Commit 3247071fcb5a462ba49063e997241116aaa3be12

Authored by decalage2
1 parent 7922da99

rtfobj: fixed issue #143 - bin objects with negative length are now ignored

Showing 1 changed file with 7 additions and 3 deletions
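--- a/oletools/rtfobj.py
+++ b/oletools/rtfobj.py
@@ -71,8 +71,9 @@ http://www.decalage.info/python/oletools
 # long parameter)
 # 2017-04-11 PL: - added detection of the OLE2Link vulnerability CVE-2017-0199
 # 2017-05-04 PL: - fixed issue #164 to handle linked OLE objects
+# 2017-06-08 PL: - fixed issue/PR #143: bin object with negative length
 
-__version__ = '0.51dev7'
+__version__ = '0.51dev8'
 
 # ------------------------------------------------------------------------------
 # TODO:
@@ -500,8 +501,11 @@ class RtfParser(object):
 def _bin(self, matchobject, param):
 binlen = int(param)
 if binlen < 0:
-binlen = int(param.strip('-'))
-
+log.warn('Detected anti-analysis trick: \\bin object with negative length at index %X' % self.index)
+# binlen = int(param.strip('-'))
+# According to my tests, if the bin length is negative,
+# it should be treated as a null length:
+binlen=0
 log.debug('\\bin: reading %d bytes of binary data' % binlen)
 # TODO: handle optional space?
 # TODO: handle negative length, and length greater than data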
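Review bot: The TODO at new line 511 still lists negative length as unhandled although the branch above now maps it to zero, so it should be narrowed to `# TODO: handle length greater than remaining data`. As far as this hunk shows, a `\bin` count larger than the remaining data is still not bounded, but `_bin` continues outside the hunk and may handle it there. Assuming `log` is a standard `logging.Logger`, `log.warn` is a deprecated alias and the message is formatted eagerly; prefer `log.warning('Detected anti-analysis trick: \\bin object with negative length at index %X', self.index)`. The commented-out `# binlen = int(param.strip('-'))` can be dropped, since the history keeps it. The "According to my tests" comment should name the Word version tested, because the extractor is only reliable on obfuscated samples while it matches the target parser's behaviour.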