@@ -124,6 +124,7 @@ static const struct ftmap_s {

     { "CL_TYPE_XML_XL",		CL_TYPE_XML_XL		},

     { "CL_TYPE_HWP3",		CL_TYPE_HWP3		},

     { "CL_TYPE_XML_HWP",	CL_TYPE_XML_HWP		},

+    { "CL_TYPE_HWPOLE2",	CL_TYPE_HWPOLE2		},

     { NULL,			CL_TYPE_IGNORED		}

 };

@@ -112,6 +112,7 @@ typedef enum {

     CL_TYPE_XML_WORD,

     CL_TYPE_XML_XL,

     CL_TYPE_XML_HWP,

+    CL_TYPE_HWPOLE2,

     CL_TYPE_OTHER, /* on-the-fly, used for target 14 (OTHER) */

     CL_TYPE_IGNORED /* please don't add anything below */

@@ -190,6 +190,7 @@ static const char *ftypes_int[] = {

   "1:0:3c3f786d6c2076657273696f6e3d22312e3022*3c??3a576f726b626f6f6b:Microsoft Excel 2003 XML Document:CL_TYPE_ANY:CL_TYPE_XML_XL:80",

   "0:0:49492a00:TIFF Little Endian:CL_TYPE_ANY:CL_TYPE_GRAPHICS:81",

   "0:0:4d4d:TIFF Big Endian:CL_TYPE_ANY:CL_TYPE_GRAPHICS:81",

+  "0:4:d0cf11e0a1b11ae1:HWP embedded OLE2:CL_TYPE_ANY:CL_TYPE_HWPOLE2",

   "0:0:48575020446F63756D656E742046696C652056332E3030201A0102030405:HWP 3.x Document:CL_TYPE_ANY:CL_TYPE_HWP3:82",

   "1:0:efbbbf3c3f786d6c2076657273696f6e3d22312e3022*3c4857504d4c:HWPML Document:CL_TYPE_ANY:CL_TYPE_XML_HWP:82",

   NULL

@@ -54,7 +54,7 @@

 #define HWP5_DEBUG 0

 #define HWP3_DEBUG 1

-#define HWPML_DEBUG 1

+#define HWPML_DEBUG 0

 #if HWP5_DEBUG

 #define hwp5_debug(...) cli_dbgmsg(__VA_ARGS__)

 #else

@@ -179,6 +179,28 @@ static int decompress_and_callback(cli_ctx *ctx, fmap_t *input, off_t at, size_t

     return ret;

 }

+/*** HWPOLE2 ***/

+int cli_scanhwpole2(cli_ctx *ctx)

+{

+    fmap_t *map = *ctx->fmap;

+    uint32_t usize, asize;

+

+    asize = (uint32_t)(map->len - sizeof(usize));

+

+    if (fmap_readn(map, &usize, 0, sizeof(usize)) != sizeof(usize)) {

+        cli_errmsg("HWPOLE2: Failed to read uncompressed ole2 filesize\n");

+        return CL_EREAD;

+    }

+

+    if (usize != asize)

+        cli_warnmsg("HWPOLE2: Mismatched uncompressed prefix and size: %u != %u\n", usize, asize);

+    else

+        cli_dbgmsg("HWPOLE2: Matched uncompressed prefix and size: %u == %u\n", usize, asize);

+

+    return cli_map_scandesc(map, 4, map->len, ctx, CL_TYPE_ANY);

+    //return cli_map_scandesc(map, 4, map->len, ctx, CL_TYPE_OLE2);

+}

+

 /*** HWP5 ***/

 int cli_hwp5header(cli_ctx *ctx, hwp5_header_t *hwp5)

@@ -253,40 +275,16 @@ int cli_hwp5header(cli_ctx *ctx, hwp5_header_t *hwp5)

 static int hwp5_cb(void *cbdata, int fd, cli_ctx *ctx)

 {

-    int ret, ole2 = *(int *)cbdata;

+    int ret;

     if (fd < 0 || !ctx)

         return CL_ENULLARG;

-    /* trim off 32-bit prefix for OLE2 streams */

-    if (ole2) {

-        STATBUF statbuf;

-        fmap_t *map;

-

-        if (FSTAT(fd, &statbuf) == -1) {

-            cli_errmsg("HWP5.x: Can't stat file descriptor\n");

-            return CL_ESTAT;

-        }

-

-        map = fmap(fd, 0, statbuf.st_size);

-        if (!map) {

-            cli_errmsg("HWP5.x: Failed to get fmap for ole2 stream\n");

-            return CL_EMAP;

-        }

-

-        ret = cli_map_scandesc(map, 4, 0, ctx, CL_TYPE_ANY);

-        funmap(map);

-    } else {

-        ret = cli_magic_scandesc(fd, ctx);

-    }

-

-    return ret;

+    return cli_magic_scandesc(fd, ctx);

 }

 int cli_scanhwp5_stream(cli_ctx *ctx, hwp5_header_t *hwp5, char *name, int fd)

 {

-    int ole2;

-

     hwp5_debug("HWP5.x: NAME: %s\n", name);

     if (fd < 0) {

@@ -299,12 +297,6 @@ int cli_scanhwp5_stream(cli_ctx *ctx, hwp5_header_t *hwp5, char *name, int fd)

         !strncmp(name, "defaultjscript", 14) || !strncmp(name, "section", 7) ||

         !strncmp(name, "viewtext", 8) || !strncmp(name, "docinfo", 7)) {

-        ole2 = 0;

-        if (strstr(name, ".ole")) {

-            cli_dbgmsg("HWP5.x: Detected embedded OLE2 stream\n");

-            ole2 = 1;

-        }

-

         if (hwp5->flags & HWP5_PASSWORD) {

             cli_dbgmsg("HWP5.x: Password encrypted stream, scanning as-is\n");

             return cli_magic_scandesc(fd, ctx);

@@ -329,7 +321,7 @@ int cli_scanhwp5_stream(cli_ctx *ctx, hwp5_header_t *hwp5, char *name, int fd)

                 cli_errmsg("HWP5.x: Failed to get fmap for input stream\n");

                 return CL_EMAP;

             }

-            ret = decompress_and_callback(ctx, input, 0, 0, "HWP5.x", hwp5_cb, &ole2);

+            ret = decompress_and_callback(ctx, input, 0, 0, "HWP5.x", hwp5_cb, NULL);

             funmap(input);

             return ret;

         }

@@ -44,6 +44,9 @@ typedef struct hwp5_header {

     /* uint8_t reserved[216] */

 } hwp5_header_t;

+/* HWP EMBEDDED OLE2 - 4-byte prefixed OLE2 */

+int cli_scanhwpole2(cli_ctx *ctx);

+

 /* HWP 5.0 - OLE2 */

 int cli_hwp5header(cli_ctx *ctx, hwp5_header_t *hwp5);

 int cli_scanhwp5_stream(cli_ctx *ctx, hwp5_header_t *hwp5, char *name, int fd);

@@ -2685,7 +2685,8 @@ static int magic_scandesc(cli_ctx *ctx, cli_file_t type)

                 type == CL_TYPE_XML_WORD ||

                 type == CL_TYPE_XML_XL ||

                 type == CL_TYPE_HWP3 ||

-                type == CL_TYPE_XML_HWP) {

+                type == CL_TYPE_XML_HWP ||

+                type == CL_TYPE_HWPOLE2) {

                 ctx->properties = json_object_new_object();

                 if (NULL == ctx->properties) {

                     cli_errmsg("magic_scandesc: no memory for json properties object\n");

@@ -2847,6 +2848,10 @@ static int magic_scandesc(cli_ctx *ctx, cli_file_t type)

         ret = cli_scanhwp3(ctx);

         break;

+    case CL_TYPE_HWPOLE2:

+        ret = cli_scanhwpole2(ctx);

+        break;

+

     case CL_TYPE_XML_WORD:

         ret = cli_scanmsxml(ctx);

         break;