poi-dev mailing list archives

From bugzi...@apache.org
Subject [Bug 59830] "Skipped only -1 while trying to skip 67116544 bytes. This should never happen." IOException in VBAMacroReader
Date Sat, 09 Jul 2016 06:21:39 GMT
https://bz.apache.org/bugzilla/show_bug.cgi?id=59830

--- Comment #1 from Javen O'Neal <onealj@apache.org> ---
I added context as to why -1 is being returned (could not read bytes from input
stream) in r1751982.

Error occurred while reading section id 2
java.io.IOException: Error occurred while reading section id 2
        at org.apache.poi.poifs.macros.VBAMacroReader.readMacros(VBAMacroReader.java:244)
        at org.apache.poi.poifs.macros.VBAMacroReader.findMacros(VBAMacroReader.java:148)
        at org.apache.poi.poifs.macros.VBAMacroReader.findMacros(VBAMacroReader.java:153)
        at org.apache.poi.poifs.macros.VBAMacroReader.findMacros(VBAMacroReader.java:153)
        at org.apache.poi.poifs.macros.VBAMacroReader.readMacros(VBAMacroReader.java:115)
        at org.apache.poi.poifs.macros.TestVBAMacroReader.bug59830(TestVBAMacroReader.java:249)
Caused by: java.io.IOException: Skipped only -1 while trying to skip 67116544 bytes.  This should never happen.
        at org.apache.poi.poifs.macros.VBAMacroReader.trySkip(VBAMacroReader.java:182)
        at org.apache.poi.poifs.macros.VBAMacroReader.readMacros(VBAMacroReader.java:242)

From the MS-OVBA spec [1], a value of 0x0002 corresponds to a PROJECTLCID
Record (section 2.3.4.2.1.2). The size of this record must be 0x00000004
according to the spec. See an example [2].
LCID is an abbreviation for language code identifier, "a 32-bit number that
identifies the user interface human language dialect or variation that is
supported by an application or a client computer" [3].
Is the 67116544 bytes number referring to the length of the PROJECTLCID record?

[1] https://msdn.microsoft.com/en-us/library/office/cc313094(v=office.12).aspx
[2] https://msdn.microsoft.com/en-us/library/dd952163(v=office.12).aspx
[3] https://msdn.microsoft.com/en-us/library/dd908523(v=office.12).aspx#gt_c7f99c66-592f-4053-b62a-878c189653b6

I did not commit the doc file though. Would you be able to extract the
vbaProject.bin out of this malicious document? I'd feel more comfortable
committing a file that can't execute itself. Probably the easiest way to get
this file is to use Word to save-as to docm, then rename the docm with a .zip
extension, and then pull out the file named vbaProject.bin.

FYI, I think the infected file can only harm Windows computers, as the document
contains 3 macros that call powershell.exe on document open. Nonetheless,
please exercise caution.

It may also be helpful to see what POI can read from the document using
org.apache.poi.poifs.dev.POIFSDump.main. Keep in mind that the extracted files
will contain ascii and non-ascii characters, as the extracted files are likely
run-length encoded.

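Added example, not part of the original message and not POI's own code: a sketch of how a reader of the decompressed dir stream can validate a record's declared size before skipping it, so a malformed size field fails with context instead of a blind skip. The class name DirRecordCheck and the sample bytes are constructed; it assumes every record uses plain Id (2 bytes) / Size (4 bytes) / data framing, which is a simplification of MS-OVBA.

```java
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.ByteOrder;

// Hypothetical helper for illustration; not a POI class.
public class DirRecordCheck {
    static final int PROJECTLCID = 0x0002; // record id named in the message above

    /** Walks Id/Size/data records; returns the record count or throws with context. */
    static int walk(byte[] dirStream) throws IOException {
        ByteBuffer buf = ByteBuffer.wrap(dirStream).order(ByteOrder.LITTLE_ENDIAN);
        int count = 0;
        while (buf.remaining() >= 6) {
            int offset = buf.position();
            int id = buf.getShort() & 0xFFFF;        // unsigned 16-bit id
            long size = buf.getInt() & 0xFFFFFFFFL;  // unsigned 32-bit size
            // Spec-fixed size: PROJECTLCID must declare exactly 4 bytes.
            if (id == PROJECTLCID && size != 4) {
                throw new IOException(String.format(
                    "record 0x%04X at offset %d declares size %d, spec requires 4",
                    id, offset, size));
            }
            // Generic bound: never skip past the end of the available data.
            if (size > buf.remaining()) {
                throw new IOException(String.format(
                    "record 0x%04X at offset %d declares size %d, only %d bytes remain",
                    id, offset, size, buf.remaining()));
            }
            buf.position(buf.position() + (int) size); // safe: size <= remaining
            count++;
        }
        return count;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: well-formed PROJECTLCID record carrying LCID 0x0409.
        byte[] good = {0x02, 0x00, 0x04, 0x00, 0x00, 0x00, 0x09, 0x04, 0x00, 0x00};
        System.out.println("good: " + walk(good) + " record(s)");

        // Constructed sample: same id, size field set to 67116544 (the number in the trace).
        ByteBuffer bad = ByteBuffer.allocate(10).order(ByteOrder.LITTLE_ENDIAN);
        bad.putShort((short) PROJECTLCID).putInt(67116544).putInt(0);
        try {
            walk(bad.array());
        } catch (IOException e) {
            System.out.println("bad: " + e.getMessage());
        }
    }
}
```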