HARDCODED FOR MY PARTICULAR TEST CASE, NEED TO CLEAN UP

libclamav/ole2_extract.c

@@ -86,6 +86,11 @@ typedef struct ole2_header_tag {
 
     uint16_t log2_big_block_size __attribute__((packed));   /* usually 9 (2^9 = 512) */
     uint32_t log2_small_block_size __attribute__((packed)); /* usually 6 (2^6 = 64) */
+    /*
+     * This is technically incorrect.  log2_small_block_size should be a uint16_t, and reserved should
+     * be 6 bytes.  This makes everything line up, but could potentially cause issues when switching byte order
+     * for log2_small_block_size.  Consider changing.
+     */
 
     int32_t reserved[2] __attribute__((packed));
     int32_t bat_count __attribute__((packed));
@@ -410,6 +415,7 @@ print_ole2_property(property_t *property)
 static void
 print_ole2_header(ole2_header_t *hdr)
 {
+#if 0
     if (!hdr || !cli_debug_flag) {
         return;
     }
@@ -437,6 +443,40 @@ print_ole2_header(ole2_header_t *hdr)
     cli_dbgmsg("XBat start:\t\t%d\n", hdr->xbat_start);
     cli_dbgmsg("XBat block count:\t%d\n", hdr->xbat_count);
     cli_dbgmsg("\n");
+
+
+
+#endif
+    fprintf(stderr, "\n");
+    fprintf(stderr, "Magic:\t\t\t0x%x%x%x%x%x%x%x%x\n",
+               hdr->magic[0], hdr->magic[1], hdr->magic[2], hdr->magic[3],
+               hdr->magic[4], hdr->magic[5], hdr->magic[6], hdr->magic[7]);
+
+    fprintf(stderr, "CLSID:\t\t\t{%x%x%x%x-%x%x-%x%x-%x%x-%x%x%x%x%x%x}\n",
+               hdr->clsid[0], hdr->clsid[1], hdr->clsid[2], hdr->clsid[3],
+               hdr->clsid[4], hdr->clsid[5], hdr->clsid[6], hdr->clsid[7],
+               hdr->clsid[8], hdr->clsid[9], hdr->clsid[10], hdr->clsid[11],
+               hdr->clsid[12], hdr->clsid[13], hdr->clsid[14], hdr->clsid[15]);
+
+    fprintf(stderr, "Minor version:\t\t0x%x\n", hdr->minor_version);
+    fprintf(stderr, "DLL version:\t\t0x%x\n", hdr->dll_version);
+    fprintf(stderr, "Byte Order:\t\t%d\n", hdr->byte_order);
+    fprintf(stderr, "Big Block Size:\t%i\n", hdr->log2_big_block_size);
+    fprintf(stderr, "Small Block Size:\t%i\n", hdr->log2_small_block_size);
+    fprintf(stderr, "BAT count:\t\t%d\n", hdr->bat_count);
+    fprintf(stderr, "Prop start:\t\t%d\n", hdr->prop_start);
+    fprintf(stderr, "SBAT cutoff:\t\t%d\n", hdr->sbat_cutoff);
+    fprintf(stderr, "SBat start:\t\t%d\n", hdr->sbat_start);
+    fprintf(stderr, "SBat block count:\t%d\n", hdr->sbat_block_count);
+    fprintf(stderr, "XBat start:\t\t%d\n", hdr->xbat_start);
+    fprintf(stderr, "XBat block count:\t%d\n", hdr->xbat_count);
+    fprintf(stderr, "\n");
+
+
+
+
+
+
     return;
 }
 
@@ -636,6 +676,7 @@ static int ole2_cmp_name(const char *const name, uint32_t name_size, const char
         decoded[j] = ((unsigned char)name[i + 1]) << 4;
         decoded[j] += name[i];
     }
+    //fprintf(stderr, "%s::%d::%s\n", __FUNCTION__, __LINE__, decoded);
 
     return strcasecmp(decoded, keyword);
 }

libclamav/ole2_extract_images.h

@@ -793,15 +793,106 @@ static void processOfficeArtFBSE(cli_ctx * ctx, ole2_header_t *hdr, OfficeArtRec
     offset += fbse.cbName;
 
     if (imageHeader->recLen == (sizeof(OfficeArtFBSEKnown) + fbse.cbName + fbse.size)) {
+fprintf(stderr, "%s::%d::Blip is embedded\n", __FUNCTION__, __LINE__);
         /* The BLIP is embedded in this record*/ 
         processOfficeArtBlip(ctx, &(ptr[offset]));
     } else {
         /* The BLIP is in the 'WordDocument' stream. */
         size_t size = fbse.size;
         const uint8_t * const ptr = load_pointer_to_stream_from_fmap(hdr, wordDocBlock, fbse.foDelay, size);
+fprintf(stderr, "%s::%d::Blip is in WordDocument stream, delay = %u (0x%x)\n", __FUNCTION__, __LINE__, fbse.foDelay, fbse.foDelay);
         processOfficeArtBlip(ctx, ptr);
     }
 
+#if 0
+    size_t i;
+    fprintf(stderr, "%s::%d::", __FUNCTION__, __LINE__);
+    for (i = 0; i < 16; i++) {
+        fprintf(stderr, "%02x ", ptr[i + offset]);
+    }
+    fprintf(stderr, "\n");
+#endif
+
+
+
+#if 1
+    fprintf(stderr, "%s::%d::before cpy\n", __FUNCTION__, __LINE__);
+    copy_OfficeArtRecordHeader(imageHeader, &(ptr[offset]));
+    offset += sizeof(OfficeArtRecordHeader);
+
+    copy_OfficeArtFBSEKnown (&fbse, &(ptr[offset]));
+    offset += sizeof(OfficeArtFBSEKnown );
+    recInst = getRecInst(imageHeader);
+
+    fprintf(stderr, "%s::%d::recInst = %d\n", __FUNCTION__, __LINE__, recInst);
+    fprintf(stderr, "%s::%d::fbse.btWin32 = %d\n", __FUNCTION__, __LINE__, fbse.btWin32);
+    fprintf(stderr, "%s::%d::fbse.btMacOS = %d\n", __FUNCTION__, __LINE__, fbse.btMacOS);
+
+    //here;
+
+
+    if ((recInst != fbse.btWin32) && (recInst != fbse.btMacOS)) {
+        cli_dbgmsg("ERROR Invalid recInst 0x%x\n", recInst);
+        return;
+    }
+    fprintf(stderr, "%s::%d\n", __FUNCTION__, __LINE__);
+    if (imageHeader->recType != 0xf007) {
+        cli_dbgmsg("ERROR Invalid recType 0x%x\n", imageHeader->recType);
+        return;
+    }
+    fprintf(stderr, "%s::%d\n", __FUNCTION__, __LINE__);
+
+    offset += fbse.cbName;
+
+    if (imageHeader->recLen == (sizeof(OfficeArtFBSEKnown) + fbse.cbName + fbse.size)) {
+fprintf(stderr, "%s::%d::Blip is embedded\n", __FUNCTION__, __LINE__);
+        /* The BLIP is embedded in this record*/ 
+        processOfficeArtBlip(ctx, &(ptr[offset]));
+    } else {
+        /* The BLIP is in the 'WordDocument' stream. */
+        size_t size = fbse.size;
+        const uint8_t * const ptr = load_pointer_to_stream_from_fmap(hdr, wordDocBlock, fbse.foDelay, size);
+fprintf(stderr, "%s::%d::Blip is in WordDocument stream, delay = %u (0x%x)\n", __FUNCTION__, __LINE__, fbse.foDelay, fbse.foDelay);
+        processOfficeArtBlip(ctx, ptr);
+    }
+
+#endif
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+    fprintf(stderr, "%s::%d::Looks like this might be IT!!!!\n", __FUNCTION__, __LINE__);
+
 }
 
 static void ole2_extract_images(cli_ctx * ctx, ole2_header_t * ole2Hdr, FibRgFcLcb97 * header, const uint8_t * ptr, property_t * wordDocBlock) {
@@ -875,6 +966,7 @@ static void ole2_extract_images(cli_ctx * ctx, ole2_header_t * ole2Hdr, FibRgFcL
      *
      * */
 #define OFFICE_ART_FBSE_REC_TYPE 0x2
+    fprintf(stderr, "%s::%d::imageCnt = %d\n", __FUNCTION__, __LINE__, imageCnt);
     for (i = 0; i < imageCnt; i++) {
         OfficeArtRecordHeader imageHeader;
         copy_OfficeArtRecordHeader(&imageHeader,  &(ptr[offset]));
@@ -884,11 +976,17 @@ static void ole2_extract_images(cli_ctx * ctx, ole2_header_t * ole2Hdr, FibRgFcL
             /* OfficeArtFBSE 
              * https://learn.microsoft.com/en-us/openspecs/office_file_formats/ms-odraw/2f2d7f5e-d5c4-4cb7-b230-59b3fe8f10d6
              */
+            fprintf(stderr, "%s::%d::calling processOfficeArtFBSE\n", __FUNCTION__, __LINE__);
             processOfficeArtFBSE(ctx, ole2Hdr, &imageHeader, &(ptr[offset]), wordDocBlock);
         } else {
+            fprintf(stderr, "%s::%d::calling processOfficeArtBlip\n", __FUNCTION__, __LINE__);
             processOfficeArtBlip(ctx, &(ptr[offset]));
         }
     }
+
+    //here;
+
+
 }
 
 
@@ -943,6 +1041,7 @@ void ole2_process_image_directory( cli_ctx * ctx, ole2_header_t * hdr, ole2_imag
 
         /*Call Extract */
         size_t offset = get_stream_data_offset(hdr, tableStream, tableStream->start_block);
+        /*TODO: Fix hardcoded 4k*/
         ptr = fmap_need_off_once(hdr->map, offset, 4096);
         if (NULL == ptr) {
             cli_dbgmsg("ERROR: Invalid offset for File Information Block %ld (0x%lx)\n", offset, offset);

libclamav/xlm_extract.c

@@ -4626,6 +4626,8 @@ cl_error_t cli_extract_xlm_macros_and_images(const char *dir, cli_ctx *ctx, char
     unsigned char *drawinggroup = NULL;
     size_t drawinggroup_len     = 0;
 
+    fprintf(stderr, "%s::%d::INHREE\n", __FUNCTION__, __LINE__);
+
     biff8_opcode previous_biff8_opcode = 0x0; // Initialize to 0x0, which isn't even in our enum.
                                               // This variable will allow the OPC_CONTINUE record
                                               // to know which record it is continuing.