From 3d0461dc84ab3fc9c2b15a199361d3c176ce6a9c Mon Sep 17 00:00:00 2001 From: Andy Ragusa Date: Tue, 6 Aug 2024 18:50:17 -0700 Subject: [PATCH] blah --- libclamav/ole2_extract.c | 5 +++-- libclamav/ole2_extract_images.h | 22 +++++++++++++--------- 2 files changed, 16 insertions(+), 11 deletions(-) diff --git a/libclamav/ole2_extract.c b/libclamav/ole2_extract.c index 6a5568e678..810ef94b67 100644 --- a/libclamav/ole2_extract.c +++ b/libclamav/ole2_extract.c @@ -76,6 +76,7 @@ #pragma pack 1 #endif +#define NUM_DIFAT_ENTRIES 109 // https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-cfb/05060311-bfce-4b12-874d-71fd4ce63aea typedef struct __attribute__((packed)) ole2_header_tag { unsigned char magic[8]; /* should be: 0xd0cf11e0a1b11ae1 */ @@ -114,7 +115,7 @@ typedef struct __attribute__((packed)) ole2_header_tag { int32_t sbat_block_count __attribute__((packed)); //number of minifat sectors int32_t xbat_start __attribute__((packed)); //first DIFAT sector location int32_t xbat_count __attribute__((packed)); //number of difat sectors - int32_t bat_array[109] __attribute__((packed)); //DIFAT + int32_t bat_array[NUM_DIFAT_ENTRIES] __attribute__((packed)); //DIFAT /* * The following is not part of the ole2 header, but stuff we need in @@ -2965,7 +2966,7 @@ cl_error_t cli_ole2_extract(const char *dirname, cli_ctx *ctx, struct uniq **fil * The random block that we *don't* want that is stuffed in the middel is in the DIFAT. * Need to skip it (1 << log2_big_block_size) and keep going. */ - for (andy = 0; andy < 109; andy++) { + for (andy = 0; andy < NUM_DIFAT_ENTRIES; andy++) { if (-1 == hdr.bat_array[andy]) { break; } diff --git a/libclamav/ole2_extract_images.h b/libclamav/ole2_extract_images.h index 51652edfc7..a6e1cef06a 100644 --- a/libclamav/ole2_extract_images.h +++ b/libclamav/ole2_extract_images.h 
@@ -926,10 +926,20 @@ static void ole2_extract_images(cli_ctx * ctx, ole2_header_t * ole2Hdr, ole2_ima total_needed += get_block_size(ole2Hdr); } - fprintf(stderr, "%s::%d::TODO: Verify that total_needed + tableStreamOffset does not cross into a FAT block\n", __FUNCTION__, __LINE__); - fprintf(stderr, "%s::%d::Needs to be a while bytes_processed < ...\n", __FUNCTION__, __LINE__); + size_t idx; + for (idx = 0; idx < NUM_DIFAT_ENTRIES; idx++) { + if (-1 == ole2Hdr->bat_array[idx]) { + break; + } -fprintf(stderr, "%s::%d::total_needed = %ld (0x%lx)\n", __FUNCTION__, __LINE__, total_needed, total_needed); + uint32_t reserved = (ole2Hdr->bat_array[idx]+1) << ole2Hdr->log2_big_block_size; + if ((reserved >= tableStreamOffset) && (reserved <= tableStreamOffset + total_needed)){ + fprintf(stderr, "%s::%d::total_needed crosses over a FAT block that must be skipped!!!!!\n", __FUNCTION__, __LINE__); + fprintf(stderr, "%s::%d::This is not currently handled!!!!!\n", __FUNCTION__, __LINE__); + exit(11); + } + + } ptr = fmap_need_off_once(ole2Hdr->map, tableStreamOffset, total_needed); if (NULL == ptr) { @@ -947,12 +957,6 @@ fprintf(stderr, "%s::%d::total_needed = %ld (0x%lx)\n", __FUNCTION__, __LINE__, return; } - /* - * imageCnt needs to be determined based on the number of records here, not the 'imageCnt' inside the blipStoreRecordHeader - */ - - uint32_t imageCnt = getRecInst (&blipStoreRecordHeader); - offset += sizeof(OfficeArtRecordHeader); /*Rec types taken from
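Review bot: The `exit(11)` in the new DIFAT loop of `ole2_extract_images` ends the whole host process from inside libclamav whenever a scanned document's table stream overlaps a FAT sector, so one malformed or crafted file stops the scanner; log through `cli_dbgmsg` and `return` instead of writing to stderr and exiting. The `reserved` computation also trusts header fields: a negative `bat_array[idx]` other than -1, or an oversized `log2_big_block_size`, makes the left shift undefined, and the 32-bit result can wrap so the overlap test passes silently. `tableStreamOffset + total_needed` can wrap too, depending on their types, which are declared outside this hunk. The fence does the arithmetic in 64 bits and rejects out-of-range entries; the function starts and ends outside the hunk, so confirm that a plain `return` is the right bail-out at this point. As far as this diff shows, `NUM_DIFAT_ENTRIES` is defined only in ole2_extract.c, so this header depends on being included after that `#define`.

```c
    size_t idx;
    for (idx = 0; idx < NUM_DIFAT_ENTRIES; idx++) {
        int32_t sector = ole2Hdr->bat_array[idx];
        if (-1 == sector) {
            break;
        }
        /* Header fields come from the scanned file: reject values that would make the shift undefined. */
        if (sector < 0 || ole2Hdr->log2_big_block_size >= 32) {
            cli_dbgmsg("ole2_extract_images: invalid DIFAT entry or sector size in header\n");
            return;
        }

        uint64_t reserved = ((uint64_t)sector + 1) << ole2Hdr->log2_big_block_size;
        uint64_t start    = (uint64_t)tableStreamOffset;
        /* Subtract instead of adding so the range test cannot wrap. */
        if ((reserved >= start) && (reserved - start <= (uint64_t)total_needed)) {
            cli_dbgmsg("ole2_extract_images: table stream crosses a FAT sector, which is not handled\n");
            return;
        }
    }
    /* … unchanged: fmap_need_off_once() call and NULL check … */
```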