When computing the offset of a sector from a large index in the DIFAT, in some cases an integer overflow may happen because the offset may be larger than 32 bits. In that case, it looks like MS Word or Windows truncates the offset at 32 bits, resulting in a smaller offset.
TODO:
- Prepare sample files triggering the integer overflow, test them with MS Word, Excel, etc.
- Check what is the olefile behaviour in that case
- Change olefile to match Word's behaviour
- Provide a way for olefile callers to be informed when such an integer overflow happens (should be an alert that the file is suspicious)
According to this article, some malicious files use a trick that works with Word but might trigger errors in other parsers such as olefile:
https://www.mimecast.com/blog/2019/03/the-return-of-the-equation-editor-exploit--difat-overflow
Same on web archive: http://web.archive.org/web/20190307091006/https://www.mimecast.com/blog/2019/03/the-return-of-the-equation-editor-exploit--difat-overflow/
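The check described in the last TODO item, as an added example that is not part of the original issue and is not olefile's code: it reads the 109 DIFAT entries stored in an OLE header, computes each FAT sector's file offset, and reports entries whose offset no longer fits in 32 bits, together with the truncated offset the issue describes. The function names are hypothetical, the offset formula `(sid + 1) * sector_size` is assumed from the MS-CFB layout, and the header bytes are constructed for the demo.

```python
import struct

MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
MAXREGSECT = 0xFFFFFFFA      # highest regular sector number in MS-CFB
DIFAT_OFFSET, DIFAT_COUNT = 0x4C, 109   # DIFAT entries held in the header

def sector_offset(sid, sector_size):
    """Return (full_offset, offset_truncated_to_32_bits, overflowed)."""
    full = (sid + 1) * sector_size   # +1 skips the header sector
    truncated = full & 0xFFFFFFFF
    return full, truncated, full != truncated

def audit_header_difat(header, file_size):
    """Return findings for header DIFAT entries with suspicious offsets."""
    if header[:8] != MAGIC:
        raise ValueError("not an OLE/CFB header")
    (sector_shift,) = struct.unpack_from("<H", header, 0x1E)
    sector_size = 1 << sector_shift
    difat = struct.unpack_from("<%dI" % DIFAT_COUNT, header, DIFAT_OFFSET)
    findings = []
    for pos, sid in enumerate(difat):
        if sid > MAXREGSECT:         # FREESECT, ENDOFCHAIN and other markers
            continue
        full, truncated, overflowed = sector_offset(sid, sector_size)
        if overflowed:
            findings.append((pos, sid, full, truncated, "offset exceeds 32 bits"))
        elif full + sector_size > file_size:
            findings.append((pos, sid, full, truncated, "sector beyond end of file"))
    return findings

def build_sample_header(difat_entries):
    """Constructed 512-byte header (version 3, 512-byte sectors) for the demo."""
    header = bytearray(512)
    header[:8] = MAGIC
    # minor version, major version, byte order mark, sector shift (2**9 = 512)
    struct.pack_into("<HHHH", header, 0x18, 0x3E, 3, 0xFFFE, 9)
    padded = list(difat_entries) + [0xFFFFFFFF] * (DIFAT_COUNT - len(difat_entries))
    struct.pack_into("<%dI" % DIFAT_COUNT, header, DIFAT_OFFSET, *padded)
    return bytes(header)

if __name__ == "__main__":
    # Constructed input: one normal entry, one that overflows, one past EOF.
    sample = build_sample_header([0, 0x00800002, 5000])
    for pos, sid, full, truncated, reason in audit_header_difat(sample, file_size=8192):
        print(f"DIFAT[{pos}] sid={sid:#x} offset={full:#x} "
              f"truncated={truncated:#x}: {reason}")
```

With 512-byte sectors, any sector index of 0x7FFFFF or above produces an offset of 2^32 or more, so a parser that keeps the full value and one that truncates it read different sectors from the same file.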