--- a/nsprpub/TAG-INFO
+++ b/nsprpub/TAG-INFO
@@ -1,1 +1,1 @@
-NSPR_4_8_7_BETA2
+NSPR_4_8_7_RTM

--- a/nsprpub/config/prdepend.h
+++ b/nsprpub/config/prdepend.h
@@ -38,8 +38,9 @@
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSPR in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
 
+

--- a/nsprpub/config/rules.mk
+++ b/nsprpub/config/rules.mk
@@ -458,16 +458,24 @@ DUMMY_DEPEND_H = $(topsrcdir)/config/prd
 
 # END OF HACK
 
 ################################################################################
 # Special gmake rules.
 ################################################################################
 
 #
+# Disallow parallel builds with MSVC < 8 since it can't open the PDB file in
+# parallel.
+#
+ifeq (,$(filter-out 1200 1300 1310,$(MSC_VER)))
+.NOTPARALLEL:
+endif
+
+#
 # Re-define the list of default suffixes, so gmake won't have to churn through
 # hundreds of built-in suffix rules for stuff we don't need.
 #
 .SUFFIXES:
 .SUFFIXES: .a .$(OBJ_SUFFIX) .c .cpp .s .h .i .pl
 
 #
 # Fake targets.  Always run these rules, even if a file/directory with that

--- a/nsprpub/pr/include/prinit.h
+++ b/nsprpub/pr/include/prinit.h
@@ -58,21 +58,21 @@ PR_BEGIN_EXTERN_C
 /*
 ** NSPR's version is used to determine the likelihood that the version you
 ** used to build your component is anywhere close to being compatible with
 ** what is in the underlying library.
 **
 ** The format of the version string is
 **     "<major version>.<minor version>[.<patch level>] [<Beta>]"
 */
-#define PR_VERSION  "4.8.7 Beta"
+#define PR_VERSION  "4.8.7"
 #define PR_VMAJOR   4
 #define PR_VMINOR   8
 #define PR_VPATCH   7
-#define PR_BETA     PR_TRUE
+#define PR_BETA     PR_FALSE
 
 /*
 ** PRVersionCheck
 **
 ** The basic signature of the function that is called to provide version
 ** checking. The result will be a boolean that indicates the likelihood
 ** that the underling library will perform as the caller expects.
 **

--- a/security/coreconf/coreconf.dep
+++ b/security/coreconf/coreconf.dep
@@ -39,8 +39,9 @@
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
 
 
+

--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@@ -1,1 +1,1 @@
-NSS_3_12_9_BETA2
+NSS_3_12_9_RTM

--- a/security/nss/lib/freebl/jpake.c
+++ b/security/nss/lib/freebl/jpake.c
@@ -417,17 +417,18 @@ JPAKE_Round2(PLArenaPool * arena,
     if (x2s != NULL) {
         CHECK_MPI_OK( mp_init(&X2) );
         CHECK_MPI_OK( mp_init(&S) );
 
         SECITEM_TO_MPINT(*q, &Q);
         SECITEM_TO_MPINT(*x2, &X2);
         
         SECITEM_TO_MPINT(*s, &S);
-        if (mp_cmp(&S, &Q) >= 0) {
+        /* S must be in [1, Q-1] */
+        if (mp_cmp_z(&S) <= 0 || mp_cmp(&S, &Q) >= 0) {
             err = MP_BADARG;
             goto cleanup;
         }
 
         CHECK_MPI_OK( mp_mulmod(&X2, &S, &Q, &result) );
         MPINT_TO_SECITEM(&result, x2s, arena);
     }
 

--- a/security/nss/lib/freebl/win_rand.c
+++ b/security/nss/lib/freebl/win_rand.c
@@ -146,29 +146,31 @@ EnumSystemFilesInFolder(Handler func, PR
     HANDLE              lFindHandle;
     WIN32_FIND_DATAW    fdData;
     PRUnichar           szFileName[_MAX_PATH];
 
     if (maxDepth < 0)
     	return;
     // append *.* so we actually look for files.
     _snwprintf(szFileName, _MAX_PATH, L"%s\\*.*", szSysDir);
+    szFileName[_MAX_PATH - 1] = L'\0';
 
     lFindHandle = FindFirstFileW(szFileName, &fdData);
     if (lFindHandle == INVALID_HANDLE_VALUE)
         return;
     do {
 	iContinue = 1;
 	if (wcscmp(fdData.cFileName, L".") == 0 ||
             wcscmp(fdData.cFileName, L"..") == 0) {
 	    // skip "." and ".."
 	} else {
 	    // pass the full pathname to the callback
 	    _snwprintf(szFileName, _MAX_PATH, L"%s\\%s", szSysDir, 
 		       fdData.cFileName);
+	    szFileName[_MAX_PATH - 1] = L'\0';
 	    if (fdData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) {
 		if (++uFolders <= MAX_FOLDERS)
 		    EnumSystemFilesInFolder(func, szFileName, maxDepth - 1);
 	    } else {
 		iContinue = (++uFiles <= MAX_FILES) && !(*func)(szFileName);
 	    }
 	}
 	if (iContinue)

--- a/security/nss/lib/nss/nss.h
+++ b/security/nss/lib/nss/nss.h
@@ -31,17 +31,17 @@
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: nss.h,v 1.81.2.3 2010/09/23 17:07:52 christophe.ravel.bugs%sun.com Exp $ */
+/* $Id: nss.h,v 1.81.2.4 2011/01/06 18:04:16 christophe.ravel.bugs%sun.com Exp $ */
 
 #ifndef __nss_h_
 #define __nss_h_
 
 /* The private macro _NSS_ECC_STRING is for NSS internal use only. */
 #ifdef NSS_ENABLE_ECC
 #ifdef NSS_ECC_MORE_THAN_SUITE_B
 #define _NSS_ECC_STRING " Extended ECC"
@@ -61,22 +61,22 @@
 
 /*
  * NSS's major version, minor version, patch level, build number, and whether
  * this is a beta release.
  *
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
  */
-#define NSS_VERSION  "3.12.9.0" _NSS_ECC_STRING _NSS_CUSTOMIZED " Beta"
+#define NSS_VERSION  "3.12.9.0" _NSS_ECC_STRING _NSS_CUSTOMIZED
 #define NSS_VMAJOR   3
 #define NSS_VMINOR   12
 #define NSS_VPATCH   9
 #define NSS_VBUILD   0
-#define NSS_BETA     PR_TRUE
+#define NSS_BETA     PR_FALSE
 
 #ifndef RC_INVOKED
 
 #include "seccomon.h"
 
 typedef struct NSSInitParametersStr NSSInitParameters;
 
 /*

--- a/security/nss/lib/pki/pkistore.c
+++ b/security/nss/lib/pki/pkistore.c
@@ -30,17 +30,17 @@
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: pkistore.c,v $ $Revision: 1.33 $ $Date: 2008/06/06 01:19:30 $";
+static const char CVS_ID[] = "@(#) $RCSfile: pkistore.c,v $ $Revision: 1.33.40.1 $ $Date: 2010/12/17 20:14:38 $";
 #endif /* DEBUG */
 
 #ifndef PKIM_H
 #include "pkim.h"
 #endif /* PKIM_H */
 
 #ifndef PKI_H
 #include "pki.h"
@@ -645,17 +645,21 @@ nssCertificateStore_AddTrust (
 {
     NSSCertificate *cert;
     certificate_hash_entry *entry;
     cert = trust->certificate;
     PZ_Lock(store->lock);
     entry = (certificate_hash_entry *)
                               nssHash_Lookup(store->issuer_and_serial, cert);
     if (entry) {
-	entry->trust = nssTrust_AddRef(trust);
+	NSSTrust* newTrust = nssTrust_AddRef(trust);
+	if (entry->trust) {
+	    nssTrust_Destroy(entry->trust);
+	}
+	entry->trust = newTrust;
     }
     PZ_Unlock(store->lock);
     return (entry) ? PR_SUCCESS : PR_FAILURE;
 }
 
 NSS_IMPLEMENT NSSTrust *
 nssCertificateStore_FindTrustForCertificate (
   nssCertificateStore *store,
@@ -682,17 +686,21 @@ nssCertificateStore_AddSMIMEProfile (
 {
     NSSCertificate *cert;
     certificate_hash_entry *entry;
     cert = profile->certificate;
     PZ_Lock(store->lock);
     entry = (certificate_hash_entry *)
                               nssHash_Lookup(store->issuer_and_serial, cert);
     if (entry) {
-	entry->profile = nssSMIMEProfile_AddRef(profile);
+	nssSMIMEProfile* newProfile = nssSMIMEProfile_AddRef(profile);
+	if (entry->profile) {
+	    nssSMIMEProfile_Destroy(entry->profile);
+	}
+	entry->profile = newProfile;
     }
     PZ_Unlock(store->lock);
     return (entry) ? PR_SUCCESS : PR_FAILURE;
 }
 
 NSS_IMPLEMENT nssSMIMEProfile *
 nssCertificateStore_FindSMIMEProfileForCertificate (
   nssCertificateStore *store,

--- a/security/nss/lib/smime/cmsdecode.c
+++ b/security/nss/lib/smime/cmsdecode.c
@@ -32,17 +32,17 @@
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 /*
  * CMS decoding.
  *
- * $Id: cmsdecode.c,v 1.9 2006/08/05 01:19:23 julien.pierre.bugs%sun.com Exp $
+ * $Id: cmsdecode.c,v 1.9.66.1 2010/12/23 18:03:41 kaie%kuix.de Exp $
  */
 
 #include "cmslocal.h"
 
 #include "cert.h"
 #include "key.h"
 #include "secasn1.h"
 #include "secitem.h"
@@ -458,16 +458,21 @@ nss_cms_decoder_work_data(NSSCMSDecoderC
      * to finish/flush the last block.  (This is an overly paranoid
      * check since all callers are in this file and simple inspection
      * proves they do it right.  But it could find a bug in future
      * modifications/development, that is why it is here.)
      */
     PORT_Assert ((data != NULL && len) || final);
 
     cinfo = NSS_CMSContent_GetContentInfo(p7dcx->content.pointer, p7dcx->type);
+    if (!cinfo) {
+	/* The original programmer didn't expect this to happen */
+	p7dcx->error = SEC_ERROR_LIBRARY_FAILURE;
+	goto loser;
+    }
 
     if (cinfo->ciphcx != NULL) {
 	/*
 	 * we are decrypting.
 	 * 
 	 * XXX If we get an error, we do not want to do the digest or callback,
 	 * but we want to keep decoding.  Or maybe we want to stop decoding
 	 * altogether if there is a callback, because obviously we are not

--- a/security/nss/lib/smime/cmsencode.c
+++ b/security/nss/lib/smime/cmsencode.c
@@ -32,17 +32,17 @@
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 /*
  * CMS encoding.
  *
- * $Id: cmsencode.c,v 1.6 2006/06/08 22:01:02 nelson%bolyard.com Exp $
+ * $Id: cmsencode.c,v 1.6.66.1 2010/12/23 18:03:41 kaie%kuix.de Exp $
  */
 
 #include "cmslocal.h"
 
 #include "cert.h"
 #include "key.h"
 #include "secasn1.h"
 #include "secoid.h"
@@ -420,16 +420,21 @@ nss_cms_encoder_work_data(NSSCMSEncoderC
      * check since all callers are in this file and simple inspection
      * proves they do it right.  But it could find a bug in future
      * modifications/development, that is why it is here.)
      */
     PORT_Assert ((data != NULL && len) || final);
 
     /* we got data (either from the caller, or from a lower level encoder) */
     cinfo = NSS_CMSContent_GetContentInfo(p7ecx->content.pointer, p7ecx->type);
+    if (!cinfo) {
+	/* The original programmer didn't expect this to happen */
+	p7ecx->error = SEC_ERROR_LIBRARY_FAILURE;
+	return SECFailure;
+    }
 
     /* Update the running digest. */
     if (len && cinfo->digcx != NULL)
 	NSS_CMSDigestContext_Update(cinfo->digcx, data, len);
 
     /* Encrypt this chunk. */
     if (cinfo->ciphcx != NULL) {
 	unsigned int inlen;	/* length of data being encrypted */
@@ -623,16 +628,22 @@ NSS_CMSEncoder_Update(NSSCMSEncoderConte
     /* hand data to the innermost decoder */
     if (p7ecx->childp7ecx) {
 	/* recursion here */
 	rv = NSS_CMSEncoder_Update(p7ecx->childp7ecx, data, len);
     } else {
 	/* we are at innermost decoder */
 	/* find out about our inner content type - must be data */
 	cinfo = NSS_CMSContent_GetContentInfo(p7ecx->content.pointer, p7ecx->type);
+	if (!cinfo) {
+	    /* The original programmer didn't expect this to happen */
+	    p7ecx->error = SEC_ERROR_LIBRARY_FAILURE;
+	    return SECFailure;
+	}
+
 	childtype = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
 	if (childtype != SEC_OID_PKCS7_DATA)
 	    return SECFailure;
 	/* and we must not have preset data */
 	if (cinfo->content.data != NULL)
 	    return SECFailure;
 
 	/*  hand it the data so it can encode it (let DER trickle up the chain) */
@@ -723,16 +734,22 @@ NSS_CMSEncoder_Finish(NSSCMSEncoderConte
     rv = nss_cms_encoder_work_data(p7ecx, NULL, NULL, 0, PR_TRUE, (p7ecx->childp7ecx == NULL));
     if (rv != SECSuccess)
 	goto loser;
 
     p7ecx->childp7ecx = NULL;
 
     /* find out about our inner content type - must be data */
     cinfo = NSS_CMSContent_GetContentInfo(p7ecx->content.pointer, p7ecx->type);
+    if (!cinfo) {
+	/* The original programmer didn't expect this to happen */
+	p7ecx->error = SEC_ERROR_LIBRARY_FAILURE;
+	rv = SECFailure;
+	goto loser;
+    }
     childtype = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
     if (childtype == SEC_OID_PKCS7_DATA && cinfo->content.data == NULL) {
 	SEC_ASN1EncoderClearTakeFromBuf(p7ecx->ecx);
 	/* now that TakeFromBuf is off, this will kick this encoder to finish encoding */
 	rv = SEC_ASN1EncoderUpdate(p7ecx->ecx, NULL, 0);
     }
 
     SEC_ASN1EncoderClearStreaming(p7ecx->ecx);

--- a/security/nss/lib/softoken/legacydb/lginit.c
+++ b/security/nss/lib/softoken/legacydb/lginit.c
@@ -31,17 +31,17 @@
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: lginit.c,v 1.14 2009/02/03 23:18:48 julien.pierre.boogz%sun.com Exp $ */
+/* $Id: lginit.c,v 1.14.22.1 2011/01/06 19:55:02 wtc%google.com Exp $ */
 
 #include "lowkeyi.h"
 #include "pcert.h"
 #include "keydbi.h"
 #include "lgdb.h"
 #include "secoid.h"
 #include "prenv.h"
 
@@ -535,19 +535,21 @@ lg_init(SDB **pSdb, int flags, NSSLOWCER
 	goto loser;
     }
     lgdb_p->hashTable = PL_NewHashTable(64, lg_HashNumber, lg_CompareValues,
 			SECITEM_HashCompare, NULL, 0);
     if (lgdb_p->hashTable == NULL) {
 	goto loser;
     }
 
+    sdb->private = lgdb_p;
+    sdb->version = 0;
     sdb->sdb_type = SDB_LEGACY;
     sdb->sdb_flags = flags;
-    sdb->private = lgdb_p;
+    sdb->app_private = NULL;
     sdb->sdb_FindObjectsInit = lg_FindObjectsInit;
     sdb->sdb_FindObjects = lg_FindObjects;
     sdb->sdb_FindObjectsFinal = lg_FindObjectsFinal;
     sdb->sdb_GetAttributeValue = lg_GetAttributeValue;
     sdb->sdb_SetAttributeValue = lg_SetAttributeValue;
     sdb->sdb_CreateObject = lg_CreateObject;
     sdb->sdb_DestroyObject = lg_DestroyObject;
     sdb->sdb_GetMetaData = lg_GetMetaData;

--- a/security/nss/lib/softoken/sdb.c
+++ b/security/nss/lib/softoken/sdb.c
@@ -15,16 +15,17 @@
  *
  * The Initial Developer of the Original Code is
  * Red Hat, Inc.
  * Portions created by the Initial Developer are Copyright (C) 2005
  * the Initial Developer. All Rights Reserved.
  *
  * Contributor(s):
  *   Robert Relyea (rrelyea@redhat.com)
+ *   Meena Vyas (meena.vyas@oracle.com)
  *
  * Alternatively, the contents of this file may be used under the terms of
  * either the GNU General Public License Version 2 or later (the "GPL"), or
  * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
  * in which case the provisions of the GPL or the LGPL are applicable instead
  * of those above. If you wish to allow use of your version of this file only
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
@@ -1905,30 +1906,33 @@ sdb_init(char *dbname, char *table, sdbD
     /* set the cache delay time. This is how long we will wait before we
      * decide the existing cache is stale. Currently set to 10 sec */
     sdb_p->updateInterval = PR_SecondsToInterval(10); 
     sdb_p->dbMon = PR_NewMonitor();
     /* these fields are protected by the lock */
     sdb_p->sqlXactDB = NULL;
     sdb_p->sqlXactThread = NULL;
     sdb->private = sdb_p;
+    sdb->version = 0;
     sdb->sdb_type = SDB_SQL;
     sdb->sdb_flags = flags | SDB_HAS_META;
+    sdb->app_private = NULL;
     sdb->sdb_FindObjectsInit = sdb_FindObjectsInit;
     sdb->sdb_FindObjects = sdb_FindObjects;
     sdb->sdb_FindObjectsFinal = sdb_FindObjectsFinal;
     sdb->sdb_GetAttributeValue = sdb_GetAttributeValue;
     sdb->sdb_SetAttributeValue = sdb_SetAttributeValue;
     sdb->sdb_CreateObject = sdb_CreateObject;
     sdb->sdb_DestroyObject = sdb_DestroyObject;
     sdb->sdb_GetMetaData = sdb_GetMetaData;
     sdb->sdb_PutMetaData = sdb_PutMetaData;
     sdb->sdb_Begin = sdb_Begin;
     sdb->sdb_Commit = sdb_Commit;
     sdb->sdb_Abort = sdb_Abort;
+    sdb->sdb_Reset = sdb_Reset;
     sdb->sdb_Close = sdb_Close;
     sdb->sdb_SetForkState = sdb_SetForkState;
 
     if (inTransaction) {
 	sqlerr = sqlite3_exec(sqlDB, COMMIT_CMD, NULL, 0, NULL);
 	if (sqlerr != SQLITE_OK) {
 	    error = sdb_mapSQLError(sdb_p->type, sqlerr);
 	    goto loser;

--- a/security/nss/lib/softoken/softkver.h
+++ b/security/nss/lib/softoken/softkver.h
@@ -52,16 +52,16 @@
 
 /*
  * Softoken's major version, minor version, patch level, build number,
  * and whether this is a beta release.
  *
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
  */
-#define SOFTOKEN_VERSION  "3.12.9.0" SOFTOKEN_ECC_STRING " Beta"
+#define SOFTOKEN_VERSION  "3.12.9.0" SOFTOKEN_ECC_STRING
 #define SOFTOKEN_VMAJOR   3
 #define SOFTOKEN_VMINOR   12
 #define SOFTOKEN_VPATCH   9
 #define SOFTOKEN_VBUILD   0
-#define SOFTOKEN_BETA     PR_TRUE
+#define SOFTOKEN_BETA     PR_FALSE
 
 #endif /* _SOFTKVER_H_ */

--- a/security/nss/lib/util/nssutil.h
+++ b/security/nss/lib/util/nssutil.h
@@ -46,16 +46,16 @@
 
 /*
  * NSS utilities's major version, minor version, patch level, build number,
  * and whether this is a beta release.
  *
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
  */
-#define NSSUTIL_VERSION  "3.12.9.0 Beta"
+#define NSSUTIL_VERSION  "3.12.9.0"
 #define NSSUTIL_VMAJOR   3
 #define NSSUTIL_VMINOR   12
 #define NSSUTIL_VPATCH   9
 #define NSSUTIL_VBUILD   0
-#define NSSUTIL_BETA     PR_TRUE
+#define NSSUTIL_BETA     PR_FALSE
 
 #endif /* __nssutil_h_ */

index e49d8bddfaba281d41a2491a3f8361bf11113a70..cca202a47e5203645bec5173ab9e53daa0fe3d5b
GIT binary patch
literal 1615
zc$|GyeM}Pv6z^TH1<JQAts>Zi2~w2uu22P?Mn1ZUOz0?7!xTBofrZkRUZH|aqzW=;
z!dL?;Ooc!&5k#4Zq__{KLkE)Sbj!#@&E}THp(5%gQ<=L%AhIRiAD4UI@BQBU9oYHF
zVCO|Ob5R6EeQZG!0Wa?OSk9%crZ+ty<G_>e7GAxk`iUok@OT`k>?Pd6jnB=%_(C*8
zLrB1n6$C;rEoISb^m)c5c#=^kC!`R_8r+5AX#<{aDW<J>3T3sKECs|0h<)jxNT)1?
zG;Yepi)jict@u`})l4ssjI`No@)9PPW`gB9Q(>gVOyXfW87w8DLBR%dg^OphCm2YY
z#-ni6HY;V!p>l97Y0&48R=vrHYc%iR330GM;z<BR5zLEyG8vJ8Xdo0(%2;J=CfE^g
zLI}Qm_r-h!L+s1mL=o=fl=DFHsuC5tCQ=5{Mp`IhKFnh~@fOa}5^`9=w!w~}l!tAR
z5kBC>8hJvOC?KL0OP9?CkFCWBz9K=al87QA6rdocm99cT0y99a$zs%#gfDorN*9r<
zhBV@9O*BP_LBy)uM4k#J3Qxfa23(Dm@B`uGMnoQJvQ$kPruGp4{*!Qvgh@swY2g$w
zrL>hQq^H-&6?w6so5@l$X<#8|APIi;1P~sF%b>(z^a9k5Ae<BJ+oVG$dgSpPE#qb0
zp<JC4MK15EH;8*R3Hx5G$9elT;b%0R71jKcqg7qe*8_I-=k;o1%x!}Uu9Y7=byWC!
zM|V?JJ9kCCb1+iT8!`N|vtHJ_SN-cPTS@6Rjxy?8UrW-rS$-L%Jv--bdTZ>5FWTZ8
zr45>quA<vH*He>vd+G+vp^4oW3;plyIC4BD=*C#QI^gu4qO>_G2)4x5+HE`C97h!$
ztL`3f6geMsRc+VqdX#^pz$g6p-xI!mR|5PxcW4q+gSDaA$8v(=Oa+yVeVKl@wqHJ6
zRVHZqB&B9~h`RX_G5YMzg(1;sNu|d%tEuRxr;*uhj_&v4>rgJjL0av|BL<Pt$=wDD
zF%&qH*B|JGi80Z!m_<ELzkHq}8ZOeR<{H;^<XzeZ?yT7x!?-A~8RA(%iZP6UWzEXw
zsA__x0K)*4RzvBEEmVZgVwg>ZX^R42shqJwBAWxpRszc__w4F5NcFf1agp#L9K!gn
z%<=MgE+`@ncpbZ5b{&GTw>1^QMP|NGkh11Cu(=@KDSEzF-Fw&>lDR#jDz%=YtG%<K
zAOXs!oe=~xgApR8Wk9Nf{yUUON1JE004rzQ(f?yW>dDt(Kv}>zQ{4mG0@*ED%^M*T
zHh@;_rY|J(sK`8hE(C!TT==}jUR=~46D1co!y5P=XRf5hG|4)XT|Nxr&4p0$!l~j0
zQ=Vyd(Gr@~5pp)w?0+Md<-?NiVuBw(hTBKpmMLq3pY+F`mY)B3tlOuNmbA5Uweo`w
z2|u|)<J@EUlZ3W4j|H1si~qP9OPaBR>5AP+XZL;;zqNhnGQIG#5!roPV`p8z+Vkd9
zh4sCb4`f{#*nWAXtmYqUZD98Kvev&g)}C86-Z$dDPg5aEDc`(X-q}>*v(70wi49~~
zzgB*fA9MFgt0ZCK(}B3?5dYuqQB7(0zu(k1`25hbW6NpB!}_z=avyk)J>U$K!y!kS
zvTo7m_eR!Ei06&}@~~oPxLxg<wVv<ssKOYt=wi@~^o;uWqIVPRl)x=jb@QrYPyU65
WIsO|CV5e%_8dePdSQ|cK>HilOyAE3b