blah

Cisco-Talos · Aug 7, 2024 · 3d0461d · 3d0461d
1 parent 0f75b29
commit 3d0461d
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 11 deletions.
diff --git a/libclamav/ole2_extract.c b/libclamav/ole2_extract.c
@@ -76,6 +76,7 @@
 #pragma pack 1
 #endif
 
+#define NUM_DIFAT_ENTRIES 109
 // https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-cfb/05060311-bfce-4b12-874d-71fd4ce63aea
 typedef struct __attribute__((packed)) ole2_header_tag {
     unsigned char magic[8]; /* should be: 0xd0cf11e0a1b11ae1 */
@@ -114,7 +115,7 @@ typedef struct __attribute__((packed)) ole2_header_tag {
     int32_t sbat_block_count __attribute__((packed));               //number of minifat sectors
     int32_t xbat_start __attribute__((packed));                     //first DIFAT sector location
     int32_t xbat_count __attribute__((packed));                     //number of difat sectors
-    int32_t bat_array[109] __attribute__((packed));                 //DIFAT
+    int32_t bat_array[NUM_DIFAT_ENTRIES] __attribute__((packed));                 //DIFAT
 
     /*
      * The following is not part of the ole2 header, but stuff we need in
@@ -2965,7 +2966,7 @@ cl_error_t cli_ole2_extract(const char *dirname, cli_ctx *ctx, struct uniq **fil
      * The random block that we *don't* want that is stuffed in the middel is in the DIFAT.
      * Need to skip it (1 << log2_big_block_size) and keep going.
      */
-    for (andy = 0; andy < 109; andy++) {
+    for (andy = 0; andy < NUM_DIFAT_ENTRIES; andy++) {
         if (-1 == hdr.bat_array[andy]) {
             break;
         }

diff --git a/libclamav/ole2_extract_images.h b/libclamav/ole2_extract_images.h
@@ -926,10 +926,20 @@ static void ole2_extract_images(cli_ctx * ctx, ole2_header_t * ole2Hdr, ole2_ima
         total_needed += get_block_size(ole2Hdr);
     }
 
-    fprintf(stderr, "%s::%d::TODO: Verify that total_needed + tableStreamOffset does not cross into a FAT block\n", __FUNCTION__, __LINE__);
-    fprintf(stderr, "%s::%d::Needs to be a while bytes_processed < ...\n", __FUNCTION__, __LINE__);
+    size_t idx;
+    for (idx = 0; idx < NUM_DIFAT_ENTRIES; idx++) {
+        if (-1 == ole2Hdr->bat_array[idx]) {
+            break;
+        }
 
-fprintf(stderr, "%s::%d::total_needed = %ld (0x%lx)\n", __FUNCTION__, __LINE__, total_needed, total_needed);
+        uint32_t reserved = (ole2Hdr->bat_array[idx]+1) << ole2Hdr->log2_big_block_size;
+        if ((reserved >= tableStreamOffset) && (reserved <= tableStreamOffset + total_needed)){
+            fprintf(stderr, "%s::%d::total_needed crosses over a FAT block that must be skipped!!!!!\n", __FUNCTION__, __LINE__);
+            fprintf(stderr, "%s::%d::This is not currently handled!!!!!\n", __FUNCTION__, __LINE__);
+            exit(11);
+        }
+
+    }
 
     ptr = fmap_need_off_once(ole2Hdr->map, tableStreamOffset, total_needed);
     if (NULL == ptr) {
@@ -947,12 +957,6 @@ fprintf(stderr, "%s::%d::total_needed = %ld (0x%lx)\n", __FUNCTION__, __LINE__,
         return;
     }
 
-    /*
-     * imageCnt needs to be determined based on the number of records here, not the 'imageCnt' inside the blipStoreRecordHeader
-     */
-
-    uint32_t imageCnt = getRecInst (&blipStoreRecordHeader);
-
     offset += sizeof(OfficeArtRecordHeader);
 
     /*Rec types taken from