From 3247071fcb5a462ba49063e997241116aaa3be12 Mon Sep 17 00:00:00 2001
From: decalage2
Date: Thu, 8 Jun 2017 21:32:47 +0200
Subject: [PATCH] rtfobj: fixed issue #143 - bin objects with negative length are now ignored
---
 oletools/rtfobj.py | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/oletools/rtfobj.py b/oletools/rtfobj.py
index b2f9384..d9e0d6c 100644
--- a/oletools/rtfobj.py
+++ b/oletools/rtfobj.py
@@ -71,8 +71,9 @@ http://www.decalage.info/python/oletools
 # long parameter)
 # 2017-04-11 PL: - added detection of the OLE2Link vulnerability CVE-2017-0199
 # 2017-05-04 PL: - fixed issue #164 to handle linked OLE objects
+# 2017-06-08 PL: - fixed issue/PR #143: bin object with negative length
-__version__ = '0.51dev7'
+__version__ = '0.51dev8'
 # ------------------------------------------------------------------------------
 # TODO:
@@ -500,8 +501,11 @@ class RtfParser(object):
 def _bin(self, matchobject, param):
 binlen = int(param)
 if binlen < 0:
- binlen = int(param.strip('-'))
-
+ log.warn('Detected anti-analysis trick: \\bin object with negative length at index %X' % self.index)
+ # binlen = int(param.strip('-'))
+ # According to my tests, if the bin length is negative,
+ # it should be treated as a null length:
+ binlen=0
 log.debug('\\bin: reading %d bytes of binary data' % binlen)
 # TODO: handle optional space?
 # TODO: handle negative length, and length greater than data
--
libgit2 0.21.4
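Review bot: The context line `# TODO: handle negative length, and length greater than data` at the end of the `_bin` hunk is now half stale, since the negative case is handled a few lines above; I would trim it to `# TODO: handle length greater than data` so the remaining gap on document-controlled `\bin` lengths stays visible. The new call uses `log.warn`, a deprecated alias if `log` is a standard `logging.Logger` (its definition is outside the hunk); `log.warning('Detected anti-analysis trick: \\bin object with negative length at index %X', self.index)` is the supported form and defers the formatting. The commented-out `# binlen = int(param.strip('-'))` could be replaced by a comment naming which RTF reader and version the "null length" behaviour was tested against, because the extractor only sees through this trick while it parses `\bin` the same way the target application does. The rest of `_bin` lies outside the hunk, so how a zero length is consumed afterwards cannot be checked from here.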