boredzo
commented
5 months ago Here's nodeName from the item's catalog key:
[0] u_int8_t '\x01'
[1] u_int8_t 'S'
[2] u_int8_t 't'
[3] u_int8_t 'a'
[4] u_int8_t 'r'
[5] u_int8_t 't'
[6] u_int8_t 'u'
[7] u_int8_t 'p'
[8] u_int8_t ' '
[9] u_int8_t 'D'
[10] u_int8_t 'e'
[11] u_int8_t 's'
[12] u_int8_t 'k'
[13] u_int8_t 't'
[14] u_int8_t 'o'
[15] u_int8_t 'p'
[16] u_int8_t '\x02'
[17] u_int8_t '\0'
[18] u_int8_t '\0'
[19] u_int8_t '\0'
[20] u_int8_t 'L'
[21] u_int8_t 'M'
[22] u_int8_t 'O'
[23] u_int8_t 'P'
[24] u_int8_t 'J'
[25] u_int8_t 'S'
[26] u_int8_t 'H'
[27] u_int8_t 'L'
[28] u_int8_t '\0'
[29] u_int8_t '\0'
[30] u_int8_t '\0'
[31] u_int8_t '\0'The folder's contents are supposed to include "Desktop\x01", so that \x01 at the start is intriguing, but it could be a red herring. That first byte is supposed to be the length, but there's no way this is a one-byte-long length. That's followed by "Startup Desktop", then what appear to be four four-byte values: 0x02000000, 'LMOP', 'JSHL', and 0. 'LMOP' is the file type of the "Desktop 1\x01" file; 'JSHL' is the creator code of a number of files in the System Folder on this disk.
The catalog key's length is 23; that leaves 23 - 6 = 17 bytes for the filename, including the length byte. "Startup Desktop" is 15 characters; "Startup Desktop\x02" is 16 characters. Curiously, no such filename shows up in the catalog recounting given by analyze.
In fact, looking at that output, some of the other items are truncated similarly:
- 📄 “Letter to Mom
Parent ID: #17 (0x11)
- 📄 “Notes 8/24
Parent ID: #17 (0x11)
- 📄 “OVWT”, ID #36 (0x24), type 'APPL' creator 'MMTE', script code default
Parent ID: #17 (0x11)
- 📄 “Scrap Scene”, ID #37 (0x25), type 'VWSC' creator 'MMVW', script code default
Parent ID: #17 (0x11)
- 📄 “Scrapbook File”, ID #21 (0x15), type 'ZSYS' creator 'MACS', script code default
Parent ID: #17 (0x11)
- 📄 “Scrapbook File
Parent ID: #17 (0x11)I was dubious about "OVWT" as an actual filename on the disk, but it does show up in the Finder when mounting the disk in System 6.0.8.
Seems like one thing that needs to happen is analyze needs to escape filenames itself.
Anyway, going back to the alleged contents of this filename buffer: it should be noted, lldb is treating this as a Str31 and showing 32 bytes regardless of the actual length of the string, so it's actually overrunning the key structure. The 0x02, 0x00, 0x00, and 0x00 before the file type and creator look like kHFSFileRecord followed by an empty flags field and unused byte. So this is consistent with an HFSCatalogKey followed by an HFSCatalogFile. I think that suggests we're peering across a node boundary.
So a couple more things we need to do here:
- The length of the filename field of a key needs to be a constraint upon the number of characters drawn from that field when parsing its filename. (Currently we just trust the length byte.)
- We need to detect when the length byte is questionable. Ideally it should exactly match the number of bytes after it in the key record according to the key record's length. It certainly should never be more than that, and the name length being less than expected may indicate a problem. (Depending on how eagerly Mac OS HFS compacts the catalog if a file's name gets shortened.)
Using an uncompressed copy of the “Guided Tour of Macintosh Plus”* image from “Phil and Dave's Excellent CD” volume 1:
The filename shown as empty above is this file as reported by
list:^A being
less's escaping of the\x01byte at the end of that filename.I'm unsure whether this means the catalog is corrupt, impluse is misparsing it, or impluse is doing something else wrong.
The
(null)s are also concerning. It could be that NSString is refusing to decode this filename.