GGrW02QFg3b0+TR
t7nkw5PVPdYWAPRNIUeick0zh+3sa1o344Ds32wkUIoBFjbAptldXJy37dY6SW06IV8D2D1Z6Hhn
PizraslqKdckL3o27cMb5sDVLHV1dPV0vRx6J01sTVOViAw+znx2yPDrz5fz815lZWQ75Bm5WWf+
REmwU/CNXLu8+9+3DdrU6PU+y87/LfuXbPhL1/eWrz7O/B8/ic+vz+pHlKQdgL1/SF7AeOn/oHM9
8+v11ZxL8QNeCv3C/YvW9V7a9Ovzaf5VZxx3vc8PfN3K5TQ9P6OWUv7PIuC2xpmsuQ/Xls+VcygR
hUzMOMw066qrcQmM0xBGPliN+n6PtflP9IaB4H6Tu0YgJRAp86TlA3+XRr4+e7ztEHlY3tMrmDYg
dLHq4FHIrnse2cM5U02Q/H1SpTndtwfP3+7blWuSNfpo8coFe5PIlx7Pjak9VdKkGGcsSxLEtiDg
F4VlV1Lna3OJKnnmanIqEVCR6/NAGZznqV2Oss9c3pskRorUrUJUFgVk9iVtGgx2wTknh9705o14
vFpdT026eSSEM7KEtoFGGBEsoImMH8RT1zFDG2ujalTUmpulLLCxaUOXRiLQy7FHC8vQW3UQHenV
09agqV6tczb0I2M2MhOErEYsTnFOrBMOIhGinOhVIlxBeibd5wxlLCdzQXdTWZ616vUPRB5RJgmq
ojawvow0dvnrsEkDqzvJ297dztztiGl4Dt6YndS6MV7IFmSNclMGzPY8lohWQaZOGTkybjAN7eby
TTpkN0XpvTZlTdMoUHa4wIosDm4mJJzceTbTmgkgJLiKIaiGFFhhgwTGvgpMbTcCwogaWGAgSQOd
PCx8cNqqiIbTBHGC2FsNQ6aobMiy7uyZJwlHo8OJONXhA55QGqQRxnJfEBwlac5gb0Q15ETVMOdE
jLC1jfLZroaBERGixgN712wv8dBmADfY+z9HyCB8Xl7PL3ex7/ebNmisrAqumCrDGadIC6ZieDUM
mWkLMHEdjWGCTt2wUkHmv0/8992fLr+A7k5KrnLyKifD3jvCyoK+W0BVKVYUYxioI1Qpudy8mzO1
aq39zMhLYOkPzp9NMw0OSCSQXkAbXQKkMKw5B3TYydmXgPMEQQsRGY6h7TiBT4pMVqSw6KCDjb4B
mfaJicUZrujCcvSHajE1aBEjFsQRsm4N7dSsJKekOa3GTKHIpB+u52X4rjgGxVw0UC74k5Bha/pV
iyA20uIggObrpQCIznUt66a3E1BL6mrUeoOalI2laRTJc2k4HqWKy5XULPktHthxx4XjbHhNO36x
EEQT4/IxEYVUj96yiLKwrCLDLVigipFIsFFkFIsiklZNDRmMltXCozdgf6qIQFekKkEHAERzxnKq
C79nLbvTsOUOzbf3rqmjn9s6wrFB7nfvdUE/FNYQUERYiGJBRSopAWChFlqyh4vy/z98N6p9Yw3/
1aC46v+aPL7YD60mWncM1SGHxPz9noqoIeBb6HiKKqqiqKyB4hO4+fuT81IH84CbsKpz20vP9DVW
thOAAx8hI7nfN/EVi6VTEipNp/VHGo2UEfuvY+zFsNbWMzZMZJPAyd+v2/5xkqqX5fqf+P/Jt/xd
jnlzU3hWWB3H9MqylIHlFiSa2EGTzUcpmatkT7v7R3vP0P8lNHj7fB5ONZJoqYqTJKaZa0tTCU8m
TdS/x3lWwUp17F2RPC4Pf8Tcl2S3JD8BoSpSeTJBaWVEoVP+Co5byJF80ZWvd/DzhAUfBwzn1/yX
KB6DjhZkDhls6tRPwAd53E5+Zdfb50bHfk52P5uPpjSRqcKXGuwgNFMOJhfoWG6uxwOcyJWZJogi
Aa+YAifyE9yq1gpKkRgFQKkKwrFgpK1krIsiwWiVBkAVVUFFFFkWKsGpYKIwkoUo222oLFlZVZFB
WQGEFERWIsWKsUFgsRIoioqhFgSCgKAoRURVUUEYMRQRFkWIwUBEFVRQVRVgKCgosFgoCwVSKCyM
YIgsEVjbURiioxie07s92HhKJ/aUM+yH0oSST8P5B9X8Jfz6fg/NqL+oPZD/UDc1OXdTuUDYlbar
eDNZ9rwEh1CTqkpKIKjIqhEIpEIgqAqqJcbbj7TBhlZvYcVJO6260wxxL/dLJ0aJQyQ/KuQNmBMD
rACMKUUBBR0izeLfAkZGMxk0cPahxLG2ZBEwcLtTIIw3BxmHOrcJFGiq4PCTLF2BAi+oXSGi0daG
IEuiE8vz9EIiJQyEQ9uLihMQQCeTuDKYOgE2MYtCTRFGjJiEYYsNYO5BL5auZHQmtKDOBGWEBxlF
RJn4jtenN7MxpRAL6vHR4UChRQMkbWxfEU545mzC0p7rYAhQNiS5ElOmUY9apLSRCu40jMvBAffQ
c8VtCcVHVEArexu+tUGZYyzM2qCbswhU0xNQuCoDKHcHyf5B3N66tWyssPk1yQ5Wa6369CvMQIKL
lFzZC5OQSjXJsntga9F4vHktJi97pDkVWvbxHXzC+MpMmLaYmM2JbCgTUu927LAhhF0th6iCJg25
LOeLuiaSwOn26tma73Q70dGc9L1EP1B5h91gg11TlvTqm6bOBMo6lkMaQ1cJuAlISAmBREnCzYSR
dhMbtEPB7VJotKCpws8c4w/eBsEOCDAd7PHDJAmAlAIWkObhI2XIIHMkPATWAQHQ19YhooEXUO62
oLiNTA1L4KDuUgILWWmZuMMlSyQdxIxTJd01B32JtCFRfTEBWbhUDpwsINFOVdoE6YxSdxXiEnJQ
OS411pGFGCMwKSJNKkHa6CDbM5FAxKgiCxlDYRPhhei4wGpyHai1RozRuSLcbdVcsHOkTKFSiCJP
PMQFKDniL6uhHI0zQucw5Zom0II0sSIV7A00d/WHhh4eN1ObPtM1CS7zPgOmGEEs8O8Rcb5qbmcJ
mHsPTqiJOESd2nwq3fYpXc1LuIpWsovAycqCQKoKSzaSfDdowAXafRF4CVBq+q+zVGA4rqKJLI0Q
3vFTlvhrOQJsq01njRR44cdSWm5eiwovOgrwGzHGSDFxCdvjI8CKLVC8F58PRD1UQyOSnhCTzGY8
VWgCpJJYtBaSBRYmg71WVJaCkJ0V7+AiyO41xkZ5q78UEYLK/EkSiSJDQGN57t7heW/qrvAXAW3r
Fwp1ZhUmggoIjw9/wP4VMvWHWxJuLCp7mop43g0orKomN4EB46J5eroWE3OZTAYmPg6GJP9S88jM
QVE/69vj42OdohyjZx/H7HJyUpypZSzWxcpCsfP5tZ+GC+/on0glbT8ZjTVbJo2tJgeztxq+9sc8
j+bvyrkPOo4nOKYWSW811347mq5/VU3epZE0z6duR/PgzW8IcB0K0IcgQ54E8yL0zRurvoej0EcP
KiUr3gRUE1tRO1k/itFXyUtFN5YbZRFtqgSQifEcf9H2fTdrXp9nD06Xm0pIJxN5AZ48e81m8eRF
NxAYxFKHaDRHFJ/CXuc0EEgPTGuKRQ1Uxl+ThficlP8qcKzqt3fk9rVZioYli1DAOwEO6JGJdUTq
KaR2ITQOx3Fw25eTkYXToiOdfTbAghjzYsLm/YqCoflrPJy9jNO/xaa/Y5kjsxP9Gu5obNkxj63V
bKLBJSREMDMx4SRyifgL/Mvns9S33uzo3ebC002WOSz1GRzGkp1eLTR6p52pRXSVDH6FCiiiMoZU
eeu55RxJlQPKq1VT4bpS7SYUqcPgOhQ4gnkVJYXiiimJf+eyZvLCOUuvm8/o71zkx6RuuXMrzo0e
5ikgzMPxztZmiwQFNx9RecXqlYrKjRwqGCDqVXAiQUhAYonQHqyZGDswMLDi5V5zAr4d4LohryHS
TiKifafHQcIGFfgnSOGxhVc4aJX+4/Qd3yOQFCVAYzefYgpDsYr4p3IThGDkUVDEsfNSgPBZSsaF
UcnfJHDwPX2cvU9reXc05LnhZO1bAtZaiWqi0MyTr5jGw5DduE0cUEPwpHkMxfVVxc3bG5potLGR
NUjtKImJ9RQdly4YwPRbkkfoooiX9DgXP94ZOPrWxHiQufCFyZmJQbRR+4gnErZK6igyXzVKCwqI
KOKSAzjFoGdghvFFiPMS0IHc8tPwIi817yBVO+wsSBcpYZYQldRgTqolOSuVXEzdX+yvyvW+2u9w
2/uxa4Ojt6eLN88GWuj9IkFp1q5V7N1camD0XsVN9vqqqxUeO0spWKqWS1Bhk09/3H5a503+bdQj
1dfEYehfZIKyig5SDPgVlZHmq+cCRWZxYcenW4dUlxIYBgHJNuj3OVzmhMicBSVIYRJ/Xdkr96o0
glc8cKKUcEEQDeOKx9FZIekAUVRuMKUFdBKOSZPtqh81/Ip6lu/6XFTRmb6ZBJkDIKsDgyDTBkhI
D0KBTJAo58lhwuU9TBuvdJnMIwL11ZLmqlTyX4t2uTtCIwc9p8cc217GencwXOyLVWK0S0wXI0ws
20JcpKwibyksI0UKa1gayiIYVkcyApmOcRHqM1FmOm3faclR0vV+XfFrJT1ux0dE8nOZJW7Q88Ok
z1JPDNsQzsJ9hCQjoniqpNUHRK/rNx5mOUjDLAcZG8QRALhNopaMnUeM4XbIcdZSr53u9tUucN59
TNqqMtMNdW7GamLdSmjLkoYLN8tar0WdVHRv+qm7VmwXGL+LkOAkg8JKozbnmtEqMSRrJZPweaCQ
ogMIxkKKlg1B5u13WF1ZAUnwYiazsICoFpX8UvoT9jB3L2h/bo0eSzt/Fo6tZ5dqrsXeOLYYS03W
YPHBWMMPFMwPxNXeUHdevfJEnWbt3EWxgpGRc2OIHcXKNxubHK/fsf2mkPshtLmRCh3jr8XzFHhB
RSANUmyhuRP/KDlFUV9Xpi35fy/L8Tt9vycKj9+ybeUTUpUIdCf18Re4hynKq5GO8R9eRdisyBRo
xc7Gn+0rIJfhUI2CQs4cpTrJt9iHmZjNRVyRRslQrFj1+qmDWCAzEc1CguSKokIyYRSg6OmMUhKT
SUISgSZMsTFDlA4nEnBns98VVEV+VLQqtQq+ZfWFcqWlkWsbVRK1tsUVa1BGQURVRGKsWCl6h8yC
iPdSqlSckUIGIKAskVQiJiUSkM5BIHAMyrP8ef6/u/kyIMV7fw39yiZR5fL+Ae/qrws3xvL7ue6/
zvQec8+SiOv4RT/J03lJd+xOs46q3q/e+R59VrykfwvJ4c80TH7idd76kzWfmB5J9Z9/lR8L976X
ZQ6FO0xt3VCvrdL63dzajei6BKVfAoIjUFcHkzObXsX/BWlrf47zFHqVUzeF5q92yQ1jjyZ8yKYL
zxtna8ykF6GVncsXzmhZm4tC7amxpSpH8H7ERuYvi4VOSfBqf0hMERETwJ7evPhwsvx7Zbl1deyf
bx7u3s7u7R5e/w49fWonrCK1FRfv+61lVWEVX94kQALQbMBP6CBX5ffT/zPl98w1x2lGB/j6er+2
HE9X9nCLIMD931WoV/e16HrKX589rH5dei/JXMuazM0ZmazM94DdA5fQkOiCMFBGGEQNWWJqn8IY
kPSi9hoAM4IfefnUk81LVVVoFSTzJCi5SYmYqrmEzFslqoKqtKyB+L8/6/3/x/Ft/hT9NvLqqTp1
VaSW2ELVpLbC2ltgW22lthC1aBatkLVVbJCsBtktstVVWyBiAZllqrbVVVtqqq/h7/ue301vB1gq
cPx+LK6U/s/pF9XMrkcCC8Ox0Shk+mlidYyjS/R/8lO9zW2tagfv9Kgyyt+qd2Uo/uqhX+TOjqF+
7z9HTdiOq5v2l3BWQLOorGRcCZmEBUXn4xPezxpzpeqi7GZR8FwcZRXH9zyajnsLJzSjmccdpXy1
01iqo6WEIQzCCb7xuVAJIe7mbBFNcD1hwIHgUPwCBAwcRHjj/BIoMj7igsJh9x95RiWGh1JFpYkv
F5aHEsP6R+jEkSOZaVFZExMysiUHkfeTDf98fhz1a1WyrgvC9iA+H+Gb9fmZLX1Z55e1c265Thm7
m/rPVdshJdUUZuQ4d9ddmB+SHyMg/R+NVVn0pVarUVaiqqqXIWqquK1lVU0NdRGGUo4rpW5D7gMP
pZA+cEh+NJ5GQW9NPQRX5xvAqCfYf6HZZtAjz9Hy38e/r7Maz3Qia+VsaW2tIkzFItX0CQo7qKnV
UvOCKhK9LqQE7Cp007Emzybq+p7w/Y4zhKgxbPUqIYL1Li0mUU6ImrV4uPOCirsJy1FCGoYZw/ZE
jWbaZz+nR4yh8U8dlKIs+yg1wQ0GVrrbtDYU6tpeHvBFNghAUUDcXFNV5kjyYiEORjnoDQIpvFa0
sIlae/ajzeKCkzsThaq1ERS34rAqHpsoJMbkTFBR0RK3FZBFkRDUUDF7IPVYG7MSo2noaFJeQLu0
QTRQ7Pq/gj9wHoRI/fZR/kH3qt2KAxgQIKTO+eKA8yk70iKTwKRcoRRKRHmUSyklySix6hYzmNUq
VUPEUMlKjxLUCASI2gqNo2YAliERpoQaLNIPMXoAbpBWXKBos0oodqjAR+hEgG5oHk5S4u5GAfyU
IPiYoxxR4g3EP3wGUFtOF0eIcnpg6qHw7r/Tswj7nfNJ0nVOUTNbmvXxJi7O7qdOFzDRuggXVmQ6
LYJY4YGVkcukFm4F9ms0PVoTfxCYc9kOOI5YHLJ1bxLZZEzidXmSW3IhPJyu4Qnb/TTpeRfjihZJ
eqQNjvSkDuBdVuBwDx2lHaZ55ib/MwUCQYBhgAlj+Eu1XPZz97ONrXQemyTR818Vcp4Nv2VE3koN
P7ocn08vZ9BhLqz1lZRY5zMqt9tD/OMMZrAzhWfBjwiC00+XwqIKsfRF+3KuwV7T5LX8qEvTs5Hk
+4nftv04+Uk8LD8JajFn1lyPgvXgtxXrWek93+fl7Hy0sCqvQx1DQZVSg73bfp7U99dWTSypIg7m
zdXLCJcVRValeCi9opFye8UycWTtROMT9tDwPDdb06d3a47SC9zpqK6b9dBJX0eJaHkawY5G06G0
7jibBSRvPQcOBXOUc5nK0IU+Ume+Dlkzq+lj6/Pb6Kj6QrUmfKqh49PGVPlXN96Rcx1w/Y4T44sl
6WTdoWbqTFcmZLkzTJMFxyTQ2G5Y0GJoi9yGBmvNyy7LWmFVeovhhqta1tRox1GR6DSWDwkjF86Z
iCicrW1gfYZF5AUTwMa5edqutagJpOhkhETyHEQiMCTHCc6BIayDuPVR69CCZIRPhAsm0EYYgwht
M3YwuIKJoXc+1Q9Af7QA+f6PtsfJlc5wjhV+wcgiAYFS12fRZu17Hv79Rv/ft8edr/6222UV8V7e
tF52U49fGjn/XVr000ttqlKCyk6L2V73SlKL5Ngw6Oq9d+77fgLbAtoW2ELbC2y2ltLaW0LaS2lt
LaFtLbJbZJbS2ltLUEkAkgkgEkEkEkwSQZhF553YkPMe775KD785Y46G2iyyypaK3Ku9m8BmVZtB
24e+iEJPc7VClX7X6b4r7vMPQVPS3o98GQesNXr0kukycpLBzkWMJyfExNFxCgzjuzODZAiYVWlG
ZoZgzMZmIZAwgloplBkTRBvG0UqKuiCaIJuhjKkmJCTQybsJwySsgcxAKhJp2aJA9G+umgN0U5sO
TCbMnDDhFhpkDSAaRQhuwmzCsmMA5IsnPayGyEMZWTGSbobpsgCmyLNJCpw1IaTdkx3ZMQu06G13
vLkTbAk9fk6+/aVPqp9MY/ko2zCh/aUVOzKZWjM7OISecoVig6CzH6JOd0mf1f0tYgojObLV/YRO
+BAlAQlrEi+Wx9cuiYZTCEhOTkvbJodFjZ4M5Eu4KkQpeTiUsm3EFicxyBEEEQiaTVBM38eXw/xS
nxXZfOTIiAYzcGGQvZGJCsr1YwPqBhRwcRyCZV+Q9CEXENCjxKJLJbZHUqghQUVQCdRSp/HScDKi
FhMkOUJyfhpFrBB4YCWyxsoSMB0Ugg+7FV5Ya7K2VWqCXkYCp7SdS0ur8cbTFDxffuEdBNBRhAqQ
luy5P2VmMKUIJEFZVE/LT9L49osp0iCZagCdyJlCWIVJpVR9SnB2C+BgtIuCCAj7J5LBYrHJVBmK
/0uBaiKUTYOcDZRBMcCZ2gCmL2KClFld2MOjws1OjRCCMIFERBHNtOoTFeYr0LTDFlisyQWi90to
TG1rOdrS/OBARhybPObyOdggmYGMANZenZLKqonEV3bp2q/Tp08kQSWpIgJBkZ5sy4owTBFWSpUh
Q6Ka5rpqYdWLIi+2drc165oiYSLk/fuZVIXwpHBylKBMJHKnSZLaZVy9IZ5OSJha3JCGKNlFKYro
CnAgC3YlEBtUBM6QRe0ykRMMNVhMbExR3UATsrQpUewQLd/30Acgc6K0EuQkkHtfU3xLTOPBTS5V
CUkQFW4goxWCQURJvMauwUlUcM0HPCx+n582YBlFzwvqS4aVtbcYtFiqRFzCywkJ26oPBfy0Nlni
CL4OiYMYmTT8rDjkiY5+rno1GSSkw2VPnprd5NWzTe5q84PKQ5wSaVCFSEFSKjtCT2SP87NnT79/
A7du8vN2emTp1YMrvJ0QQGjwtg7FJHtSxzmCAgFCp7OApo05OdLZYtDjNZoxZtEyPLwicyYuuSzF
swpVOuoCgokihjo7CZcc68HKnQYbXkH7qUHKkjNVUINipK7mz2EN4jNUqVLFSD+jI9FBWKRwMrbn
Ck8tDKy8rRA+hQMARNCK0ZPoivryWgiwVNnZI4NArhzARwI8CxVCR98BOkTR7LgnwPwPXfInrkjx
ieMT3BNk15FGM0ROPgwIyCFApbLWl6mqJdrNqqzDldOeylAM0lmEEMAGHU/SrkZPAvNb8I4MBgM2
gzlhZD4mxxjEWUGRZgyuxNCiBFoDgqepwzp0vSIkDmlCc4gTblvxoIHFu4yYwXOTTLBsl5WbPRNI
Ud7kON9sRHamcb7EhWFVDlsWGknNCXLOhhnHQ1tNDo9MxmoAbJ0y+raeTbjiwuNuPtkf1eAvIvXj
pro67MG07hvMJ1DBgsURVjJIMGQRjCECG8t1dXL5LZqf2NKJqdEAG5WbRaaISJgsduOeFoZ3wvhh
Yl55gXTe1CXb/zRJU9s6IyIK34Vj1EhhksQWf6pAwaTQqVTAx3IhEEdMOchObgNkkEYp4qUHSgze
Gr+0upHJUaI7YOUkmN2SG6rqgiTdtKzaS1ShnU9Qk171+nvdXcc2yni38HtJO2UHadGBvsa5nvbb
ZpKqYZGCgPIiWWPB3lLQgxUUTTcmIIg3Fdltljm1nJy5Tl5ueer6M9gggJgdCUKb2G/pfVURLCdY
MJAYUlMJsi7bhk4GzmMR3ZYiObgbDvy2Y7805uIL0giaWxyHSJF95cEZGhIzEjcTzYIChWtS6khQ
4sSBPijnc7e2QYREMsHqjXCg1BaPe6CObM9WFZNzRhJMskMjuNWRmvXrcsyTwiOiNM6OjSkvB/Ot
dvvbQsdetel34tPUthkf01aPXK53TK+bcnnWJyisbvyeeLXl7ZzfJQsrPbeZ7elIpWL8dWbird8E
Nay1zSfIrDSpa+ny258bRzS4rSVFlKtaw7xhc8q09SmSxa8PQgsIiVKYJkGOBiIO7dyzOA6LY4OM
d98i9Vd5dK74q6dXO2N8g5CYIT3MWGBEKd42mdAhAl1sMwSDVxkWqtY7sM5emG/eWmbXG5UYolrq
6KbFYQRnalZTqyLmY6HZu7zSdnAoY7GO8OrigzN6R6gqShfOnFWkuzpO5MAOqoQtziCaHjvN+UxO
S+VvhEsvMKnVVqm6oN6dngsaklKJK3c2cuFaza5KiKR0XL13eRXeuw6s7GzTK1YRpL2DHjZ+hJ5E
nvwO3Lq08HJRbB79/Dp3UmIzqTY3oi9WK0EmJ259QbKW+o9F7WUbooiITzBn38OnyALYRGBk2sys
3NXd7ioUKIwNdOx++7i/QR0QTtURdYqcBTaYdNGUko6zi1BqLicKKmEelliXBDVXqmA5epa9E4K3
sYlSpvKx6qNS4idWdLi2jJjayX0lIhVBlZVXXYvoO5mLp9byFD6hRezGDpWUwwj96Vci5oYWDnRo
qWKc8c5ZpibYJhdlQlqQ62mBfEqcN67i+EnIZAJ1Fs55fLEl9sqHR9SCL2iWYwl4MeGA+PmoMHTB
5vpQXGQa6np9q71D66pJZ+rdEuhwsTsqXJWWgIyoJbFDp2lYgihFa2obKITWicKGQhCRIjJqDgv4
vEFSZip2Do7G5yujnU2S1R6MvwCCAmq1WYjoiA0Y9g4d2n+hCGmQZVOG3QlEiBfTnzIRGUWUqg7A
qcEF3J5NYg9aXXiOeamzefiChwnNik2GMN7zvMmc5Zsn08Lr4kwUSazrU0iQbd+ZWYqexFrBYkY2
fYT4IqXJjeQXufOD5HD2KGyfoiam91Iiljo+LnMDjnYpoqfSUJg7GHMOY6NhYPNF4scJFuETUx4J
QkQQYMIDEzaOim2bRybsHDS40L7N1mpu9Opg1RHVlMEU+awYuKy8veMUHKA4UL8MLaVdM76veCFQ
+Ds2WLg/NwQWJh2OKZHmXHJVKVv6vVZ0NnvSDwnd1n47fm30r8ZJ3RMhMyfPWfn8gCKlIJSHMQ17
Nz9rlRVg9s3u5DCq52xG7I0URWgNBYM5ZENAvfi/dcxBtutDITXy1xtzgjQr5kFBg9ywoRQoQCKI
VkEEgsxtOxOJrIFEURLH7j7sDw5dwIotvhlc3ASK2XbHftfxm12jVsTedeOrzceAg87mvmU+aIQe
dd8L9pexjPma6glotdGRa24nmscMCkycz7Szxxp4ELoIZBMoJQfI6pAqMDDJGtuqqqyBgeRi+Y6h
d7iQrqOMCNICICTqREzaVU3R+sRjASM8Oms+xxoaY4VnSsLcWw4XTIiE9Dd2uMCZ4dcrsHUusupU
tSyFpIE8TwwWMH0BPkAS08MtlDIrRx5INW+4lNvtdwTq7BI9dK+bwzqsl6kx9ABLFyCv2D3Ia0dO
tEtDmvWxU47m7HHmxzqrBqDlgiUMAuymYQbsk3nyWkOKFfkO6hid6OmUFk6hte2QSdA2xvu+C93m
TugjgyiwEOKjrIRhYRurjbTJViyCTRE1Wl6oJg8HL1XQeMtEEfdPBjQ45wxQgl+Ej88B0u2ZgVSr
KMnZnRDKaJB1UOlPPPkJHckpLzcLCKqQnRI0iBWJZc7Vw35OAgmF2RcR3yJCGpOvqBXeS2O7eyon
YxUSwi7rUVH7KGTQ5I2YCxL0XHFUg8P1BnvrVYUUVmWaXQSSCLPgk7DCMdp0OkQrIo3NVtIuDJaj
KQEyhEYREFzXhkmUBE9rtzCqKCpcr77qQZmQFxqmksFf4ATF71oyFLsWRDYiqgpKJfEVVm7VBHEB
7/p6Jqnq0unKkkzN2C527rEtxZlKUtTfnmkBxzA2Pnwz3hLCo3ZwsKKVLGixIoaM+4CYTLOr1WlO
SbDoJKktVNB0FZeDboEwooS8I6M+HC5iaL3JieDVrdwoYubuPIvW6ki5Mg0dHC1PDNH151vSSRdO
wiMpyGoqqCqVWecDCWBQtJmW61FsonsiC4gFz9yVp4dJhRRLmmS3ok4w+PVMimA2WwYogp0S7KVH
2uBtksPKFHDpzbTqJdkEmMgjoMMKqCTPTlE9o2D3qiQCl5d0K7zSo6QwOLA7RkYtyQ21H7yMU93E
0u8wdq2psZeT1XS4iQQCwFSZZy4vzTRgMVX9VyR4d1pI9SDBs6PgDLcCc5iycuQTXxIC2YJHmXr9
isCJMRAE5Q4CsshixsIsnsUUybgU2SvMb5UxMv6IkEGjNBcFwUpZ8m8GPn6uGujooXXwMH6Hiaow
3QryO+g5zyOyU9DBIFfZd1L5Cx2dnZwmYBDAVgOwuTLkiolDZUpgGrqwQ2ydgUsflmU+Kyr0xeth
OioQUG9QKeWskRPwNHRoL55YUp1wY2bNHgcsXKmCRJi5o6IIl91IAnq3GAVIJTp4+F4ts239wnlk
ORBOKCDwS3iYGSi7FwHIJjdDVezlUVy+Q4ZTU1KCOopm0QsjnurUcpeIyIaReID3kbrvKq9TONGr
UMCG64ixmSXdysVpKaJcuZeCMMuduHfJGCZOGGeXaRNgUHrIdnOR20DgcZgl3AjL2aiIlTcTkBzi
oqmbZDWPAHxu/xo9PSQAFohUEdcrMIac0mLUX7nTVlnEpApoY/CXCfGQcLHQ1yMDoic+1NK5OYiI
/3XfZOTbovSQEycWwM4tsDqyCSNFE8FN1D5DQpYLPYk5qX4ocvuU3Q2ruKJYVBllIgfd/5Sk0qAV
ARSqiGlzJlmEglImTIndUBC4sr8rPtt+5tWm9A1NDdhnvMZ0zWnRU5tl90Z4rMiYlF5cbY53DOyz
BUaqMmhaJww7nC03FxUV5dmJaXmJsKL4IoLg3vZ6YKl1n7UEzon3pscXSXo3IhKHNTW6yWcnhVyL
qF9TlJUl1JxRephSGhmsYMVoY08s7hC6YnkwXGtYmKyM1GVWVfR3Unn2ZfYRNe5HpuMKqyFoUmIb
K5TbFWWpkFc5yLlTgzmkCQHnZRJAoyHoO6SgJ2d0Eb7IBXqLOBnRA+w+DAPBxZudjXeEMDMYUqKB
xRF04McbWphJKjCYWgeEcNEdmAg9HRrXhQrjw3dYQNrsXxkWUmOWoTJsDux0gmDBHsgLTBvwci+R
L8vM3ZQbk1yru33a2S92Ys9LkzwBz2OWMJi96dWiVs7hVk1JlIoi0T71H4aljsnoEuWslZYCUzKi
kwcX5GlyvNevIHIW0krS6FRYTBaeyqcDOeEujQfnm8mVrsJqjBTDJ6ojCIoCjFWSvJoJNT6F/RKj
p2XLXIBwTwxqL3GRPgVa43hJKaUyRskkZ0buYU1Zj3Tl0NvIVjLNTRQexLRaJj6+0HM0JFBRkVBl
ShJki8eQk1x0NPZ+FqXJ17YPDz5c9WJ6OhN7RVUVBhEkSTfDcKu1gJNDbTM7N3A4GgDEERxWQDMl
WggfPfkVuKUGNQw7KscgNXJTVVVDOWCRk9CqFUxIZK4PBQboK/LetCcGBi/bVHXClyKuyIG0ZPc2
gZlF7NayEwllBLensnTj07GPAduAvQihcazA6YHJlPYT2bMzr16NB4HoEXKBNBUE10QKyw5MKDkh
xw8sUtIwc3u52NB0HoOFgmd7FwMD3OgktC2ypQoYKDHCxMtATOpFKhnvRV0dHXVfOGNNH4oau17l
g43OsRtWKzq0bD9FSxQ0bC5UUPCxUfOseEYucMCnCuC311tn62KBYkOVkq+MsnRTs4cNFDYdHJHS
nv37Ch7PWwnOZ4HnQx312jabMfmgnl70mQwdmDMoBRojRBiI6Y8IkcSOPGlDgCVB5p7Uvt95h4gC
XAlvPYgje6/ttrFATzv5pq16qNZF1nJpYsEGpeEJcWdcvMGd2Q+++Z0dMuOvEBcMb14uGoMzgmC3
QGd0YpMkiYLWYbmUNlndzu7CRIVS4i62a6OyAhmdh7JhAhCpiHGYZQTvNYX4WHqCNqqEjtoWN1dP
BAPf2JF9KOKjyMpGWNNslS4DfXVasFooqGqqwzyGExLEpGSB2cX6h5ySJexitTQWVSn2zm+ftwuQ
XtyrQmFQT46Z3xnnkyiCcmiwKYLP8zYUW6y2wqodqSeRDOdGmSaYw1SyonCTfgKZWWazzDFCchEF
meH6h9JgKjTBBAS9wkbK2ID8UA4VfoZj0xC1UbWFVj2KnwFvVS1iASYUXtmOsWREwgmUE4RJIGnc
4QRM9dmolIr4OaLET0C++/mIVMT5xQwG+g750XLl8I4WVwxBpcsUOIeSqfldlUQVPLBUpITQvyKa
MDGUFJ6Y5kgngWZ9PfosaFBEqKIiT5gwEjk3RA0KHDr7ELdkgyj+l5sMB7K+ldNSiERCBuhQQQE9
c7JzPCQvPeU6ClIVqOnKQfWhExkMwNhfAtIyMIgFJ+yurv3aO6kLJ5s1GNBLU1qjJ2xIcnNEEogm
QuMzXaeRvtBk6ao1km5p2vcjfQmbs3de8mJkNL2nbJGGlKJEyDGFUJ3DXZ09pSwD9JeVTOKZp6MN
25lpbkZhS8caQwsR7XjDgQiYho6MkL8FBM4ETIlM0LSL7EsR1F9o4mSQjoVHqbP2KejOu82IHNuK
pw8LLQRfVBNRyijQOR6x08kIgF7ILXC10oYMkag9DoZY0VK9HUlvUUihEr0Qgb91hM1GRaMdUfkD
y92dtFbDlxh2dYdeq0SogCzPhx+0shIl4TIeR8TjKn8Y9YaEjA1OrKzoldsiNJgYRKzigmlrpAiZ
AqCJZAQQcgFrUkEC8OHnUULcCwwMSN4GPRchJ2KHWAzS4SHqaDAZN53QUYoZmKW5c+zBIK1LYKIJ
s02CgsdBs2YDJzRo4dalPLljOTFczYq9WWGE+uJaJ5zF8kJTq0j8ueg+D0eHvwkWfyo5Q6kz+hzo
f28EEMXwLZg4YNDmYT9OaQe73Tj5Er6ufrJyn59fNCkDUgGHr0B0oa79k3wfrrc6RJVVlirLnCLq
aZUQZYFP3THa8doo9eKsBl+YRGxvTltbrbCZhQpg83F9T8wieuOgi5ueZoZkQBZNVm4aO5AU2lAi
LfWDkFNeyH0azg5NXLWidGi70TLjajIhEVPTnT1vmSykbN1ZCMiqBGojQc2RfVNr3hY07B1FKsRr
TQhfXrMe9Zs6MqbqgrPd8EtjmlcmjzcLQklyJ6+smfWREx0KoJZBitqx540tbFspZTdzWz8oSdEI
9lNgZMYHwsSDWsKwWCwWCwWRYLBQ6t2+25DGA/BZN1RBxBYPkChUFI4WFYKCg0jYCLMbkYmBgXOG
NAbAnCOkiSPTEARdeSIlDxevXUTE6xDWKCDybmavZXW6JfNIj7HXZF7TtjKJQ1k/WH7AK4J1VZjd
qeNNOaqwjvpkdBDbIibsWrh6YHR1YNm3reF3XaSMne22c4mtNjcB4IBrp3QeZToFP2rq1Dvg1Ql7
RAYMXPGE6xQ3afEoI4I9qHbzqeA5eZCcKQeSGOBF1fhZU+ABFAGqJptOCe/sTWXVNCPY5y3eTJmL
sQ+Ne++ljs89EodVhnsF49/I1ART6gcZxUUUgGQ1C0iuaLm18NQcOEMNCdLNlbFzPFZ7hcMh7OyS
XBwIQDqSXBGQCYQvQ5jKiAk5hOMjLWnSHu/Z8lqVsjKLYQfBDHx2giSREnAiALr3KOD+B8SvNru5
aOiOC6MG5x4vZdNH3ogkHRppsN8/LHAw0kOhzh9pZ07O5UPoStAvck3IQElgv26Vvr4CUWuVHOuv
Q6ZFFznVRSSiheJkiTtEpHQmw0jH0ZuzDpjj1ssh4zmUk7DtSgjRCoJvNpl8nsdH2aLOKtEwNNeB
QqSCZIyd+guXOGUQEt30txZvRbjkwSZQhlyKPLsky1oapQp5jAfF6LgPY5YyQCpXEChtlhUXGJiF
ZnSYmhppIdMLsJEtAre0qxxgU+DopwNGga5mo+BxzYcKlB6lEEQUOrcL2TZZGpJgwWkuLcHMuc3J
zLpJiotIVOBUkObv3vBFw74Zr2SbRo6Ow2TOgbs6OjuP0ps0fUXiS9qyslBiqinnKHhg2ZC9oJFx
8d0MN5gPRrOT0ZUzo2wUA9H2gggO7yHNzWMTQZ5lG3mR2eVHvB+COR4vf9B7PH0giCeQCd4hd5bu
0r7MuCwH8Xr06bBmczRCbTgtFDQo+Z4jXwpvnfJu6ArcYOytSolACCMZkhgNEVdNU1GPImYMGgOd
giwNaph7gIxaNW4VDHtRMiJYM9NMQwuZOVEB9WblZIeTS1ZhIQ6K4jdvYDlkLEblRllrax4YD7Uz
dbTGr8ImkTCJKoL5QhryrPOHywx3YKOy1VME5Te8g/WbK0kaBEkCogJn7jRynCc2BjSEnZDs/CRS
Oo/DgmzZ+R3xBK9vhcNVyyc1suGfI0fvUxNjK5PHstl17zSRJC406+ypek5nEr1nlaVDDUOi32/T
swVNmvljzsg78OdWV3hn7mcnAqCTLlgikkRlqKghQhRkFqHcQYHaGYUh5jFryuWwP8i3tIoMfrTR
10L69icJoJ0Ne93zh0bryo6bXBV7EwlHfZ2OfTWgShc2Xo6xoMEH0FQj7w9OUDh12aIHH3gPg4+r
bBqNi74pG2eYM4tXiwYFOTkVBD3isz0TUMMVaRcw9HICw8tlS5QkXY0RhdZ0qWbWWk8nqKpkSI3T
WvRoxRuhkTR2Q9FZBKtMtGDgzlTgopMLh8ETcxe28XxKor5sOWVhUZQyb9vO7VFsnC43bHe9lJHQ
olHH5hjsm9uj0W8OmLjmUQSuU6m4LCsdC7KBkc2EtFes3XAUOpEvQKkG+zR2FNUmxMOwaxc3bBcY
lgxssQaKFAsNeeC1tcHZSUh5SXBuNCj9Fx74VSUsk42TudlppWUktVJE2uKmhSvcplcQGzsNogTn
YwWqdC3N90DShPpV6UwFTrsPxQRUI0onizdtYhZbWNVBa6K+d0XB13i5nbo7N8b13Dlu0YurSaWn
xJNLCoRHMzKDXG2SKF8HdDKcDFiB97GwZIL/rQShgXQbOnIK4kTC0GiOQYJewYWVw1cgqpfpGMdf
PzJzo6PKPU4cBZEUU6oxUdOGzWnB5GDp5UDISL3MmhyxsyYmUCRXaVmcMYoZqZJ1KOklQtcc6O8B
QzlDAVOiCGLfZoJGDVs1z+7Z05W5qnRclssSc4NfthTRwmT+5DXx0Oggd2QgNQiCLyBJIJ3cgS/k
mWOWc8mZc8nx8Q9No0yKtZ83sL3ZsKTeMFJSISBAy1cQ80NahleNGs6TThyGWLKkRU7KHThyVLBn
saIityLZA9UkXUJ6Guad3vgrXRMiscahJCdw4h0KO2FwwSLe44qJmpHgV5Fb89/NTdkEMiIJoEGG
g1SaEr5d8LXSw762UtJES+kg9vtwXSI2bLaM5quYFMV8sJMfWvc0+rFjETnzWiImK87NrL0OlTJU
SPvFTJf0WwcPuKnCp0T11HGeyzlG+qHATSlFQQQmG6YgASxP1V7vZsXp1YRA7FAM3cHERBOg3mC1
5qqIkmmbhEEJmpqwaDhnhkT75dnOw8KlFjJcZVnHVYifENglXlKfERCSiCXKzpeuS/L1W+X/bfAW
MEyty58lJmPxpOuTGLDNElhFUhHwcoXPQ1XATslgNeslgc1IaXkto1uJsq/HV392eKGDVqYzVi7+
TE+uE/I1TC9dx1JHdCDCmTcOTDARwdBGDR2TywnJyL+rL3E8D1dHTeyDU2cepepMHv4dkkqN0LOB
gZ2SO8YE7AEd3QSBn8IewxkxlSUEEAVwpCA29N8aykKSQOvWZsDQ7teSh1l1xZ1SGV75J9mDBUPV
mwphT7DaHh6hz16kQWG9Gw5smMZYN83qPJiqmIjpexZeYcw1mODuTF9hsqbJVPnlSt7HmQkKhg9s
UzUn2nUyUbUnNBfQWadOjRQPwRO1RLyp0SCzCrc9MMfCCkaOwtvhHDNA+CWjSAdnMLSrdrC0qw6v
Opge/YWGtTwPiQeqlitPBcGh0UVRQz0YN+GnVieOkRpJ90ie0k6RBOfg8Hj5X3HOXGhPg6DVDsqH
hTQOaI8LfgJUMkzWl/B0uFjA5seh8MS2uw+QowOopkkSToUmQHRX5PXrCCV5k8Cp5cxLsNXFRS4M
dbK8JlHMjdL2FSgZbJceiYI2acdBqBieThyuiZY2cHVIpUbvudwsKWOh0uZ7UncwQfbvhYKJxFOz
WUYccUfGQvSW++QeDBQVFNg8YMko2VK7JhiYcBzoucNBY6MH4GBJ9Fq5LlgRBo38T1o+rq7xPIjf
kVvtFOIPb68ESvDuQTYmiIE05vTzBOhu2a+KuqYKyDbbOM4yiEKdw6SdACyGghEMJF3VXQhq9T5q
HTlyU/EHoEHbjD2G+vXxR2hgGoFmIID2tGGmwaLqcmRCIYByMEJZTzgdZgAcQRR0WNMTShxgmoUa
+bkUVgUiGkwLzBdUEc5xdDcO7iujNpTMWuAErt6QuDnO2enBN6sLgXSAtzFyMQxTK4ROsl4LkQ0V
jjeJYug0q10ltda1uyZoe/0wNnuUyr2q3c0CB942g0JGfRRSEwD2Zz2pY8CDwvM2dnht3DIxmimC
Vj6xcco2MUiHwTc+sKIJts09+/y7DYSK+/gbfh0SIMjj+kVb3sLWZIuSaRBULnR52YOuuGIME66M
H7+TQq/A0x2ow7u84PYJId8QYJUTApnJHEEvJW99j5NQGdopkmS8mUK2waanpKHZxEoLK286WLqM
0hXmiUIJ00QhptZJNMWj0W5gEwehPPDqQiYJHox4HfRkrtNLL01ZklVVeVOih2UNIdHeHuZr+sRA
MFixnTFfNlx00no/bayVlKAcg2VUa9yRjOzsVdjLi2KTWUyQqqr9VpIoilTZTRpKOlvbmS95GwYz
z96iPChmv1hY+fnCSNlwsaT6nhzzJwsHonYwtuyRXP0MXT0Cnv1z4NFXcm53vsmR4xQ9MRweDGyo
ZPr/agmjRGUMWY+PGJrA3TOSDQ/Op1CJHPZcPRonog8pz5G6GNHR7+D4CJhI2VFN5BU52OCC7qGV
6OmRiJu0XSxM7HbZ6yUg+l+63DJYpM4etGaCwXDkaDKdg5fw9n0MEx3oexmCXoyHlbt37202Wf+N
Ak6MlNlwiwlWBkFDQLwwax4JIPCnuejPTQZFwWFodD1Lmb2bIIm0M/oCJ77uWG7bijGlya5o9+90
wHAqGSAcFyKEgc+p/KYFFOXY9D+xkUz0HsHNFT8UElm4KNAV9Dm0EmOEujZQrwsdDicPRUodVLBE
sllFUJEHr19dypI8D2x0bIJkKY6Kmip2TpNGSy7OI5QmHOakO+EmfsBDJwqZ0HGycG7u8qbVGPJB
MDCBU5SeRC0iaiA8tfWSQsHjwbyCfdX4ZRO/1ehNoPgTqhNGvrPs6PvNPb4t3fvZ1Xzn5j7UkylS
7/MPyALz4KKd7hH3b3G3sC4mIbQmE9VPCIeNhIxTz0udaXvp3ipypY8jUvGBO0bYnXD0TmAGxFRB
iyFdwzvaoGAuSMZFjtEzhjYnnNzLCACBR13G1xESZmYGuU9Xp5zJ23kMpUy2uQcYpLiIS9tty/Hb
xOlKpNXaq2qyV+0tMmQULFMU2cHgBDISYzQGJYDkx8yrAZGZEQNgg2ltD3Vp2bDWFHBgQQEiQ9YB
8C80+4tgHPtKymE7tAgDcJHcyDJt3uQVIO+hjBw2Spe/SiuMj5bSi7XNCEspuZvYNMwagKSWlRQY
vsnIuyCdH7EE/H8fN4NrYLoWpQnNOOMVzvoj2d183KGYa0uyBxrEzAe8LFKBUOzQL2EnqddyCWUE
c9F6yLG0pjJYNrZSQpIKZ19l/itDzSIinGI6V4k8jTkVO1aTKFBX8YPYLccYiyTeQugl+XfpMGrm
hTrYga+INddKyil25L2HhKU1m2ShOR8SGhkcyN6cawxWx9qCIZFAuXC0oQDsmcsfrQ0VPT2cMYTZ
Coyhdfj3OHRmOH0+miJ7Po1+Gj4G2ZD2X1qYW8CofKhFfZ6CxY1o1kcy4+Rdxr1BRYcVjkl9OXHB
TkNAeuiw5rOBaYBskycR2WGyHYrUXegkJkz6zImHA+ejh1pxnZoYfgcDljuxocu4TKGBkkNOTRaY
xvHVMqSv7Wxs1nRBUsjXvDrH5BW0rSyVQ9FpJk7QldOuqej3UpQknteY8LumbsxvxZtLdFL2GvsJ
OUok9ezCYvv5OI1JmpmRj0EfV29Qkeq6boHL+/DRoFL9UMFDIpcPZEyC4oz1CZAevaWpyZKREvNF
wmOQQ+20UmQFtOmLd67EooV6S1IuZHR0kHVg0TGKnKIIx2UJCjHZguHZ927eEi9FHs1tHRgmdHQV
NwdVKajedWkRUUYqWNTLkjRZtqxOjNzbOHsuOTo6OhUkcXxOJ7Dx47t4BSPevsGBo8FSsy4DuNXn
NSjqU2hAOjuRsDwR538ROJEQ8xCoL7CI5EWwJA98UqAQgwgg4bfO9Ovn67HVx6b9ksdkv7jmALQs
CxVSr46VsC35oI2XUC0QwJNoWRtKSENCpFiTQkrKRLgt0sBdLXBci6CJgC2RAYC2BcRDJtigiaRQ
HRcFgLv9Duyj+zp/4LnpeqRl5/W80U3Kg0/PKUFexAU9e3+MuUKZM/++VrxVKTSR4/i9j73qdg54
thbj4SNRMd49vhyf4zP1uh4s12vT+cWQWLCa2udUVKzneVph5PjoOng4vhEgMfgWL7SjiZFB4eP9
aPzitQFf0ooH5xFpCzDzJr8B+zCUT929iCLBD55wXCGrSYy8U+fWpmCzNkRSBEGQBiQSLAZARgqR
BiwSJGIgMEjIQ96SUlKMZYSlEEKEpSshCiMjJQsssssYywKUtKXzFYCgsILBYooooKRRRQUWRZIo
ooooKKCiiwUkHIxjFwC1WMVjFQQVQgkSIiIiIkRERBkIRgwYxIkVEX7IZB8PmLz/IpIgw/YoWIip
aINQL4HLJHNMgWAurk58H0GvpcBBRP0ulPua+0kkPDittK4I4m8X9viH8vl+k/zBP734CfuInyue
koH/fcybEwwWeT/fyauVpe0/3H/6q8aCHQ7hwer5Wgo2iyh9dLMlh6QAoCxQWAQREIKyBEQBRCBF
JAkEeS0YbP863+/M/yyXAnNDQRdAcnms84adCPe3OJzh/S1iGDAWxNbq/6hiwRteH/O7IEmFmLaW
sSa6p8pEf3/B5eWEP2p4vv8nLnFH9ZTmEOBwPLlq7Q6MjrCJDtV0Z6m+Rlz5l21jPF1jv3+sqpJJ
LCH9tZFNB5aAo39yu49EoF+NKHYcdR/ji8xyPURNsZE8NJyJY/p45iGztKEE7CBYLKif8pn0LLB7
TqSLccBLnq7RMHNotkpNSA7Ced85PKSf+ort6uc1lGYGl9AR+jDKjUrC+BCBHzYNgzKumRR2vaHI
mA12FzGy9DzGhZtTWaWQ2iYJcFlijmZWwyOFy7f1nrT21N55STpKbTd4M3WzuaOotjO9gNUwL0UV
TTtKOB32SoW/rLFl1ju5TbcwidfLVyDznB5SHOGpVMeUMnt+h4WLeuUSLJIvt8bsfJwC3aexxw8r
ZsZu4YDwnsQaPDjYa2Ctw80A4ZaDMxseTQYaLbV7xUueaSXCPcwdQdH4fjVklKgntU3GS0pnZac9
E2D1ipGLBTx3FzQqFreOa+a0O61gHoipd40PlHW6hHjiD19NAaFQuGJprS88uck7vZf0ykmMcyRd
fCvSfwbjrs83e73ls/1l7lS4wdWXjfe2HtqiW4l7PCI8yT2L0cbdrD1DSWs2jXO4gUhoOREgZwNw
9ER8xAoDBYFZKwAMOcR1ZMu61zzoKqgKqkGZgz1Iq9mTHfAqZRtEDelBxEOvSUERRFj8qQ6GpO9G
HYZlGRHIuZEGE7ccQ/ulUSgcoeMWRzqkNCuqtFFDhUm0OQeowOmkPB7Ju39GTl5tKkn1STYYVO7g
1l7JXDytBi7Szeefz2FtLVWlq2dU9BO0hQ3npPtMvwtu6E6dojw04JoBozM6KqlqpKKqgqpJLHXf
UkWFvQuhfXxS+5XqvuzzzdyoL6UISFqq2807PGUNCaRPU2RHlypJ5x5I1j1CZYOocORzGHFNaIb0
oREQlL7+vZ3HxMP+SyAjD6/zAD7kwMj74fu+89DxNQd2xOpSvJoL6eytwVhvkk+HFj0KhBJ+6pLT
xTMsp+l6YVFxFMCLwlQOR4np5D0jyBrmRKu4tWLAwhLFDtuDe8u6SllUq76W++v9VOSN0TFc3aXv
KaaaMpJu/HfkDyEIQ5sTXG7wDr5RNuc2ZJr7vWd8f3/tOKvgD/4KKQhtT1FFvvPWWIfxPVAs+B+o
AJpTUWPlEyCKiUHUgZiZimkuauIlAkJd5oQN+6L8y5kUME5RymjHZhFoqalP/RUmU/TBgvcSqfm/
QdXaMlOUcNGhUwklkkOgWKlKEFgQCKgxQjGVfUEFyX8MoXlSTLVZzYRwYQROs1dSf8ObooozxqrL
mq9vFnWLP8FNufVkLubU1cL2bidlXG8mEtOyKWwjHnIpZcNlJw55xenKNXM7Ns91atHJvNVuFRIL
oUlaCGmpSFiDCJWu90UDJuGZv1uxdiQ2PCbbBO4dkVO6MWRBAqSFKMpKgsUlaSlE4whhkoCMqICJ
EsUWsspUVarWsWXDKbN43mxw0mOaJpqwFKbFYeKgI8gf8/7f6/3/t+Sn8/9oYEyn+3KjfGy8EepH
tQkRmpoyd/B/kszOHsQXNuH+3/pykKZH9yJoaGQMfIUvDUYQtxsfXTGElhJ1E9VsrR5xBN2jRlzx
2XsVGUSC5zvZmjkwWDf/MEmacuGSCCsFDo6MS2o/JA1Q6lioRz4sNTZQwaOgsQambLBL2QVK6NpL
hU2hO2WNlRTRbqRgqQOQVFMoSK3NkZOkn799hbwLh4vgQQhw+3wcqnVSZwPSUDefAyYmUOx7f43N
CkqmQ9uLYeG69lCQVFJHtHJBWZ792KpwySl1fq5dPPHLk5Clz1IGYgkz1F0LY0YkhmDMHo54MEFw
8FOsMoUGBdGvEE2f8fynnKMKNYmHbCh66DomZOBUsTmdl0uYLzkfmgH+rcF+8Bcu7sQa4GW+Pk+T
5IPUv3RPLdTVweDm01NHHhc5Oj3r0/s+J9n1vL/Vm0ZmryXHTuXcML3e7ll7qxc3Z63hDz9NokfW
mGp5FfYJ84ywopU8fkF1LlKSdMp2aFNjg5678PQeMDkyZ821lBNBjB7PfyaKCBZIo2TFPOJlMbLR
qywvLDE4bTTMgUoxqrJFY1w1BM9mAkGtyvY0SJmVBgb3RepGT6IgR96mRRQvwYJsbNJI8Jc8KH5v
e3ljouPMXsMToOCliQhuIoUCxWGRRRE6bigNCh6zyg7FC2flKVhiMDsLF8aP59xCHh2frMBhFxOT
A7GL7rsysL6uwK0WDc/DmN32GhMkaKTnKk6S0tlP0+S6MXyWQ/Fbg6Dz90FbvpHcTd68MoecVEgu
WTxJPd8Gk1aSMOmwXbh700Nm631Gk1AulU4E/dzULZ2SYxo1jNaEh7tp4+9kx+jZMbsfVEKi+kbO
knBpU55j2lHTxNIGCprNZ7QIXdpB7UBU5bKZksXO45V1GF8Dksu6jQPWPJlItyEOjosBqzDBF2HV
3WMR/wiO00bdIwIGOkgJci15uGqyL+RxQhBKOFaTSWEslKFtTYeBcsYJpEpyMAgLcUhleR5/IDiu
C/NAfBMg2r0Ed4nboNAifV1HIEX9WGME/DWIByDcdwp7HqY+kVY9o93wjDjZV5JkfvcI1bOT7k15
bP3OdxxT8v3/q7Nn72Wq9+ajB8WDWs9jM8D2z8ryl2VaS6cuUGKBokLZDRdbj4MnWzRspmZEane2
CfycNimKWL00fRLmQ6QjiWFccY4E+DnQUMPiZsqcDKjOQnRxRSh4eEw+wEkdhcaVNLuTmXCwYDop
oocGKX6MVCoU0tyB5e/A2bIGL1OHvNzatVih5yg4ejwydBjvpMnRom4dFRQkGRRgmZCweDGAmZou
CoawYULYjoqUGo5VFtcsKSE6OhV7H6od8LHYoydlDGrBpHIkLQUqdhi52UrYe4LYudBSpkyZ0pPr
qZxLIJv93yQHeiXl7sG9nM7Oy1Z3seVKBHRiZ6Pj8QuRIMC+yw0Ow7jWGeuuSaD6aaYGYpqNLy4f
oFsw+IHCfyGj9HPYtToXZ4yDB4ZNGBTUGjoMVOqGSUvPLkH0L+zrUFj2YKGyZYO2GOHZdTHPFoWZ
sGPV34NmzxmHGq3nucM5yYPAxfC0LCKgxQGQy2hhRUYEyZeYSQslppokkhS3FKm3h0eXVu8XZO52
YueTxYUweLDk7lNPkjm4nyIUe+CdpIsSEIyMJO2PuCD23K6yW/zXf6fwfWLvreahdE9h08X0bsZ7
mkwS9zJmioPVE1I+LxifgN9Xrk5FuSu9SxpBO5rSDyh46QXLSb1+FcDScFDkT1bu87hBuenBLKoc
BzbRiSEYcg7AUIEBFEUwGHntzcdEcPU+8EQbmiM9gQoqqaZ4HhTIF3g7/UfYdcFYQM1VROrXC5BY
SFUNyEUQwRPDR0StpeeT0+7Lhs1HSowoI+ChAYolIgpfLPfJfJGTRi2SPrfk5XcHs+rowFuaQb/c
LkUnU9D1xLLIA8JFRYXvsCsxFDCpw6Op8XuWqzaCusrkyjTTegodhYocMA47np+BCihg2VDqMnh4
NggobPCoeftcPRssS1AxAXOyhMhFuTBTgeWPzQQ3B7CluOWNt+kFcExipz2SJGDhByODFoQTYx0U
FThrDoWqR7PZkgJmyxg2cTgp7NpVBBRkEqFpMaLFERlKnAob31by8pb5Uahg0KidyI2+jeyxRKDC
nRMMFThQ7MhtyYdnUdwJgpi8oNg9zSh2WOxyRc2X4hQwMMV7JdbMGiZHdJhsQOHfbpswYOdhqxM2
dkkFG22Dru426PtkjzJLvKIpSPHvczq5OTvZsr73E8MCLjR7zM5ocwEJaFcy8Hh6Ei08BTM8OsET
3Km9gYRIJ1GMzhabuLDnlw2o17wy2G4fILyJVEak3LFSz4lpGrYVk94+uRHdeXQOFpeMGXcqVCwo
aJGRebNA/lDNzRruYfwgm+Bo1cmjhqyX9/yMFE6fWeTtu7OHHF9nDBiiNhkScaFoZGyITKzV1mYJ
C0oBttSDxKrK5sycbrhxaO1jjC4iVqYzYLU1lBImUDdDmZ67NYdxcudQLe71ncf60D3gvOCwCAQh
EiU/piIxYiercszskgUn6zC6hP2UwMKRSDgPsR3HFD57g9KPaZD4IFK09xDiZiwsJMmQwEJEwoYy
yGeM1omjBBRKNniiUHQpmjimrEH5o8qf7Rd4aK+HBA8AXQeRHEa6jrIVFpYtCPYaQ5QzUovIbvqE
N79UF9wOjIX8zk6DWEX/zspX/cQUT4q+bLV5AkBxi0IUFhKD0/WHpOjW7Q9PyNAJsOtDTsnocLfp
zsWCpVEqry97FpZJsU+Es0bR2hMHZ2NYZIUob4ZIYbsOHMJBwLwd3ijwFQHjDJGRMcS+vEx+j5vZ
/z6zRM/lyd+vb7NuEJY/qULwvqIFnALBRRCJIqmJCqrUKeFIlYYdw+LyHUeOA8JsM5BjIxMi/1D2
CA4iSNjGmmlU/jcdoImAVkcfGivb9eFzXgdH8l8lOxMF8oMZDFuCnAcKqLYWgp6NkkGKDXBTBANU
mb0cKqvCcFRTo2fWezon49uH9gE68mFxbE1WzyDJ4V88JkCRbbAohWXBM6FVezKRuBEwIkRIFZkS
LweNk7KeEhhyo5uR8BMehkqYMhImfFyp2kMGPmiI7mGytcjhs21at1mbm5ybGHTU9UQSxq5Y8TWL
2hc4vyVYxUT3zLk0EfT6SLmi7+zRowaJlByChIyHoET0XFHKgopUUUr2OVJl2KjJwK5FiLeyqTNl
/dQvrwNp7Gc7rgCoeCHuT+YYHdzA05DIQiFLUFimw+3lCjmN22jbbfwscAsc50aMnmuaz9yIF5y9
k8ROCeXzoyfOCatZ1NhszA5mb3MZ06RHj4FG3qZXvNg32csG6/Rm95Ez54tWy/k9KauXJbBZi9Hr
XrN2T0s0nc2a3OcLnPruZqlLDGkMYX34DFA8KWHlxBnlJtS3d6BgeKMKqCoasnjlEUz156SeXDCa
i0a40gpgXm5RRPk9EmbJuNpmow2xHHCgRP/aQYFHMQnsdknmIDfYSBl+N5tPcyIUCoQHi1ib9hZt
MzPVmROI42gu/p4e5tt7HsaqmbVk9OZU5RO5Ink7qzsd8eMUT0IIns6PJoyTEnUW0Q/DRoFLjc6H
vY0bUaJ8kOM4n7v7l0c5i65nOHaJ9sTx6JMIOa+SeEPqcCjj6hoeLOZpo/ocoewHzh9eH63u2P0f
ho82P7kecSWCVEPBCRH02Uax/iXOtwONgRByPsIp7Qf1a/P9nCSvf6fqwwkw+z8fy+ak0bFnxuJL
SgecPPZFnENQyEo9w0kh08Y0E6Fypt5aCjl5lSZc/nEkR65RgwSnviQaNs2zGs9ouFzbBoopwsvY
rGJbArlSZIP4B6FJKqOMPiYxgWeNXBRjI5cXJNHUVHDdEEeBAgKGRsqjmUwOKLCDCSUMGSpVzc3S
ZYoEjsdL0lQShcsEplor0qC4rPnz6LHJy7j59McaS2jnHDCCTmrJoKzlZPQqpfUYsw0pSiSkEygo
nsUUUC3oYvJCjyWYg4wwi0cqUIKgYRjF0JBVCtnk86ybV2u2i+LnroJywWhQpKApUsDYQCiIdz9n
VZ+FizuQlO94P18HjM30Ww7FcVMe8prV0dkYPqjZHVu13b9N2x3w33w1/Rs47tss/Hly8ZVryOW4
0GrtGPpXsuGROB2DZMNmRPWdQRCwePKOZicwYxDG6jaOE6mxTRQ4TNnMEjo2bKHR0YKhBQcn+Jk+
gMbXA51osYJEsFLnAv1KhcTOXPJpgoUMNZj6IMeUGDhMgk5Uwp0oXBIflCi/nt4Pt325y5O4Sblh
ZKD4P5MS436coSsz+mUsecyfR9hKrXLh0bspblQZ01dnftzrXfZez7HNV26RdfOjZx4beceNHKQt
/K97jC2T6Gru3wuowe1fDvptW+7su3btKstVqcKqcYUZStM6b4UdJPjug701OjX0zuXaFV2hbMvH
KaEOHM4zNWS++vjo9Vtm+dzFd8GDo2LjNg5vk+Tk3bmz97ijjKOXPJDXNFSZIevpP3i+DAd1qeEO
dMtWmeFjCmQ0KcueEtgoZPzQSZMwTNfB4RseV/uEQyF/OwU6KnBSNG77aZTw7Tqxg4fjgyU7FJqU
JaLqywHpTZ0oL2vCwxQdPnU6JMxKJlQx4VBPIKbzw4bUNxwRjuTmKDIIgHcigdnE8YDIIbpCQJCN
QJFRiiAgCDFiigRZFBVi2QElvlJIUfgLOMJNilDrE7BKdBODDsGGDoIse8MEUCwXiwUBgaMthiFO
BgxCSRSFFBMFRuZC9Bt8tB6A6+gPJz73wYHlcyex7n390c+ypVKqoixG74Lqo8L08fWR6TRjfUJ0
nh6Or5vF5Pi5vLr7l7yMtNVYJ2BtOhQIxYdDgfMKasDjnmLfxHhaKMcRxrNdpW0i8qSQxgSMzVqI
C5lwxSxI6CVHBERE+8zDeCvPA4iqAqHcGgIQidnTKsPh2cCMxSBlM2ZZqrthIxYLFSpM6N3zWPt2
prS2d7lRXKCs3INu83uHHa3ZacBuA0CZWJfXudmMg4xcu5xpe3k8zj858XxfUpZicon8kJEc1wII
CX4s4ZqTIbDt7zrzNxAc4MiMMzQG2lHshuIQiSBCQko2nHT08QhPPN5FIKIJTkd53ms0BEz9YdvS
zt1U083+az9Ke3hw2aavc3kvpDZrBEvJPqk0+Ek8PM9yzg9jrY9v1MuTU0PRphoyZfgcsl7FouU+
s4iNvgxdPSGDVDZULNz5UekQbK7wH6DuYUMKEiFAkKRCgJSQYQsCJSMKAlBlIliUiWJSJYlIlghS
JZElASxKRLEpEsEKQSxKRKAyUIlAGSWAJYlgliUgliWCWJYJYIWAliUiWCFIliWCWJYQoYlABClS
Clf6oDdMnWC6EE7EFPBD6/FgPg8Q4psJIeHTb3b+kLefh304rZlR3HCn3eHWjPTny1gido7Hw2PH
r35QV74q7uhZOCuHUAiUd+xYD6N2zulYUulWeBVddat13yBEoAROJqFTgnv8wLvAOjgr5E94onR5
TW+B+EPrNfcHnNZrdOXxPc+5jYzDgvr06taNhW2svkXUT/ARwS7aQE2HOZDQOg0lglih8S6FIZF8
z7Z9fANGR/GPB5XHMJFThEi0QS78/oQxQvhSP1c4o8070qZk3nC5hxToRJDlZBw4YSAoEERFRucw
csagN3Ih59E6KLEHeaTQS1xZuuEls7Gk5SMUuk3Xw0RH9BUnwphDXV6jrWDtUk24YxULhURpRJVI
SIrckpc/baqjZ+mLJcyGKzEw6L0/V3squZ982O41msdZCybr8lmia4NGGFX2XsnwT4o2DOJKTkSe
A0dWlvjvI7KUZqUQ2k1mbJuC9qUWzX9ZE6yCaknFYdB3s8Gml6nDm3ZXV+funEnZRVSlDp4bOW9c
kuPZGX2VAF5/8gN4QivDkDm3q/UjTrCEDoMoIqHgWes46gOhXbAXPikJEgBpaqmLJSSjAoe/QP88
MMHyFEwEv5cqJiPYNvFRHpAYhy+PD25/E9mguWv5hLRb1ZWRUZUSsJRVZy/Zc/nBhwxzwkP2XrmC
xuussac+T2apimbFEU66V2na+v6YfyhQHTlxJwfxEFsC3GO5s/hiwcKiVzucW0M5WLdwzsqJyyWk
5rDSHFrwkZCIMl+ZHUNNokqbJ7K5KkFq0KFy4mC8koeFEsWKDqXLpwsUkWBy5O2jFS97nCjRQtMK
SNEzQwTFVyH/TuRyR2XqpnouKQdhxKDhU0OYNjhkl2WIvOqhpHKkt2HgK1HHNGwm5cKChsvY5hsh
a5c5c7NnDo5IEEBG7gO2ehRH7UFNlgt2YCCVi8gahgU4DBIqDl0cyaMVrBUuGkyWLliDDN11Y3YU
uLk2SK6CoSIKGjh6p/sWlh5qkE55GLW05adI2K4N2h9IxXLz9SBNByx8TGPeTx7DU2fBwqcMi8oW
PZHZYJDlChI4OQZuMGixooKaMlwsTo80gqRcoDscMGj5+ezovgkSLo65PYTKH0BO3oULWiXZg0dn
R4dHVTwOjAcwXQEEGOGTJkwwZOfPuaEQmrJ3dOvJL1SSiT7p3x4397TWU6Lnc5GZInPnowN+zGER
V7ySTk9ML/faPsgfyiQf2dzGH2xILPbJIOn5SiVLBgcaEpFw/HKlDuiu/ao521M1tP5e8ROZU9Qg
UP4dh0p/216z2EIa40RdlqH3dIH1iBigvMnuo5IC8fMC5FtLDxOrnty7quepGFJzKwWhPfzdt63I
4AZgtxMsz1CgQDQdtCnTFCEHaoliFDQFCidSIUKWMCJCCWhgtH1IGGhbdB9F7+kTrNT5+jlvKxUi
lO7j4/22jwTOf7Hwak7PSclCWUFGW+pcIsMMskD2JgwwkgoFERRaEBgaVKCIkID9KgKlnyL1l1f5
IDBBROY2m1HeqnZ6zUHc/qw3almt8ThvHBXOP7Cz5zwlS3/PE1ITMxQPzMzEsvv8lj2eo8Xp9vJ6
eCJoPDo6DcD1o7SEhLNNS0pBBNQgm8/0Pp2IJxS4cHqeJkNwPukwTCTt2lJg6mCVBDESZShN5vgp
M6aDEguCgUC4lgsMIhDE/LwR5fvR8uRk6KSjUGqRuDUEETuS671o/kGKQVIIDmRR3FAcsfSSTtqj
rCigNXOICwEYYZD3psX2QCbQP0RRERerEQoxEFhUPJ7HZ1IB8cODtAfu2ww9FOo7zwSDJCcmEwPG
/Qybv1pSltzI5V2do4fyRpcu7g9Vkj/W4tfR3So+n4PTFIOj7bFoa2pMhmlKUpUrm1e9Ca6RNcn1
/v5bNEphH8FmkTA/CQ+ckj+TJ+8T3ogYo/N7wFU2G8i9yj6xJ80dSL8c9nH19Qh8Qd/DiZrYpcwU
tqo2HhXIjxcgpQwRKUuMLPMkrQvhe/nHPm1tGlQu3JI+Ioof8nyEGymZvB7xRtki2RDId8IzX3o+
Y5cyneC+fRkEX3Q+shUWSRA5j9oYBlIgRUSMERPQan34b+ByL8/Or1qRMy2q2If2KkkmSJ5IThgP
+z3PcU61SilDpnEg8ahELlEpPNY+1YNpq29fOMDyUe0PtCBQXAPv8jQLY+ZHcqv6EvC0D6ZSfwh6
NFmyZiQ60hwgn1/qN0DvXyOn0tGMmKmE8ywdHs2J9Uzf2w3j+ZQGJ9uCdgbi6BGLBIm3I+s30ZGO
zsHihzGOZ14l4OIjlrJjyRdR4k4DCikBM1ezI5bD+PTb6g5d5vWldBB6yDR2UfmAQbkL9Rgg/gyS
TqYAYiJlsARCk6P4JByyF+4FsC9QL7U6Tl+3iVAhAgLISBCUKo/pLv3XPXGOSujN7v4k9OtUO6y1
CkUfLnaXSpRoU2rnIJKm0zfnikdwBgZECGi7gXepHgFaYHmQHj+LiYKexmgOIW4cMCxgM9FigyYV
CMSwV3G9cF3CcwvQrcp+ZoOrEd+p/wCInJyhKiAcYQMRDRnpen4GZqIEOt7Vz8S7Eiv86AYH1bHM
NySCIAQFkDzG4xYsBe+dtmIKBxf0HPRdvFCEHkrt7Neo1q/3I+IP0Dmj/c9QhvfETk/FMN9tVVIS
GiioWqiqNgEN33nvR6fXyEZ0CGP4GWa/Ucyp2vAOV3Ibg/IExROf5IHoere+Z7LuABCDZwoLQbL2
Iw4bwBvvENSA+joUcsFHbWZvv3wBM+BQ7VgHVr2k3G02H65B6QuNohKDyo2NINvw/GewlT+fK48/
3o9vuFAbh0HkxEO4Pj0pYdT5Lqec0Uj44+yPU9keaHlM3wQn4ounrMn+KnAeTBcUBtUBjRPIWBrB
DEjL2JGFi++FxuSEIAd7g4wkT2ZAC+pHS7uYDGMiUxVBylp2o7AXdpAXQDsoBbkko6oSIpiOlz3w
+Dbr98l/sNZZpORSbRPu10MGqpM7E3SQbqUp5dLqq5IgvuhOErkjc5iIoG/jymwC5jolJwSrSya0
pNSfL9LIDzQev4isoLMY1o1ooZlBAFKxoodEE8tkj/b9aEDxRAxN+Aybgc4LA1qifUpcbThdZbnD
iB+5GyGYw9g0NBjOQNgR8M1TzIkOk5xwh+8rM0Ny6l6fuBcTEdIOFiEIihMAWgfloV9vjdwIJmA+
VTgCBylT4TSLn8oyjkvSI+1DBPNpk1jJD/t9jAaUg5XXMNuInTk8nqUvymLI9R1T6CYT/KjHvUVL
cElmUi8nkaOkkXKQfNlPb8FHtZr+H0blz4Flkpcj6nN4ac5rUMmGLY675WRKyTLE+j2K68uQHsR8
4PAdQW5xQPrDfvTSHFP2b9hxSFzASh+C4IcfbEbDzL+bFSRUbBti7AOg0P+cKJ5z0EMbfgQhH6DQ
DYQpIDeA8CQkYxHB0EPj+zpAXPyWSTRKr/6/9zQh6hk/mVN/wqRH24B1kQqHPBYQoXw+wh6JZVA0
0Z8AsB9n7/3FgbkFwEhL/ogWLAQq2AWRz3Qzc5sHA0/lJsBaNhiC+w9atAvdEA3/q1GUjIyROSBp
KMT+YwDm+wF5D4uj8vEHEF0i/HAPL1o0l0XURSAwQ+gt4lFn6UekF6lsaybUETlXCHrDVzZZd7s2
F1uCWLHx+Ifb7UeHwQNhia2hpM/y5EfF4p3I/LUju4lytLBGAMTsiW1mjs0en0dm3bTlyCmjyjDX
INCKTBNhNtpsOTW2gzRdUKJdBSjqzRTIHQ2PsjdiT1JMClNzcROymGJBCAtRkYhqrETKgWcgJ4vx
AdgL9oMsGHxifDR0qJu3S0SDOS3lgkvvokthOOS9Ps6UaKtEgtKHmyNChRJQekWP3epKyHCjtFCH
32QNTNNEwpEBzBhCNC2PXtoLjimCTkGiwXIKWJCKc3PhRK+6rp9o8CiCcIrCIVEDtJ3qGOmmBJ4b
EmGGbpE9kaJUSsYF5IQEhAUhEbKQxUULAelE5RvZHYC/2DMuPOXxeo0x4LHmiXPV79Pn5A0DpY0H
Ku35UHCaDmKA6IwigWXpBEH8NN+LTDZssHWi82n2QwRwVohF1sfz46rEMadQyGow2EA2AQ+UMDQS
ba3ZWu8FSSLEIRuIIaMLK6iERipciKQETxqm5GkWIgPKqazOFumeJd7whivJoF1wETZR+Nb545jC
u0vmUJCKG6J3ME6lx/dR/vOaxfSMfsUtFU0jVeUwarucX4H7GXyJd+PyIhKJkyIXifIIp4dR1HVE
zaMEQxgIY3pXjt8gN/oDA6PRxta9GQfDY+ZhBTmiFB+NUMgF1Hh/FRNACkdDmjuPsXzZzxV4Jguk
QsWNZ4sUYjSlWCJ+junuhNaUUV9BueQ7on2u1ch24MmJPAwgs+dJL3jekmAqJxM2CrKKpT4pFpAw
cRLRIPOkGSYn1klpBq7xT1xMDI2zkyIuapn+sU71y0dNr5O6LEnaRNE7i4ysftxVhyb3LAGP76Vs
RYQs5G2Dide1AwuNKoOxn1mil0i9cffJDC56oKL0CzKdnZPgowYkmqKJKUSVBU/5oORhUzsapTk0
dVGFkiqQ7/m/0nH2S++eTo6m2yzNxFL58niYr1SlL8HdKVJI6kfz/taHMgkgMTUUU4H3qOejgH/E
T3kEIBzF8B1iUtK1iirF7pgU1YH5u2EO79J856n/CjrU/69P2XR28rcNZpdO9RTElj6LWP0ZntWW
VSqVRKRYqrAzYEnSfmkHZ5fQAPaj5hDQHNcQnv/ETwN/SfZwKUpIzupKYHcQuPAInBIsOKQpOohv
QMDHVHnX3eph/QkxiQVEE1aLncg+2f44bkpBE0dfH2FkKDp0nqnKpwBcEzgm/7OY3BJzh/X0Qm2x
9bGx/SUWtLC32yPaJW/T5P3wfIOScw+XqIROlZSWR4YECBgD+oHM879VMO5KU32XG4TxQ+CD1rVQ
+3vPnFPPoU7/XS8CcSHKbiFWXoKDZCEZiEhBhCj0KMenwBeAYHh56wBxLec0kbdUNsA99BSbMhUx
KMBGCyE+8entybj80nJNh6h3MBj8eo+t9q+3yKkVyB7rjkD7Oa1wjyAiDf1xHhpRwxVMpSpq6Om3
wR9eAN8xOehHzQlon8vUXvvlIfl5nEaEv6Anxz4wmQl2DzHIuIYRBUbBVDzHfnr2A2YiJNoFlohY
IJIkUEQRGiShIwiRBwQxCa3l2caryKU8OHG220qnrMuFK2i7lDBOaGOKgZrIYxOl/n1tEnyyTH2x
PT8+d8ibcbarnFgsUqTRhcnRano6SGIhL04mxJ4MvX+L0rIcmJyk3Zo1iURnEdyJJkXTpoNDuAgf
VdSQhhegiloIUSXtjkhkg4RKMGNOwOIHaNETdCjt+s/atC8pe+n3avYXu9kqOqf5lFKj5u5i+h+Z
RboOHCzqV27ffngnS86CJAiIDtMssAtDo4HIWX3fpqmK/V8gXSC2QROIifUPBEM4/O0vFJ9FM4uH
LhozxXCyiOZEun1LCw8rRgEWI2DzliwetU7zWXiWC4h98zSX1FWQ8VlyNpEt5LG1jzSf4FI4OmJJ
pDGTf4qXmEdY/f2k5Xfgy4conh6lHI3L+gxAeLGEFwmhcaX6NAUiYkFYBhQgom4sVICyxiqfD4A5
nFWXZ9Pr0fmT37OCeye3hOSmBJTNS0In6I8s4b4uXG6D1hB31KP8eWDY7rovUqUJpEUY+CIYDETK
y9Qw9GT9ZxMEwYrL1YUX8jFs42YrmRwBuKcz9RRNzRfqKFwvAlOQ03PEWScTU3dhKFyY5RBxXIAU
ggng9QBYYYj8obBwkNnMkNFP4Q6RqyUkzWVYerPCWVHGaSGappDWndzZdZvTWWuFJ4DuFPEaIxM5
JLUloBBsNBYhR+Bk8VsIKJ5Tm7NepHUjlmK6WxIcNpmFuKb3SWUysFNvAwIeDnZP0cIv7/xsffEr
3zZKas1xJ8Hgg34nhmx5v3Q8ZTMMN8KZJ7yFEARDDzgLyRNXh4tMvSgNBUTPF5HtAwl2FhQgUm4D
aKDqa7ulA44qmtsRkCQJEQkCQJFWRYpFikUIpEZBSRisUWLCEkimKKBqtccg+R9puXSZmgxOXCix
7Sv3CuFgnhEoiMZJuEjIbbUOO+Px+fU6wXCpCkQGcTWeQ070JBr5WKnotV4mjLgge5QorJNqbMfH
dHgSiCxVhIAlfAM5CaSaRhRAsNCSfnYExCRU9Kvj0nsfa6FQ4wJGQAkBkSQFBQUFBSKCgoKLIsIo
sFixYLFgsWKBFPGeXy9A8fzeOwwnmUs5Z9S6RJZ+/jyfni335NIjZ4arLtD9/EQ+CgOBfo0qmCQR
Mjl6iii1BQf3xiIIgkRGeX3SbZPQ5KZIhg4cHGqi+696Yl5uZkmCop3rqSdyRaf39q9cLsF9vxmY
Zmx0HgKA7DUYueBsvSwgcSFCchHKAYCGRq2kqiqn8ENnYKF8l5OlHxDJMUzCXvsKNFKlQ7lTeh4o
KgzL0mHomFhqQ7z7WfeuVE6GFixNxOyN8PYR6tIb9HVKTomGDIugES2SqTOZqKCrcJFdZP5CiI8h
wS0QlTDQomAhAjRQBh2plYoOg7FqZxVAaGwNAm+TwMCiHIyBZzTCYcxNjqWcU3JgooihDEkoU8Jk
yZFh0sQMlyAdxRMFHcQoIKPipVdDkzIUDQxUWA5JlsFhioodBNCcFw7ZIIBzPrTkcdmWgrLQrBRR
SXS1tl4WIhyRomMSVKCiCyszKg4UEw4ORyNBDQncZJQOiEnN1qzpvXfTXVy6rtbM0bCauRJxTaSo
sAQUTjeOSRbqX4/c+n2ff3bmTQk3vQkRzdyri+6NjGJBRfzi4yc5eu6xILsqUpS0SCzORpRMmheT
LwdpeSHXCTJUtE+7uMAvEcPBtSZhVK579tQFslGDQuSw4fjzxvSxI8bPhk71YO9mxVSiS81k2hxE
wiiPv72qUiQeBJtDNlVVQpI+Oa2INBPrOi9RbDcgSI0FjAlw0H5xE3RH/SIvw8a0BpV1tkGlzLgt
7FO8iPSQeYxegF2aSDCHCFBXQnjY1x9YC+EbJsmCUsp4t+GHgnnf8T8cCNSGX9Z/hy4TApSjy8rS
eUqQfHfInvXp5sIL5OREHgGsESncfWA/q8z+UMGL3bDYziBgYKkO9dCEncJ2WLITJN8QwaNKwU04
FnzfFpFxCIgN8mIvSdKeKWPa6kMVTNye6JieovnN93/i/So2JEnzgEUIj73WQ39fKJ51VHsQnqLs
snwNYJ7I835c3D2r0d/3dx+wPns2+BwPxEFE2qnqBxJuwj5ZYnCi8ZqhH2lNqMX5f4d3xqd7ScdE
fOCdzWXk9pdDs9b6xUUSWZRovH2qTvEMF0vyiuY+TUJrXEuFGC0Nmt5ZS7H5q+Up/CWnWH8EN4YG
dDWfU+ETZ3qLA15TlGxR3OxFwW5wXfzmwYdd7B+J62lMTzmxVGar+D2lRzJ73RXqjI+384nNJX8D
uQr6Qw9nIjh7+4B8fd50eQEsO84TrOssR86N47Xk+v8CIT85DxQ1j+KnpR4LFkyQEtxaW5pCm2uR
KWOsESDSI7CK1gnjhgYGGTiUgC7Hm9XRoPzRzB6tP4E1iVyHWKB7N/nVPL7QceCj869PgP09HuEN
Hfw9qjwh2HvoQ5ESIgiIICZCwksJQ86Hb8Xyv0BQdXj6jFHga1wOtHM2kDrIw6iwNkHPzwkfSiem
+sE2uzHKfoPlfI+BEHiKAw8RA9gYGQ+JQWRT8b7bTJPuwQ3Hn54eSwmkI9DwPVzb/Uj4cwIg9yBp
QOfnoKrv0g9EGE5naWOUTsO09J+pEJ8vz6/qkB6jA7tYewuHmJgWNsKCBMMehG5gri2nu9vWD7QB
yej5ANLjkdijvXeQdQoGxH+APbO0ar8Bgz3UofrUT0a0YM9lPhZttmT0STyO3+0sQ3TxmvzuT3G7
VRTR3xGEdZS44B5B+kYPrR6fjPlDLQ6dZUuRLEV1GnVPq5E3PkTZNH5X0/3TW1S99LPX61kyUW8F
znEmInl+j8H3fl9jNtR8SflPtR5PUpi7QIfihJTNOQ+oPbx2fQd6dD6Yh25TmUoAIGnXgPgMD27h
SYZTBN6uwlKNLDBMCWVbD7qkBezT7nN8dNk6+8Hm0oYENjEPp3ax9xKknsh9zLKDCJ0Qlzq4ifu7
HX77NEe3xhmj29ezKI8iH3fu9ZffMW65ZZVKpRaNYqK+729J0nQJsbJOZ4CF4hPV8ATyrp9aNIqb
EzlmyqDRopENUUMRA+RzHlOfN6WBcB8qL0ViHM9QfPzRD1BT/0Pr+WZdpsIqhgf/i7kinChIM5Ez
rgA=

Attachment: 46341x46341.png.gz
Description: GNU Zip compressed data


reply via email to

[Prev in Thread] Current Thread [Next in Thread]