olefile is a Python package to parse, read and write Microsoft OLE2 files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office 97-2003 documents, vbaProject.bin in MS Office 2007+ files, Image Composer and FlashPix files, Outlook messages, StickyNotes, several Microscopy file formats, McAfee antivirus quarantine files, etc.
When computing the offset of a sector from a large index in the DIFAT, in some cases an integer overflow may happen because the offset may be larger than 32 bits. In that case, it looks like MS Word or Windows truncates the offset at 32 bits, resulting in a smaller offset.
TODO:
[ ] Prepare sample files triggering the integer overflow, test them with MS Word, Excel, etc
[ ] Check what is the olefile behaviour in that case
[ ] Change olefile to match Word's behaviour
[ ] Provide a way for olefile callers to be informed when such an integer overflow happens (should be an alert that the file is suspicious)
According to this article, some malicious files use a trick that works with Word but might trigger errors in other parsers such as olefile: https://www.mimecast.com/blog/2019/03/the-return-of-the-equation-editor-exploit--difat-overflow Same on web archive: http://web.archive.org/web/20190307091006/https://www.mimecast.com/blog/2019/03/the-return-of-the-equation-editor-exploit--difat-overflow/
When computing the offset of a sector from a large index in the DIFAT, in some cases an integer overflow may happen because the offset may be larger than 32 bits. In that case, it looks like MS Word or Windows truncates the offset at 32 bits, resulting in a smaller offset.
TODO: