created PptParser.read_vba_storage for uncompressed data storages

Christian Herdtweck
1 parent a60d9f3e
Showing 2 changed files with 23 additions and 2 deletions
oletools/olevba.py
oletools/ppt_parser.py
@@ -2218,8 +2218,7 @@ class VBA_Parser(object):
                     storage_decomp = ppt.decompress_vba_storage(storage)
                     n_compressed += 1
                 else:
-                    log.warning('just guessing here: decompressed storage = storage?')
-                    storage_decomp = storage.read_all()  # not implemented yet
+                    storage_decomp = ppt.read_vba_storage_data(storage)
                 self.ole_subfiles.append(VBA_Parser(None, storage_decomp,
                                                     container='PptParser'))
             log.info('File is PPT with {} vba infos ({} with macros) and {} '
@@ -1490,6 +1490,28 @@ class PptParser(object):
                 stream.close()
+    def read_vba_storage_data(self, storage):
+        """ return data pointed to by uncompressed storage """
+
+        log.debug('reading uncompressed VBA OLE data stream')
+        stream = None
+        try:
+            log.debug('opening stream')
+            stream = self.ole.openstream(MAIN_STREAM_NAME)
+
+            log.debug('reading {} bytes starting at {}'
+                      .format(storage.data_size, storage.data_offset))
+            stream.seek(storage.data_offset, os.SEEK_SET)
+            data = stream.read(storage.data_size)
+
+            return data
+
+        finally:
+            if stream is not None:
+                log.debug('closing stream')
+                stream.close()
+
+
 def iterative_decompress(stream, size, chunk_size=4096):
     """ decompress data from stream chunk-wise """