diff --git a/libclamav/ole2_extract.c b/libclamav/ole2_extract.c index c7a10f3bab..1e8c9ad49f 100644 --- a/libclamav/ole2_extract.c +++ b/libclamav/ole2_extract.c @@ -983,6 +983,8 @@ static int ole2_walk_property_tree(ole2_header_t *hdr, const char *dir, int32_t prop_block[idx].start_block = ole2_endian_convert_32(prop_block[idx].start_block); prop_block[idx].size = ole2_endian_convert_32(prop_block[idx].size); + //fprintf(stderr, "%s::%d::start_block = %d (0x%x)\n", __FUNCTION__, __LINE__, prop_block[idx].start_block, prop_block[idx].start_block); + if ((64 < prop_block[idx].name_size) || (prop_block[idx].name_size % 2)) { cli_dbgmsg("ERROR: Invalid name_size %d\n", prop_block[idx].name_size); continue; @@ -994,20 +996,6 @@ static int ole2_walk_property_tree(ole2_header_t *hdr, const char *dir, int32_t memcpy(&(pImageDirectory->word_block), &(prop_block[idx]), sizeof((pImageDirectory->word_block))); pImageDirectory->bFibRgFcLcb97Header_initialized = getFibRgFcLcb97Header(&(prop_block[idx]), hdr, &(pImageDirectory->fibRgFcLcb97Header)); } - -#if 0 - { - size_t i; - here; - fprintf(stderr, "%s::%d::", __FUNCTION__, __LINE__ ); - for (i = sizeof(property_t); i < 1024; i++){ - fprintf(stderr, "%02x ", name[i]); - } - fprintf(stderr, "\n"); - } -#endif - - } else if (0 == ole2_cmp_name(prop_block[idx].name, prop_block[idx].name_size, "WorkBook")) { test_for_xls_encryption(&(prop_block[idx]), hdr, pEncryptionStatus); } else if (0 == ole2_cmp_name(prop_block[idx].name, prop_block[idx].name_size, "PowerPoint Document")) { @@ -1026,6 +1014,18 @@ static int ole2_walk_property_tree(ole2_header_t *hdr, const char *dir, int32_t memcpy(&(pImageDirectory->table_stream_0_block), &(prop_block[idx]), sizeof(pImageDirectory->table_stream_0_block)); pImageDirectory->table_stream_0_initialized = true; } +} else { + not finding it anywhere, try looking in the table stream; + size_t i; +uint32_t data_offset = get_stream_data_offset(hdr, &(prop_block[idx]), prop_block[idx].start_block); +uint8_t * ptr = fmap_need_off_once(hdr->map, data_offset, 4096); +fprintf(stderr, "%s::%d::%p", __FUNCTION__, __LINE__, ptr); +fprintf(stderr, "%s::%d::", __FUNCTION__, __LINE__); +for (i = 0; i < 25; i++){ + fprintf(stderr, "%02x ", ptr[i]); +} +fprintf(stderr, "\n"); + } ole2_listmsg("printing ole2 property\n"); @@ -2902,6 +2902,9 @@ cl_error_t cli_ole2_extract(const char *dirname, cli_ctx *ctx, struct uniq **fil fprintf(stderr, "%s::%d::Number of FAT sectors = %d (0x%x)\n", __FUNCTION__, __LINE__, hdr.prop_start, hdr.prop_start); fprintf(stderr, "%s::%d::Transaction sector Number = %d (0x%x)\n", __FUNCTION__, __LINE__, hdr.signature, hdr.signature); + fprintf(stderr, "%s::%d::First directory sector = %d (0x%x)\n", __FUNCTION__, __LINE__, hdr.signature * (1 << hdr.log2_big_block_size), hdr.signature * (1 << hdr.log2_big_block_size)); + + diff --git a/libclamav/ole2_extract_images.h b/libclamav/ole2_extract_images.h index 16ad0103f8..b58f086a1f 100644 --- a/libclamav/ole2_extract_images.h +++ b/libclamav/ole2_extract_images.h @@ -988,7 +988,7 @@ void ole2_process_image_directory( cli_ctx * ctx, ole2_header_t * hdr, ole2_imag fprintf(stderr, "\n%s::%d::tableStream->size = %d (0x%x)\n", __FUNCTION__, __LINE__, tableStream->size, tableStream->size); fprintf(stderr, "%s::%d::tableStream->type = %d (0x%x)\n", __FUNCTION__, __LINE__, tableStream->type, tableStream->type); fprintf(stderr, "%s::%d::tableStream->next = %d (0x%x)\n", __FUNCTION__, __LINE__, tableStream->next, tableStream->next); -fprintf(stderr, "%s::%d::Fix hardcoded 4k, probably with tableStream->size\n", __FUNCTION__, __LINE__); +fprintf(stderr, "%s::%d::Fix hardcoded 4k, probably with tableStream->size or block size\n", __FUNCTION__, __LINE__); if (NULL == ptr) { cli_dbgmsg("ERROR: Invalid offset for File Information Block %ld (0x%lx)\n", offset, offset); goto done;