GitList

libclamav/vba_extract.c

47bbbc56	/*
f893c0f3	* Extract VBA source code for component MS Office Documents
47bbbc56	*
2023340a	* Copyright (C) 2007-2008 Sourcefire, Inc. * * Authors: Trog, Nigel Horne
fa53d800	*
47bbbc56	* This program is free software; you can redistribute it and/or modify
2023340a	* it under the terms of the GNU General Public License version 2 as * published by the Free Software Foundation.
47bbbc56	* * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software
48b7b4a7	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, * MA 02110-1301, USA.
47bbbc56	*/
2023340a
fa53d800	#if HAVE_CONFIG_H #include "clamav-config.h" #endif
47bbbc56	#include <stdio.h> #include <string.h>
b58fdfc2	#ifdef HAVE_UNISTD_H
47bbbc56	#include <unistd.h>
b58fdfc2	#endif
47bbbc56	#include <fcntl.h> #include <stdlib.h> #include <ctype.h>
5f02033a	#include <zlib.h> #include "clamav.h"
47bbbc56
ca90717f	#include "others.h"
72ce4b70	#include "scanners.h"
9fe789f8	#include "vba_extract.h" #ifdef CL_DEBUG
c0195d1f	#include "mbox.h" #endif
fa53d800	#include "blob.h"
47bbbc56
9294cf21	#define PPT_LZW_BUFFSIZE 8192 #define VBA_COMPRESSION_WINDOW 4096
9fe789f8	#define MIDDLE_SIZE 20
16975455	#define MAX_VBA_COUNT 1000 /* If there's more than 1000 macros something's up! */
9294cf21
9fe789f8	#ifndef HAVE_ATTRIB_PACKED #define __attribute__(x)
ffd168d4	#endif
9fe789f8	/* * VBA (Visual Basic for Applications), versions 5 and 6 */
ffd168d4	struct vba56_header { unsigned char magic[2]; unsigned char version[4];
16975455	unsigned char ignore[28];
ffd168d4	};
9fe789f8	typedef struct {
24555841	uint32_t sig; const char *ver;
16975455	int big_endian; /* e.g. MAC Office */
47bbbc56	} vba_version_t;
9fe789f8	static int skip_past_nul(int fd);
16975455	static int read_uint16(int fd, uint16_t u, int big_endian); static int read_uint32(int fd, uint32_t u, int big_endian);
9fe789f8	static int seekandread(int fd, off_t offset, int whence, void *data, size_t len);
72ce4b70	static vba_project_t create_vba_project(int record_count, const char dir, struct uniq *U);
9fe789f8
e19ed67b	static uint16_t vba_endian_convert_16(uint16_t value, int big_endian)
31c42eb7	{
16975455	if (big_endian)
ffd168d4	return (uint16_t)be16_to_host(value);
75282b5c	else return le16_to_host(value);
337cb206	}
fa53d800
9fe789f8	/* Seems to be a duplicate of riff_endian_convert_32() */
e19ed67b	static uint32_t vba_endian_convert_32(uint32_t value, int big_endian)
31c42eb7	{
16975455	if (big_endian)
75282b5c	return be32_to_host(value); else return le32_to_host(value);
31c42eb7	}
337cb206
72ce4b70
fa53d800	static char *
16975455	get_unicode_name(const char *name, int size, int big_endian)
47bbbc56	{
9fe789f8	int i, increment; char newname, ret;
25ba8c63
69380565	if((name == NULL) \|\| (*name == '\0') \|\| (size <= 0))
9fe789f8	return NULL;
25ba8c63
ddc9e6c3	newname = (char )cli_malloc(size 7 + 1);
9fe789f8	if(newname == NULL) return NULL;
69380565
16975455	if((!big_endian) && (size & 0x1)) {
69380565	cli_dbgmsg("get_unicode_name: odd number of bytes %d\n", size); --size; }
16975455	increment = (big_endian) ? 1 : 2;
69380565	ret = newname;
9fe789f8	for(i = 0; i < size; i += increment) {
72ce4b70	if((!(name[i]&0x80)) && isprint(name[i])) { *ret++ = tolower(name[i]); } else {
9fe789f8	if((name[i] < 10) && (name[i] >= 0)) {
69380565	ret++ = '_'; ret++ = (char)(name[i] + '0'); } else {
9fe789f8	const uint16_t x = (uint16_t)((name[i] << 8) \| name[i + 1]);
ffd168d4
69380565	ret++ = '_'; ret++ = (char)('a'+((x&0xF))); ret++ = (char)('a'+((x>>4)&0xF)); ret++ = (char)('a'+((x>>8)&0xF));
9fe789f8	ret++ = 'a'; ret++ = 'a';
9e7e2c76	}
69380565	*ret++ = '_'; } }
9fe789f8	ret = '\0'; / Saves a lot of memory */ ret = cli_realloc(newname, (ret - newname) + 1); return ret ? ret : newname;
47bbbc56	}
349e0502
9fe789f8
349e0502	static void vba56_test_middle(int fd) {
9fe789f8	char test_middle[MIDDLE_SIZE];
fe0af0c1	/* MacOffice middle */
9fe789f8	static const uint8_t middle1_str[MIDDLE_SIZE] = {
dc890a72	0x00, 0x01, 0x0d, 0x45, 0x2e, 0xe1, 0xe0, 0x8f, 0x10, 0x1a, 0x85, 0x2e, 0x02, 0x60, 0x8c, 0x4d, 0x0b, 0xb4, 0x00, 0x00
349e0502	};
fe0af0c1	/* MS Office middle */
9fe789f8	static const uint8_t middle2_str[MIDDLE_SIZE] = {
fa53d800	0x00, 0x00, 0xe1, 0x2e, 0x45, 0x0d, 0x8f, 0xe0, 0x1a, 0x10,
fe0af0c1	0x85, 0x2e, 0x02, 0x60, 0x8c, 0x4d, 0x0b, 0xb4, 0x00, 0x00 };
349e0502
9fe789f8	if(cli_readn(fd, &test_middle, MIDDLE_SIZE) != MIDDLE_SIZE)
ffd168d4	return;
25ba8c63
9fe789f8	if((memcmp(test_middle, middle1_str, MIDDLE_SIZE) != 0) && (memcmp(test_middle, middle2_str, MIDDLE_SIZE) != 0)) {
dc890a72	cli_dbgmsg("middle not found\n");
9fe789f8	lseek(fd, -MIDDLE_SIZE, SEEK_CUR); } else
dc890a72	cli_dbgmsg("middle found\n");
349e0502	}
ac8154d9	static int
16975455	vba_read_project_strings(int fd, int big_endian)
dc890a72	{
9fe789f8	unsigned char *buf = NULL; uint16_t buflen = 0;
72ce4b70	int ret = 0;
9fe789f8	for(;;) { off_t offset;
d92098c8	uint16_t length; char *name;
72ce4b70	if(!read_uint16(fd, &length, big_endian)) break;
dc890a72	if (length < 6) { lseek(fd, -2, SEEK_CUR); break; }
9fe789f8	if(length > buflen) { unsigned char newbuf = (unsigned char )cli_realloc(buf, length); if(newbuf == NULL) { if(buf) free(buf);
72ce4b70	return 0;
9fe789f8	} buflen = length; buf = newbuf;
dc890a72	}
9fe789f8
dc890a72	offset = lseek(fd, 0, SEEK_CUR);
ffd168d4
9fe789f8	if(cli_readn(fd, buf, length) != (int)length) {
dc890a72	cli_dbgmsg("read name failed - rewinding\n"); lseek(fd, offset, SEEK_SET); break; }
16975455	name = get_unicode_name((const char *)buf, length, big_endian);
9fe789f8	cli_dbgmsg("length: %d, name: %s\n", length, (name) ? name : "[null]");
dc890a72
ac8154d9	if((name == NULL) \|\| (memcmp("*\\", name, 2) != 0) \|\|
72ce4b70	(strchr("ghcd", name[2]) == NULL)) {
16975455	/* Not a string */
dc890a72	lseek(fd, -(length+2), SEEK_CUR);
ac8154d9	if(name)
91aaa0ea	free(name);
dc890a72	break; } free(name);
ac8154d9
16975455	if(!read_uint16(fd, &length, big_endian)) {
9fe789f8	if(buf) free(buf);
72ce4b70	break;
9fe789f8	}
ac8154d9
72ce4b70	ret++;
ac8154d9	if ((length != 0) && (length != 65535)) { lseek(fd, -2, SEEK_CUR); continue; } offset = lseek(fd, 10, SEEK_CUR);
9fe789f8	cli_dbgmsg("offset: %lu\n", (unsigned long)offset);
dc890a72	vba56_test_middle(fd); }
9fe789f8	if(buf) free(buf);
72ce4b70	return ret;
dc890a72	}
349e0502
11d24f8a	vba_project_t *
72ce4b70	cli_vba_readdir(const char dir, struct uniq U, uint32_t which)
47bbbc56	{
9fe789f8	unsigned char *buf;
ffd168d4	const unsigned char vba56_signature[] = { 0xcc, 0x61 };
9fe789f8	uint16_t record_count, buflen, ffff, byte_count;
937ade08	uint32_t offset;
72ce4b70	int i, j, fd, big_endian = FALSE;
47bbbc56	vba_project_t *vba_project;
ffd168d4	struct vba56_header v56h;
72ce4b70	off_t seekback;
937ade08	char fullname[1024], *hash;
47bbbc56
11d24f8a	cli_dbgmsg("in cli_vba_readdir()\n");
f893c0f3
faa0d267	if(dir == NULL) return NULL;
9fe789f8	/* * _VBA_PROJECT files are embedded within office documents (OLE2) */
72ce4b70	if (!uniq_get(U, "_vba_project", 12, &hash)) return NULL;
58481352	snprintf(fullname, sizeof(fullname), "%s"PATHSEP"%s_%u", dir, hash, which);
72ce4b70	fullname[sizeof(fullname)-1] = '\0';
9fe789f8	fd = open(fullname, O_RDONLY\|O_BINARY);
47bbbc56
72ce4b70	if(fd == -1)
9fe789f8	return NULL;
47bbbc56
ffd168d4	if(cli_readn(fd, &v56h, sizeof(struct vba56_header)) != sizeof(struct vba56_header)) {
39ea36b7	close(fd);
47bbbc56	return NULL; }
ffd168d4	if (memcmp(v56h.magic, vba56_signature, sizeof(v56h.magic)) != 0) {
39ea36b7	close(fd);
47bbbc56	return NULL; }
72ce4b70	i = vba_read_project_strings(fd, TRUE); seekback = lseek(fd, 0, SEEK_CUR);
e357da7b	if (lseek(fd, sizeof(struct vba56_header), SEEK_SET) == -1) { close(fd);
72ce4b70	return NULL;
e357da7b	}
72ce4b70	j = vba_read_project_strings(fd, FALSE); if(!i && !j) {
39ea36b7	close(fd);
72ce4b70	cli_warnmsg("vba_readdir: Unable to guess VBA type\n");
47bbbc56	return NULL; }
72ce4b70	if (i > j) { big_endian = TRUE; lseek(fd, seekback, SEEK_SET); cli_dbgmsg("vba_readdir: Guessing big-endian\n"); } else { cli_dbgmsg("vba_readdir: Guessing little-endian\n"); }
fa53d800
47bbbc56	/* junk some more stuff */
e19ed67b	do
ffd168d4	if (cli_readn(fd, &ffff, 2) != 2) {
39ea36b7	close(fd);
47bbbc56	return NULL; }
e19ed67b	while(ffff != 0xFFFF);
cee86c13	/* check for alignment error */
9fe789f8	if(!seekandread(fd, -3, SEEK_CUR, &ffff, sizeof(uint16_t))) {
fa53d800	close(fd);
cee86c13	return NULL; }
9fe789f8	if (ffff != 0xFFFF)
cee86c13	lseek(fd, 1, SEEK_CUR);
fa53d800
16975455	if(!read_uint16(fd, &ffff, big_endian)) {
39ea36b7	close(fd);
47bbbc56	return NULL; }
9fe789f8	if(ffff != 0xFFFF)
ffd168d4	lseek(fd, ffff, SEEK_CUR);
9fe789f8
16975455	if(!read_uint16(fd, &ffff, big_endian)) {
39ea36b7	close(fd);
47bbbc56	return NULL; }
9fe789f8	if(ffff == 0xFFFF) ffff = 0; lseek(fd, ffff + 100, SEEK_CUR);
16975455	if(!read_uint16(fd, &record_count, big_endian)) {
39ea36b7	close(fd);
47bbbc56	return NULL; }
72ce4b70	cli_dbgmsg("vba_readdir: VBA Record count %d\n", record_count);
8bf5929e	if (record_count == 0) {
16975455	/* No macros, assume clean */
8bf5929e	close(fd);
ffd168d4	return NULL; }
16975455	if (record_count > MAX_VBA_COUNT) {
4c64f434	/* Almost certainly an error */
72ce4b70	cli_dbgmsg("vba_readdir: VBA Record count too big\n");
4c64f434	close(fd); return NULL; }
fa53d800
72ce4b70	vba_project = create_vba_project(record_count, dir, U);
9fe789f8	if(vba_project == NULL) {
bf34c7e7	close(fd); return NULL; }
9fe789f8	buf = NULL; buflen = 0;
ffd168d4	for(i = 0; i < record_count; i++) {
9fe789f8	uint16_t length;
e19ed67b	char *ptr;
9fe789f8
72ce4b70	vba_project->colls[i] = 0;
16975455	if(!read_uint16(fd, &length, big_endian))
ffd168d4	break;
dd1f3146	if (length == 0) {
72ce4b70	cli_dbgmsg("vba_readdir: zero name length\n");
ffd168d4	break; }
9fe789f8	if(length > buflen) { unsigned char newbuf = (unsigned char )cli_realloc(buf, length); if(newbuf == NULL) break; buflen = length; buf = newbuf;
47bbbc56	}
9fe789f8	if (cli_readn(fd, buf, length) != length) {
72ce4b70	cli_dbgmsg("vba_readdir: read name failed\n");
ffd168d4	break;
47bbbc56	}
e19ed67b	ptr = get_unicode_name((const char *)buf, length, big_endian);
72ce4b70	if(ptr == NULL) break; if (!(vba_project->colls[i]=uniq_get(U, ptr, strlen(ptr), &hash))) {
937ade08	cli_dbgmsg("vba_readdir: cannot find project %s (%s)\n", ptr, hash);
ffd168d4	break;
47bbbc56	}
937ade08	cli_dbgmsg("vba_readdir: project name: %s (%s)\n", ptr, hash);
72ce4b70	free(ptr); vba_project->name[i] = hash; if(!read_uint16(fd, &length, big_endian)) break;
47bbbc56	lseek(fd, length, SEEK_CUR);
72ce4b70	if(!read_uint16(fd, &ffff, big_endian))
ffd168d4	break; if (ffff == 0xFFFF) {
47bbbc56	lseek(fd, 2, SEEK_CUR);
72ce4b70	if(!read_uint16(fd, &ffff, big_endian))
ffd168d4	break;
9fe789f8	lseek(fd, ffff + 8, SEEK_CUR); } else lseek(fd, ffff + 10, SEEK_CUR);
47bbbc56
72ce4b70	if(!read_uint16(fd, &byte_count, big_endian))
ffd168d4	break; lseek(fd, (8 * byte_count) + 5, SEEK_CUR);
72ce4b70	if(!read_uint32(fd, &offset, big_endian))
ffd168d4	break;
72ce4b70	cli_dbgmsg("vba_readdir: offset: %u\n", (unsigned int)offset);
e19ed67b	vba_project->offset[i] = offset;
47bbbc56	lseek(fd, 2, SEEK_CUR); }
fa53d800
9fe789f8	if(buf) free(buf);
ffd168d4	close(fd);
fa53d800
ffd168d4	if(i < record_count) { free(vba_project->name);
72ce4b70	free(vba_project->colls);
ffd168d4	free(vba_project->dir); free(vba_project->offset); free(vba_project); return NULL;
47bbbc56	}
39ea36b7
ffd168d4	return vba_project;
47bbbc56	}
faa0d267	unsigned char *
11d24f8a	cli_vba_inflate(int fd, off_t offset, int *size)
47bbbc56	{
faa0d267	unsigned int pos, shift, mask, distance, clean;
47bbbc56	uint8_t flag;
faa0d267	uint16_t token;
fa53d800	blob *b;
47bbbc56	unsigned char buffer[VBA_COMPRESSION_WINDOW];
fa53d800
faa0d267	if(fd < 0) return NULL;
fa53d800	b = blobCreate(); if(b == NULL) return NULL; lseek(fd, offset+3, SEEK_SET); /* 1byte ?? , 2byte length ?? */
9fe789f8	clean = TRUE;
faa0d267	pos = 0;
fa53d800
5b25b5e8	while (cli_readn(fd, &flag, 1) == 1) {
faa0d267	for(mask = 1; mask < 0x100; mask<<=1) {
9fe789f8	unsigned int winpos = pos % VBA_COMPRESSION_WINDOW;
47bbbc56	if (flag & mask) {
faa0d267	uint16_t len;
9fe789f8	unsigned int srcpos;
faa0d267
9fe789f8	if(!read_uint16(fd, &token, FALSE)) {
fa53d800	blobDestroy(b);
9fe789f8	if(size)
ea399527	*size = 0;
39ea36b7	return NULL;
47bbbc56	}
faa0d267	shift = 12 - (winpos > 0x10) - (winpos > 0x20) - (winpos > 0x40) - (winpos > 0x80) - (winpos > 0x100) - (winpos > 0x200) - (winpos > 0x400) - (winpos > 0x800); len = (uint16_t)((token & ((1 << shift) - 1)) + 3);
47bbbc56	distance = token >> shift;
fa53d800
9fe789f8	srcpos = pos - distance - 1; if((((srcpos + len) % VBA_COMPRESSION_WINDOW) < winpos) && ((winpos + len) < VBA_COMPRESSION_WINDOW) && (((srcpos % VBA_COMPRESSION_WINDOW) + len) < VBA_COMPRESSION_WINDOW) && (len <= VBA_COMPRESSION_WINDOW)) { srcpos %= VBA_COMPRESSION_WINDOW; memcpy(&buffer[winpos], &buffer[srcpos], len); pos += len; } else
faa0d267	while(len-- > 0) {
9fe789f8	srcpos = (pos - distance - 1) % VBA_COMPRESSION_WINDOW; buffer[pos++ % VBA_COMPRESSION_WINDOW] = buffer[srcpos]; }
47bbbc56	} else {
9fe789f8	if((pos != 0) && (winpos == 0) && clean) {
5b25b5e8	if (cli_readn(fd, &token, 2) != 2) {
fa53d800	blobDestroy(b); if(size)
9fe789f8	*size = 0;
39ea36b7	return NULL;
47bbbc56	}
fa53d800	(void)blobAddData(b, buffer, VBA_COMPRESSION_WINDOW);
9fe789f8	clean = FALSE;
47bbbc56	break; }
9fe789f8	if(cli_readn(fd, &buffer[winpos], 1) == 1)
47bbbc56	pos++; }
9fe789f8	clean = TRUE;
47bbbc56	} }
9fe789f8	if(blobAddData(b, buffer, pos%VBA_COMPRESSION_WINDOW) < 0) {
fa53d800	blobDestroy(b); if(size)
9fe789f8	*size = 0;
fa53d800	return NULL; }
9fe789f8
fa53d800	if(size)
9fe789f8	size = (int)blobGetDataSize(b); return (unsigned char )blobToMem(b);
47bbbc56	}
7b9aed8c
9fe789f8	/* * See also cli_filecopy() */ static void ole_copy_file_data(int s, int d, uint32_t len)
892d2f56	{
9fe789f8	unsigned char data[FILEBUFF]; while(len > 0) {
16975455	int todo = MIN(sizeof(data), len);
9fe789f8
16975455	if(cli_readn(s, data, (unsigned int)todo) != todo)
9fe789f8	break;
16975455	if(cli_writen(d, data, (unsigned int)todo) != todo)
9fe789f8	break;
16975455	len -= todo;
9fe789f8	}
892d2f56	}
faa0d267	int
72ce4b70	cli_scan_ole10(int fd, cli_ctx *ctx)
892d2f56	{
72ce4b70	int ofd, ret;
892d2f56	uint32_t object_size;
9fe789f8	struct stat statbuf;
bbd6ca3f	char *fullname;
892d2f56
faa0d267	if(fd < 0)
72ce4b70	return CL_CLEAN;
faa0d267
72ce4b70	lseek(fd, 0, SEEK_SET);
9fe789f8	if(!read_uint32(fd, &object_size, FALSE))
72ce4b70	return CL_CLEAN;
fa53d800
9fe789f8	if(fstat(fd, &statbuf) == -1)
871177cd	return CL_ESTAT;
892d2f56
9fe789f8	if ((statbuf.st_size - object_size) >= 4) {
892d2f56	/* Probably the OLE type id */ if (lseek(fd, 2, SEEK_CUR) == -1) {
72ce4b70	return CL_CLEAN;
892d2f56	}
fa53d800
16975455	/* Attachment name */
9fe789f8	if(!skip_past_nul(fd))
72ce4b70	return CL_CLEAN;
fa53d800
16975455	/* Attachment full path */
9fe789f8	if(!skip_past_nul(fd))
72ce4b70	return CL_CLEAN;
fa53d800
16975455	/* ??? */
9fe789f8	if(lseek(fd, 8, SEEK_CUR) == -1)
72ce4b70	return CL_CLEAN;
fa53d800
16975455	/* Attachment full path */
9fe789f8	if(!skip_past_nul(fd))
72ce4b70	return CL_CLEAN;
fa53d800
9fe789f8	if(!read_uint32(fd, &object_size, FALSE))
72ce4b70	return CL_CLEAN;
892d2f56	}
33068e09	if(!(fullname = cli_gentemp(ctx ? ctx->engine->tmpdir : NULL))) {
72ce4b70	return CL_EMEM;
bbd6ca3f	}
16975455	ofd = open(fullname, O_RDWR\|O_CREAT\|O_TRUNC\|O_BINARY\|O_EXCL, S_IWUSR\|S_IRUSR);
ffd168d4	if (ofd < 0) {
bbd6ca3f	cli_warnmsg("cli_decode_ole_object: can't create %s\n", fullname); free(fullname);
871177cd	return CL_ECREAT;
892d2f56	}
72ce4b70	cli_dbgmsg("cli_decode_ole_object: decoding to %s\n", fullname);
892d2f56	ole_copy_file_data(fd, ofd, object_size);
c2d5447d	lseek(ofd, 0, SEEK_SET);
72ce4b70	ret = cli_magic_scandesc(ofd, ctx); close(ofd);
33068e09	if(ctx && !ctx->engine->keeptmp)
72ce4b70	if (cli_unlink(fullname))
871177cd	ret = CL_EUNLINK;
72ce4b70	free(fullname); return ret;
892d2f56	}
9fe789f8	/* * Powerpoint files */ typedef struct {
5f02033a	uint16_t type; uint32_t length; } atom_header_t;
9fe789f8	static int ppt_read_atom_header(int fd, atom_header_t *atom_header)
5f02033a	{
9fe789f8	uint16_t v; struct ppt_header { uint16_t ver; uint16_t type; uint32_t length; } h; cli_dbgmsg("in ppt_read_atom_header\n"); if(cli_readn(fd, &h, sizeof(struct ppt_header)) != sizeof(struct ppt_header)) { cli_dbgmsg("read ppt_header failed\n");
5f02033a	return FALSE; }
9fe789f8	v = vba_endian_convert_16(h.ver, FALSE);
16975455	cli_dbgmsg("\tversion: 0x%.2x\n", v & 0xF); cli_dbgmsg("\tinstance: 0x%.2x\n", v >> 4);
5f02033a
9fe789f8	atom_header->type = vba_endian_convert_16(h.type, FALSE); cli_dbgmsg("\ttype: 0x%.4x\n", atom_header->type); atom_header->length = vba_endian_convert_32(h.length, FALSE); cli_dbgmsg("\tlength: 0x%.8x\n", (int)atom_header->length); return TRUE;
5f02033a	}
9fe789f8	/*
16975455	* TODO: combine shared code with flatedecode() or cli_unzip_single() * Needs cli_unzip_single to have a "length" argument
9fe789f8	*/
16975455	static int ppt_unlzw(const char *dir, int fd, uint32_t length)
5f02033a	{
16975455	int ofd;
5f02033a	z_stream stream;
9fe789f8	unsigned char inbuff[PPT_LZW_BUFFSIZE], outbuff[PPT_LZW_BUFFSIZE];
9294cf21	char fullname[NAME_MAX + 1];
fa53d800
58481352	snprintf(fullname, sizeof(fullname) - 1, "%s"PATHSEP"ppt%.8lx.doc",
9294cf21	dir, (long)lseek(fd, 0L, SEEK_CUR));
fa53d800
16975455	ofd = open(fullname, O_WRONLY\|O_CREAT\|O_TRUNC\|O_BINARY\|O_EXCL, S_IWUSR\|S_IRUSR);
ffd168d4	if (ofd == -1) {
16975455	cli_warnmsg("ppt_unlzw: can't create %s\n", fullname);
ffd168d4	return FALSE; }
fa53d800
5f02033a	stream.zalloc = Z_NULL; stream.zfree = Z_NULL;
9fe789f8	stream.opaque = (void )NULL; stream.next_in = (Bytef )inbuff; stream.next_out = outbuff; stream.avail_out = sizeof(outbuff); stream.avail_in = MIN(length, PPT_LZW_BUFFSIZE);
fa53d800
9fe789f8	if(cli_readn(fd, inbuff, stream.avail_in) != (int)stream.avail_in) {
5f02033a	close(ofd);
c0a95e0c	cli_unlink(fullname);
5f02033a	return FALSE; } length -= stream.avail_in;
fa53d800
16975455	if(inflateInit(&stream) != Z_OK) { close(ofd);
c0a95e0c	cli_unlink(fullname);
16975455	cli_warnmsg("ppt_unlzw: inflateInit failed\n"); return FALSE;
5f02033a	}
fa53d800
5f02033a	do { if (stream.avail_out == 0) { if (cli_writen(ofd, outbuff, PPT_LZW_BUFFSIZE) != PPT_LZW_BUFFSIZE) { close(ofd); inflateEnd(&stream); return FALSE; } stream.next_out = outbuff; stream.avail_out = PPT_LZW_BUFFSIZE; } if (stream.avail_in == 0) { stream.next_in = inbuff;
b81763ab	stream.avail_in = MIN(length, PPT_LZW_BUFFSIZE);
9fe789f8	if (cli_readn(fd, inbuff, stream.avail_in) != (int)stream.avail_in) {
5f02033a	close(ofd); inflateEnd(&stream); return FALSE; } length -= stream.avail_in; }
9fe789f8	} while(inflate(&stream, Z_NO_FLUSH) == Z_OK);
fa53d800
a45c7039	if (cli_writen(ofd, outbuff, PPT_LZW_BUFFSIZE-stream.avail_out) != (int)(PPT_LZW_BUFFSIZE-stream.avail_out)) {
5f02033a	close(ofd); inflateEnd(&stream); return FALSE; }
9fe789f8	close(ofd); return inflateEnd(&stream) == Z_OK;
5f02033a	}
9fe789f8	static const char * ppt_stream_iter(int fd, const char *dir)
42034091	{
fa53d800	atom_header_t atom_header; while(ppt_read_atom_header(fd, &atom_header)) {
9fe789f8	if(atom_header.length == 0)
8c601f9f	return NULL;
9fe789f8	if(atom_header.type == 0x1011) {
16975455	uint32_t length;
9fe789f8
16975455	/* Skip over ID */ if(lseek(fd, sizeof(uint32_t), SEEK_CUR) == -1) { cli_dbgmsg("ppt_stream_iter: seek failed\n");
42034091	return NULL; }
9fe789f8	length = atom_header.length - 4;
16975455	cli_dbgmsg("length: %d\n", (int)length);
9fe789f8	if (!ppt_unlzw(dir, fd, length)) {
42034091	cli_dbgmsg("ppt_unlzw failed\n"); return NULL; } } else {
9fe789f8	off_t offset = lseek(fd, 0, SEEK_CUR);
3863b5ce	/* Check we don't wrap */
9d3c38ba	if ((offset + (off_t)atom_header.length) < offset) {
3863b5ce	break; } offset += atom_header.length;
9fe789f8	if (lseek(fd, offset, SEEK_SET) != offset) {
42034091	break; } } }
9fe789f8	return dir;
42034091	}
9fe789f8	char *
33068e09	cli_ppt_vba_read(int ifd, cli_ctx *ctx)
5f02033a	{
9fe789f8	char dir; const char ret;
fa53d800
9fe789f8	/* Create a directory to store the extracted OLE2 objects */
33068e09	dir = cli_gentemp(ctx ? ctx->engine->tmpdir : NULL);
11d24f8a	if(dir == NULL) return NULL;
9fe789f8	if(mkdir(dir, 0700)) {
11d24f8a	cli_errmsg("cli_ppt_vba_read: Can't create temporary directory %s\n", dir);
9fe789f8	free(dir); return NULL; }
72ce4b70	ret = ppt_stream_iter(ifd, dir);
9fe789f8	if(ret == NULL) { cli_rmdirs(dir); free(dir); return NULL; } return dir;
42034091	}
9fe789f8	/* * Word 6 macros */ typedef struct { unsigned char unused[12]; uint32_t macro_offset; uint32_t macro_len;
7b9aed8c	} mso_fib_t; typedef struct macro_entry_tag { uint32_t len; uint32_t offset;
b5231f5f	unsigned char key;
7b9aed8c	} macro_entry_t; typedef struct macro_info_tag {
9fe789f8	struct macro_entry_tag *entries;
b5231f5f	uint16_t count;
7b9aed8c	} macro_info_t;
9fe789f8	static int word_read_fib(int fd, mso_fib_t *fib)
7b9aed8c	{
9fe789f8	struct { uint32_t offset; uint32_t len; } macro_details;
fa53d800
9fe789f8	if(!seekandread(fd, 0x118, SEEK_SET, &macro_details, sizeof(macro_details))) { cli_dbgmsg("read word_fib failed\n");
7b9aed8c	return FALSE; }
9fe789f8	fib->macro_offset = vba_endian_convert_32(macro_details.offset, FALSE); fib->macro_len = vba_endian_convert_32(macro_details.len, FALSE);
fa53d800
7b9aed8c	return TRUE; }
9fe789f8	static int word_read_macro_entry(int fd, macro_info_t *macro_info)
7b9aed8c	{
faa0d267	int msize;
9fe789f8	int count = macro_info->count; macro_entry_t macro_entry; #ifdef HAVE_PRAGMA_PACK #pragma pack(1) #endif #ifdef HAVE_PRAGMA_PACK_HPPA #pragma pack 1 #endif struct macro { unsigned char version; unsigned char key; unsigned char ignore[10]; uint32_t len __attribute__ ((packed)); uint32_t state __attribute__ ((packed)); uint32_t offset __attribute__ ((packed)); } m; const struct macro n; #ifdef HAVE_PRAGMA_PACK #pragma pack() #endif #ifdef HAVE_PRAGMA_PACK_HPPA #pragma pack #endif if(count == 0) return TRUE; msize = count sizeof(struct macro); m = cli_malloc(msize); if(m == NULL)
7b9aed8c	return FALSE;
9fe789f8	if(cli_readn(fd, m, msize) != msize) { free(m); cli_warnmsg("read %d macro_entries failed\n", count);
7b9aed8c	return FALSE; }
9fe789f8	macro_entry = macro_info->entries; n = m;
faa0d267	do {
9fe789f8	macro_entry->key = n->key; macro_entry->len = vba_endian_convert_32(n->len, FALSE); macro_entry->offset = vba_endian_convert_32(n->offset, FALSE); macro_entry++; n++;
faa0d267	} while(--count > 0);
9fe789f8	free(m);
7b9aed8c	return TRUE; }
9fe789f8	static macro_info_t * word_read_macro_info(int fd, macro_info_t *macro_info)
7b9aed8c	{
9fe789f8	if(!read_uint16(fd, &macro_info->count, FALSE)) {
bf79f6c3	cli_dbgmsg("read macro_info failed\n");
9fe789f8	macro_info->count = 0;
7b9aed8c	return NULL; } cli_dbgmsg("macro count: %d\n", macro_info->count);
9fe789f8	if(macro_info->count == 0) return NULL; macro_info->entries = (macro_entry_t )cli_malloc(sizeof(macro_entry_t) macro_info->count); if(macro_info->entries == NULL) { macro_info->count = 0;
7b9aed8c	return NULL; }
9fe789f8	if(!word_read_macro_entry(fd, macro_info)) { free(macro_info->entries); macro_info->count = 0; return NULL;
7b9aed8c	} return macro_info; }
9fe789f8	static int word_skip_oxo3(int fd)
7b9aed8c	{ uint8_t count; if (cli_readn(fd, &count, 1) != 1) { cli_dbgmsg("read oxo3 record1 failed\n"); return FALSE; } cli_dbgmsg("oxo3 records1: %d\n", count);
fa53d800
9fe789f8	if(!seekandread(fd, count * 14, SEEK_CUR, &count, 1)) {
bf79f6c3	cli_dbgmsg("read oxo3 record2 failed\n");
7b9aed8c	return FALSE; }
9fe789f8	if(count == 0) { uint8_t twobytes[2]; if(cli_readn(fd, twobytes, 2) != 2) {
bf79f6c3	cli_dbgmsg("read oxo3 failed\n");
7b9aed8c	return FALSE; }
9fe789f8	if(twobytes[0] != 2) { lseek(fd, -2, SEEK_CUR);
7b9aed8c	return TRUE; }
9fe789f8	count = twobytes[1];
7b9aed8c	}
faa0d267	if(count > 0)
7b9aed8c	if (lseek(fd, (count*4)+1, SEEK_CUR) == -1) {
bf79f6c3	cli_dbgmsg("lseek oxo3 failed\n");
7b9aed8c	return FALSE; }
faa0d267
7b9aed8c	cli_dbgmsg("oxo3 records2: %d\n", count); return TRUE; }
ac8154d9	static int
9fe789f8	word_skip_menu_info(int fd)
7b9aed8c	{
ac8154d9	uint16_t count;
fa53d800
9fe789f8	if(!read_uint16(fd, &count, FALSE)) {
bf79f6c3	cli_dbgmsg("read menu_info failed\n");
ac8154d9	return FALSE;
7b9aed8c	}
ac8154d9	cli_dbgmsg("menu_info count: %d\n", count);
7b9aed8c
ac8154d9	if(count) if(lseek(fd, count * 12, SEEK_CUR) == -1) return FALSE; return TRUE;
7b9aed8c	}
a27be3c7	static int
9fe789f8	word_skip_macro_extnames(int fd)
7b9aed8c	{
9fe789f8	int is_unicode, nbytes;
7b9aed8c	int16_t size;
fa53d800
9fe789f8	if(!read_uint16(fd, (uint16_t *)&size, FALSE)) {
7b9aed8c	cli_dbgmsg("read macro_extnames failed\n");
a27be3c7	return FALSE;
7b9aed8c	} if (size == -1) { /* Unicode flag */
9fe789f8	if(!read_uint16(fd, (uint16_t *)&size, FALSE)) {
bf79f6c3	cli_dbgmsg("read macro_extnames failed\n");
a27be3c7	return FALSE;
7b9aed8c	}
a27be3c7	is_unicode = 1; } else is_unicode = 0;
7b9aed8c	cli_dbgmsg("ext names size: 0x%x\n", size);
9fe789f8	nbytes = size; while(nbytes > 0) {
a27be3c7	uint8_t length;
96911b50	off_t offset;
a27be3c7	if (cli_readn(fd, &length, 1) != 1) {
69435d2d	cli_dbgmsg("read macro_extnames failed\n");
a27be3c7	return FALSE;
7b9aed8c	}
69435d2d
96911b50	if(is_unicode)
d9a9e1fc	offset = (off_t)length * 2 + 1;
96911b50	else
d9a9e1fc	offset = (off_t)length;
96911b50
16975455	/* ignore numref as well */ if(lseek(fd, offset + sizeof(uint16_t), SEEK_CUR) == -1) {
96911b50	cli_dbgmsg("read macro_extnames failed to seek\n");
a27be3c7	return FALSE;
fa53d800	}
9fe789f8	nbytes -= size;
7b9aed8c	}
a27be3c7	return TRUE;
7b9aed8c	}
d9a9e1fc	static int
9fe789f8	word_skip_macro_intnames(int fd)
7b9aed8c	{
faa0d267	uint16_t count;
fa53d800
9fe789f8	if(!read_uint16(fd, &count, FALSE)) {
bf79f6c3	cli_dbgmsg("read macro_intnames failed\n");
d9a9e1fc	return FALSE;
7b9aed8c	}
16975455	cli_dbgmsg("intnames count: %u\n", (unsigned int)count);
fa53d800
faa0d267	while(count-- > 0) {
d9a9e1fc	uint8_t length; /* id */
9fe789f8	if(!seekandread(fd, sizeof(uint16_t), SEEK_CUR, &length, sizeof(uint8_t))) {
d9a9e1fc	cli_dbgmsg("skip_macro_intnames failed\n"); return FALSE; }
fa53d800
d9a9e1fc	/* Internal name, plus one byte of unknown data */ if(lseek(fd, length + 1, SEEK_CUR) == -1) { cli_dbgmsg("skip_macro_intnames failed\n"); return FALSE; }
7b9aed8c	}
d9a9e1fc	return TRUE;
7b9aed8c	}
faa0d267	vba_project_t *
72ce4b70	cli_wm_readdir(int fd)
7b9aed8c	{
72ce4b70	int done;
7b9aed8c	off_t end_offset;
ac8154d9	unsigned char info_id;
9fe789f8	macro_info_t macro_info;
a27be3c7	vba_project_t *vba_project; mso_fib_t fib;
faa0d267
72ce4b70	if (!word_read_fib(fd, &fib))
7b9aed8c	return NULL;
fa53d800
ac8154d9	if(fib.macro_len == 0) {
72ce4b70	cli_dbgmsg("wm_readdir: No macros detected\n");
ac8154d9	/* Must be clean */ return NULL; }
72ce4b70	cli_dbgmsg("wm_readdir: macro offset: 0x%.4x\n", (int)fib.macro_offset); cli_dbgmsg("wm_readdir: macro len: 0x%.4x\n\n", (int)fib.macro_len);
fa53d800
ac8154d9	/* Go one past the start to ignore start_id */ if (lseek(fd, fib.macro_offset + 1, SEEK_SET) != (off_t)(fib.macro_offset + 1)) {
72ce4b70	cli_dbgmsg("wm_readdir: lseek macro_offset failed\n");
7b9aed8c	return NULL; }
fa53d800
7b9aed8c	end_offset = fib.macro_offset + fib.macro_len;
a27be3c7	done = FALSE;
9fe789f8	memset(&macro_info, '\0', sizeof(macro_info));
fa53d800
16975455	while((lseek(fd, 0, SEEK_CUR) < end_offset) && !done) {
7b9aed8c	if (cli_readn(fd, &info_id, 1) != 1) {
72ce4b70	cli_dbgmsg("wm_readdir: read macro_info failed\n");
9fe789f8	break;
7b9aed8c	} switch (info_id) { case 0x01:
9fe789f8	if(macro_info.count) free(macro_info.entries); word_read_macro_info(fd, &macro_info); done = TRUE;
7b9aed8c	break; case 0x03:
9fe789f8	if(!word_skip_oxo3(fd))
7b9aed8c	done = TRUE; break; case 0x05:
9fe789f8	if(!word_skip_menu_info(fd))
7b9aed8c	done = TRUE; break; case 0x10:
9fe789f8	if(!word_skip_macro_extnames(fd))
7b9aed8c	done = TRUE; break; case 0x11:
9fe789f8	if(!word_skip_macro_intnames(fd))
7b9aed8c	done = TRUE; break;
16975455	case 0x40: /* end marker / case 0x12: / ??? */
ac8154d9	done = TRUE;
7b9aed8c	break; default:
72ce4b70	cli_dbgmsg("wm_readdir: unknown type: 0x%x\n", info_id);
ac8154d9	done = TRUE;
7b9aed8c	} }
fa53d800
a27be3c7
9fe789f8	if(macro_info.count == 0) return NULL;
72ce4b70	vba_project = create_vba_project(macro_info.count, "", NULL);
9fe789f8	if(vba_project) { vba_project->length = (uint32_t )cli_malloc(sizeof(uint32_t) macro_info.count); vba_project->key = (unsigned char )cli_malloc(sizeof(unsigned char) macro_info.count); if((vba_project->length != NULL) && (vba_project->key != NULL)) { int i; const macro_entry_t *m = macro_info.entries; for(i = 0; i < macro_info.count; i++) { vba_project->offset[i] = m->offset; vba_project->length[i] = m->len; vba_project->key[i] = m->key; m++; } } else {
7b9aed8c	free(vba_project->name);
72ce4b70	free(vba_project->colls);
7b9aed8c	free(vba_project->dir); free(vba_project->offset);
9fe789f8	if(vba_project->length) free(vba_project->length); if(vba_project->key) free(vba_project->key);
7b9aed8c	free(vba_project); vba_project = NULL; }
9fe789f8	} free(macro_info.entries);
a27be3c7
7b9aed8c	return vba_project; }
9fe789f8	unsigned char *
11d24f8a	cli_wm_decrypt_macro(int fd, off_t offset, uint32_t len, unsigned char key)
7b9aed8c	{ unsigned char *buff;
fa53d800
faa0d267	if(len == 0) return NULL; if(fd < 0)
2b459819	return NULL;
9fe789f8	buff = (unsigned char *)cli_malloc(len); if(buff == NULL)
7b9aed8c	return NULL;
9fe789f8	if(!seekandread(fd, offset, SEEK_SET, buff, len)) {
7b9aed8c	free(buff); return NULL; }
9fe789f8	if(key) { unsigned char *p;
faa0d267
9fe789f8	for(p = buff; p < &buff[len]; p++) *p ^= key; }
7b9aed8c	return buff; }
9fe789f8	/* * Keep reading bytes until we reach a NUL. Returns 0 if none is found */ static int skip_past_nul(int fd) {
f6f2869f	char *end; char smallbuf[128]; do { int nread = cli_readn(fd, smallbuf, sizeof(smallbuf)); if (nread <= 0) return FALSE; end = memchr(smallbuf, '\0', nread); if (end) { if (lseek(fd, 1 + (end-smallbuf) - nread, SEEK_CUR) < 0) return FALSE; return TRUE; } } while (1);
9fe789f8	} /* * Read 2 bytes as a 16-bit number, host byte order. Return success or fail */ static int
16975455	read_uint16(int fd, uint16_t *u, int big_endian)
9fe789f8	{ if(cli_readn(fd, u, sizeof(uint16_t)) != sizeof(uint16_t)) return FALSE;
16975455	u = vba_endian_convert_16(u, big_endian);
9fe789f8	return TRUE; } /* * Read 4 bytes as a 32-bit number, host byte order. Return success or fail */ static int
16975455	read_uint32(int fd, uint32_t *u, int big_endian)
9fe789f8	{ if(cli_readn(fd, u, sizeof(uint32_t)) != sizeof(uint32_t)) return FALSE;
16975455	u = vba_endian_convert_32(u, big_endian);
9fe789f8	return TRUE; } /* * Miss some bytes then read a bit / static int seekandread(int fd, off_t offset, int whence, void data, size_t len) { if(lseek(fd, offset, whence) == (off_t)-1) { cli_dbgmsg("lseek failed\n"); return FALSE; } return cli_readn(fd, data, (unsigned int)len) == (int)len; } /* * Create and initialise a vba_project structure / static vba_project_t
72ce4b70	create_vba_project(int record_count, const char dir, struct uniq U)
9fe789f8	{ vba_project_t ret; ret = (vba_project_t ) cli_malloc(sizeof(struct vba_project_tag)); if(ret == NULL) return NULL;
937ade08	ret->name = (char *)cli_malloc(sizeof(char ) * record_count);
72ce4b70	ret->colls = (uint32_t )cli_malloc(sizeof(uint32_t) record_count);
9fe789f8	ret->dir = cli_strdup(dir); ret->offset = (uint32_t )cli_malloc (sizeof(uint32_t) record_count); if((ret->name == NULL) \|\| (ret->dir == NULL) \|\| (ret->offset == NULL)) { if(ret->dir) free(ret->dir);
72ce4b70	if(ret->colls) free(ret->colls);
9fe789f8	if(ret->name) free(ret->name); if(ret->offset) free(ret->offset); free(ret); return NULL; } ret->count = record_count;
72ce4b70	ret->U = U;
9fe789f8	return ret; }