https://bz.apache.org/bugzilla/show_bug.cgi?id=59830
--- Comment #1 from Javen O'Neal <[email protected]> ---

I added context as to why -1 is being returned (could not read bytes from input stream) in r1751982.

Error occurred while reading section id 2
java.io.IOException: Error occurred while reading section id 2
    at org.apache.poi.poifs.macros.VBAMacroReader.readMacros(VBAMacroReader.java:244)
    at org.apache.poi.poifs.macros.VBAMacroReader.findMacros(VBAMacroReader.java:148)
    at org.apache.poi.poifs.macros.VBAMacroReader.findMacros(VBAMacroReader.java:153)
    at org.apache.poi.poifs.macros.VBAMacroReader.findMacros(VBAMacroReader.java:153)
    at org.apache.poi.poifs.macros.VBAMacroReader.readMacros(VBAMacroReader.java:115)
    at org.apache.poi.poifs.macros.TestVBAMacroReader.bug59830(TestVBAMacroReader.java:249)
Caused by: java.io.IOException: Skipped only -1 while trying to skip 67116544 bytes. This should never happen.
    at org.apache.poi.poifs.macros.VBAMacroReader.trySkip(VBAMacroReader.java:182)
    at org.apache.poi.poifs.macros.VBAMacroReader.readMacros(VBAMacroReader.java:242)

From the MS-OVBA spec [1], a value of 0x0002 corresponds to a PROJECTLCID Record (section 2.3.4.2.1.2). The size of this record must be 0x00000004 according to the spec. See an example [2].

LCID is an abbreviation for language code identifier, "a 32-bit number that identifies the user interface human language dialect or variation that is supported by an application or a client computer" [3].

Is the 67116544 bytes number referring to the length of the PROJECTLCID record?

[1] https://msdn.microsoft.com/en-us/library/office/cc313094(v=office.12).aspx
[2] https://msdn.microsoft.com/en-us/library/dd952163(v=office.12).aspx
[3] https://msdn.microsoft.com/en-us/library/dd908523(v=office.12).aspx#gt_c7f99c66-592f-4053-b62a-878c189653b6

I did not commit the doc file though. Would you be able to extract the vbaProject.bin out of this malicious document? I'd feel more comfortable committing a file that can't execute itself.
Probably the easiest way to get this file is to use Word to save-as to docm, then rename the docm with a .zip extension, and then pull out the file named vbaProject.bin.

FYI, I think the infected file can only harm Windows computers, as the document contains 3 macros that call powershell.exe on document open. Nonetheless, please exercise caution.

It may also be helpful to see what POI can read from the document using org.apache.poi.poifs.dev.POIFSDump.main. Keep in mind that the extracted files will contain ASCII and non-ASCII characters, as the extracted files are likely run-length encoded.
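
The check the trace above points at, as an added example that is not part of the original message or of POI's code: a Python walker that validates each record's declared size before consuming it. It assumes already-decompressed bytes laid out as a 2-byte id, a 4-byte size and the payload (little-endian); the names walk_records, triage and record and all sample bytes are constructed for illustration.

```python
import struct

PROJECTLCID = 0x0002             # record id named in the comment above
FIXED_SIZES = {PROJECTLCID: 4}   # size the comment quotes from MS-OVBA


class RecordError(ValueError):
    """A record header that must not be trusted."""


def walk_records(buf):
    """Yield (id, payload); assumes id(2) + size(4) + payload, little-endian."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 6:
            raise RecordError(f"truncated header at offset {pos}")
        rec_id, size = struct.unpack_from("<HI", buf, pos)
        start = pos + 6
        expected = FIXED_SIZES.get(rec_id)
        if expected is not None and size != expected:
            raise RecordError(f"record 0x{rec_id:04x} at offset {pos}: "
                              f"size {size}, spec requires {expected}")
        if size > len(buf) - start:
            raise RecordError(f"record 0x{rec_id:04x} at offset {pos}: size "
                              f"{size} exceeds {len(buf) - start} bytes left")
        yield rec_id, buf[start:start + size]
        pos = start + size


def triage(buf):
    """Return (record ids parsed so far, error text or None)."""
    seen = []
    try:
        for rec_id, _payload in walk_records(buf):
            seen.append(rec_id)
    except RecordError as exc:
        return seen, str(exc)
    return seen, None


def record(rec_id, payload, size=None):
    """Build one record; 'size' overrides the declared length (constructed input)."""
    declared = len(payload) if size is None else size
    return struct.pack("<HI", rec_id, declared) + payload


# Constructed sample streams, not bytes taken from the document in the bug.
LCID = struct.pack("<I", 0x0409)
GOOD = record(0x0001, b"\x01\x00\x00\x00") + record(PROJECTLCID, LCID)
BAD = record(0x0001, b"\x01\x00\x00\x00") + record(PROJECTLCID, LCID, size=67116544)
OVERRUN = record(0x0001, b"\x01\x00\x00\x00") + record(0x0003, b"ab", size=100)
```

Rejecting the header before any skip or allocation turns a hostile size field into a located parse error instead of a failed skip deep in the reader.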
