Mac Archive Type Sniffing

chrome/utility/safe_browsing/mac/udif.cc

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/utility/safe_browsing/mac/udif.h"
 
 #include <CoreFoundation/CoreFoundation.h>
 #include <bzlib.h>
 #include <libkern/OSByteOrder.h>
 #include <uuid/uuid.h>
 
 #include <algorithm>
 #include <utility>
 
 #include "base/logging.h"
 #include "base/mac/foundation_util.h"
 #include "base/mac/scoped_cftyperef.h"
 #include "base/macros.h"
 #include "base/memory/ptr_util.h"
 #include "base/numerics/safe_math.h"
 #include "base/strings/sys_string_conversions.h"
 #include "chrome/utility/safe_browsing/mac/convert_big_endian.h"
 #include "chrome/utility/safe_browsing/mac/read_stream.h"
 #include "third_party/zlib/zlib.h"
 
 namespace safe_browsing {
 namespace dmg {
 
 #pragma pack(push, 1)

[vakh (use Gerrit instead), 2017/06/12 16:20:28]

Do we still need this preprocessor directive here?

[mortonm, 2017/06/12 16:35:54]

Yes -- I've moved the struct definition back into the .cc file and the directive
is necessary to make the struct the correct size.

 
-// The following structures come from the analysis provided by Jonathan Levin
-// at <http://newosxbook.com/DMG.html>.
-//
-// Note that all fields are stored in big endian.
-
-struct UDIFChecksum {
-  uint32_t type;
-  uint32_t size;
-  uint32_t data[32];
-};
-
 static void ConvertBigEndian(UDIFChecksum* checksum) {
   ConvertBigEndian(&checksum->type);
   ConvertBigEndian(&checksum->size);
   for (size_t i = 0; i < arraysize(checksum->data); ++i) {
     ConvertBigEndian(&checksum->data[i]);
   }
 }
 
-// The trailer structure for a UDIF file.
-struct UDIFResourceFile {
-  static const uint32_t kSignature = 'koly';
-  static const uint32_t kVersion = 4;
-
-  uint32_t signature;
-  uint32_t version;
-  uint32_t header_size;  // Size of this structure.
-  uint32_t flags;
-  uint64_t running_data_fork_offset;
-  uint64_t data_fork_offset;
-  uint64_t data_fork_length;
-  uint64_t rsrc_fork_offset;
-  uint64_t rsrc_fork_length;
-  uint32_t segment_number;
-  uint32_t segment_count;
-  uuid_t   segment_id;
-
-  UDIFChecksum data_checksum;
-
-  uint64_t plist_offset;  // Offset and length of the blkx plist.
-  uint64_t plist_length;
-
-  uint8_t  reserved1[64];
-
-  uint64_t code_signature_offset;
-  uint64_t code_signature_length;
-
-  uint8_t  reserved2[40];
-
-  UDIFChecksum master_checksum;
-
-  uint32_t image_variant;
-  uint64_t sector_count;
-
-  uint32_t reserved3;
-  uint32_t reserved4;
-  uint32_t reserved5;
-};
-
 static void ConvertBigEndian(uuid_t* uuid) {
   // UUID is never consulted, so do not swap.
 }
 
 static void ConvertBigEndian(UDIFResourceFile* file) {
   ConvertBigEndian(&file->signature);
   ConvertBigEndian(&file->version);
   ConvertBigEndian(&file->flags);
   ConvertBigEndian(&file->header_size);
   ConvertBigEndian(&file->running_data_fork_offset);
@@ skipping 241 matching lines @@
 
   DISALLOW_COPY_AND_ASSIGN(UDIFBlockChunkReadStream);
 };
 
 }  // namespace
 
 UDIFParser::UDIFParser(ReadStream* stream)
     : stream_(stream),
       partition_names_(),
       blocks_(),
-      block_size_(kSectorSize) {
-}
+      block_size_(kSectorSize),
+      trailer_successfully_parsed_(false) {}
 
 UDIFParser::~UDIFParser() {}
 
+bool UDIFParser::ParseTrailer() {
+  // Makes sure that trailer is only ever parsed single time during execution of
+  // constuctor, so position of ReadStream is not moved after constructor runs.
+  if (trailer_successfully_parsed_)
+    return true;
+
+  off_t trailer_start = stream_->Seek(-sizeof(trailer_), SEEK_END);
+  if (trailer_start == -1)
+    return false;
+
+  if (!stream_->ReadType(&trailer_)) {
+    DLOG(ERROR) << "Failed to read UDIFResourceFile";
+    return false;
+  }
+  ConvertBigEndian(&trailer_);
+
+  if (trailer_.signature != trailer_.kSignature) {
+    DLOG(ERROR) << "blkx signature does not match, is 0x" << std::hex
+                << trailer_.signature;
+    return false;
+  }
+  if (trailer_.version != trailer_.kVersion) {
+    DLOG(ERROR) << "blkx version does not match, is " << trailer_.version;
+    return false;
+  }
+
+  auto plist_end = base::CheckedNumeric<size_t>(trailer_.plist_offset) +
+                   trailer_.plist_length;
+  if (!plist_end.IsValid() ||
+      plist_end.ValueOrDie() > base::checked_cast<size_t>(trailer_start)) {
+    DLOG(ERROR) << "blkx plist extends past UDIF trailer";
+    return false;
+  }
+
+  return true;
+}
+
 bool UDIFParser::Parse() {
-  if (!ParseBlkx())
+  // First parses trailer and then parses blocks.
+  trailer_successfully_parsed_ = ParseTrailer();
+  if (!trailer_successfully_parsed_ || !ParseBlkx())

[vakh (use Gerrit instead), 2017/06/12 16:20:28]

shortcut this as: return trailer_successfully_parsed_ && ParseBlkx()

[mortonm, 2017/06/12 16:35:54]

Done.

     return false;
 
   return true;
 }
 
 size_t UDIFParser::GetNumberOfPartitions() {
   return blocks_.size();
 }
 
 std::string UDIFParser::GetPartitionName(size_t part_number) {
@@ skipping 32 matching lines @@
 }
 
 std::unique_ptr<ReadStream> UDIFParser::GetPartitionReadStream(
     size_t part_number) {
   DCHECK_LT(part_number, blocks_.size());
   return base::MakeUnique<UDIFPartitionReadStream>(stream_, block_size_,
                                                    blocks_[part_number].get());
 }
 
 bool UDIFParser::ParseBlkx() {
-  UDIFResourceFile trailer;
-  off_t trailer_start = stream_->Seek(-sizeof(trailer), SEEK_END);
-  if (trailer_start == -1)
+  if (!trailer_successfully_parsed_)
     return false;
 
-  if (!stream_->ReadType(&trailer)) {
-    DLOG(ERROR) << "Failed to read UDIFResourceFile";
-    return false;
-  }
-  ConvertBigEndian(&trailer);
+  std::vector<uint8_t> plist_bytes(trailer_.plist_length, 0);
 
-  if (trailer.signature != trailer.kSignature) {
-    DLOG(ERROR) << "blkx signature does not match, is 0x"
-                << std::hex << trailer.signature;
-    return false;
-  }
-  if (trailer.version != trailer.kVersion) {
-    DLOG(ERROR) << "blkx version does not match, is " << trailer.version;
-    return false;
-  }
-
-  auto plist_end = base::CheckedNumeric<size_t>(trailer.plist_offset) +
-                   trailer.plist_length;
-  if (!plist_end.IsValid() ||
-      plist_end.ValueOrDie() > base::checked_cast<size_t>(trailer_start)) {
-    DLOG(ERROR) << "blkx plist extends past UDIF trailer";
-    return false;
-  }
-
-  std::vector<uint8_t> plist_bytes(trailer.plist_length, 0);
-
-  if (stream_->Seek(trailer.plist_offset, SEEK_SET) == -1)
+  if (stream_->Seek(trailer_.plist_offset, SEEK_SET) == -1)
     return false;
 
-  if (!stream_->ReadExact(&plist_bytes[0], trailer.plist_length)) {
+  if (!stream_->ReadExact(&plist_bytes[0], trailer_.plist_length)) {
     DLOG(ERROR) << "Failed to read blkx plist data";
     return false;
   }
 
   base::ScopedCFTypeRef<CFDataRef> plist_data(
       CFDataCreateWithBytesNoCopy(kCFAllocatorDefault,
           &plist_bytes[0], plist_bytes.size(), kCFAllocatorNull));
   if (!plist_data) {
     DLOG(ERROR) << "Failed to create data from bytes";
     return false;
@@ skipping 410 matching lines @@
                 << chunk_->compressed_offset;
     return false;
   }
   return true;
 }
 
 }  // namespace
 
 }  // namespace dmg
 }  // namespace safe_browsing