Commit 3247071fcb5a462ba49063e997241116aaa3be12
1 parent
7922da99
rtfobj: fixed issue #143 - bin objects with negative length are now ignored
Showing
1 changed file
with
7 additions
and
3 deletions
oletools/rtfobj.py
| ... | ... | @@ -71,8 +71,9 @@ http://www.decalage.info/python/oletools |
| 71 | 71 | # long parameter) |
| 72 | 72 | # 2017-04-11 PL: - added detection of the OLE2Link vulnerability CVE-2017-0199 |
| 73 | 73 | # 2017-05-04 PL: - fixed issue #164 to handle linked OLE objects |
| 74 | +# 2017-06-08 PL: - fixed issue/PR #143: bin object with negative length | |
| 74 | 75 | |
| 75 | -__version__ = '0.51dev7' | |
| 76 | +__version__ = '0.51dev8' | |
| 76 | 77 | |
| 77 | 78 | # ------------------------------------------------------------------------------ |
| 78 | 79 | # TODO: |
| ... | ... | @@ -500,8 +501,11 @@ class RtfParser(object): |
| 500 | 501 | def _bin(self, matchobject, param): |
| 501 | 502 | binlen = int(param) |
| 502 | 503 | if binlen < 0: |
| 503 | - binlen = int(param.strip('-')) | |
| 504 | - | |
| 504 | + log.warn('Detected anti-analysis trick: \\bin object with negative length at index %X' % self.index) | |
| 505 | + # binlen = int(param.strip('-')) | |
| 506 | + # According to my tests, if the bin length is negative, | |
| 507 | + # it should be treated as a null length: | |
| 508 | + binlen=0 | |
| 505 | 509 | log.debug('\\bin: reading %d bytes of binary data' % binlen) |
| 506 | 510 | # TODO: handle optional space? |
| 507 | 511 | # TODO: handle negative length, and length greater than data | ... | ... |