Cisco-Talos / clamav

ClamAV - Documentation is here: https://docs.clamav.net
https://www.clamav.net/
GNU General Public License v2.0

No formula function name is extracted after xlm extracting #615

Open JoeyHasALittleLamb opened 2 years ago

JoeyHasALittleLamb commented 2 years ago

Describe the bug

No formula function name is extracted after xlm extraction (image 1, red arrow below). The function name is parsed as “”; the address is 0xff96, which is the root cause. 0x0096 should be the right address, after hex dumping the original file.

By reviewing the code (image 2), I think xlm_extract.c:line 4004 should be: uint16_t func_id = (uint8_t)(data[data_pos + 2]) | (uint8_t)((data[data_pos + 3] << 8)); After re-scanning, the formula function name is extracted correctly (image 3).

How to reproduce the problem

Xlm sample file downloaded from VT, scan it.

Attachments

Image 1, Image 2, Image 3 (screenshots)
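An added example, not part of the original issue and not ClamAV code: it shows how a little-endian 16-bit id read from a byte buffer can come out as 0xff96 instead of 0x0096, and how the position of the `uint8_t` cast relative to the shift changes the result. The function names and sample records are hypothetical, and the signed-char buffer type is an assumption that would explain the reported value.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed records: two filler bytes, then a little-endian 16-bit id.
 * Stored as unsigned char and deliberately read through signed char below
 * (assumption: the parser's buffer type is signed). */
static const unsigned char rec_0096[] = {0x00, 0x00, 0x96, 0x00}; /* id 0x0096 */
static const unsigned char rec_0196[] = {0x00, 0x00, 0x96, 0x01}; /* id 0x0196 */

/* No casts: the byte 0x96 is -106 as a signed char, is promoted to the int
 * 0xffffff96, and the OR leaves the high byte of the result set to 0xff.
 * "* 256" stands in for "<< 8", which is undefined for negative operands. */
uint16_t id_no_cast(const signed char *data, size_t pos)
{
    return (uint16_t)(data[pos + 2] | (data[pos + 3] * 256));
}

/* Cast applied to the already shifted high byte: the low byte is now right,
 * but a value multiplied by 256 and truncated to 8 bits is always 0, so any
 * id above 0x00ff loses its high byte. */
uint16_t id_cast_after_shift(const signed char *data, size_t pos)
{
    return (uint16_t)((uint8_t)data[pos + 2] | (uint8_t)(data[pos + 3] * 256));
}

/* Cast each byte to uint8_t first, then shift and combine. */
uint16_t id_cast_before_shift(const signed char *data, size_t pos)
{
    return (uint16_t)((uint8_t)data[pos + 2] | ((uint8_t)data[pos + 3] << 8));
}

int main(void)
{
    const signed char *a = (const signed char *)rec_0096;
    const signed char *b = (const signed char *)rec_0196;

    printf("no cast:           0x%04x 0x%04x\n",
           (unsigned)id_no_cast(a, 0), (unsigned)id_no_cast(b, 0));
    printf("cast after shift:  0x%04x 0x%04x\n",
           (unsigned)id_cast_after_shift(a, 0), (unsigned)id_cast_after_shift(b, 0));
    printf("cast before shift: 0x%04x 0x%04x\n",
           (unsigned)id_cast_before_shift(a, 0), (unsigned)id_cast_before_shift(b, 0));
    return 0;
}
```

A sample whose id fits in one byte cannot distinguish the last two variants, so a regression test for this kind of fix needs an id with a non-zero high byte as well.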

micahsnyder commented 2 years ago

Hi @JoeyHasALittleLamb

Just from reading the code and reading your suggested change, I think you may be right. But I will have to test it. Are you comfortable with submitting a pull request with the suggested change so you can get credit for the commit?
Also, can you please provide a link to the file on VT that you're testing with so we can verify the fix?

Regards, Micah