From 761d6a1254c97c1e0562d6c9c1094a07634be98e Mon Sep 17 00:00:00 2001 From: David McDonald Date: Fri, 8 Mar 2024 20:41:49 -0600 Subject: [PATCH] (bugfix) Fix off-by-6 bug in assemble.rs This fixes an off-by-six bug in assemble.rs that was causing string-cache miss backup parsing to fail. When the string cache is populated in `string_cache.rs`, from the given offset in the chunk header, a `BinXmlNameLink` (which is 6 total bytes in size) is read from the cursor, followed by the `BinXmlName`. On cache misses, `assemble.rs` was not reading the `BinXmlNameLink` which was in turn failing to advance the cursor by the number of bytes required. This commit adds 6 to the offset in `assemble.rs`, fixing this problem. --- src/binxml/assemble.rs | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/src/binxml/assemble.rs b/src/binxml/assemble.rs index 6ac6c55c..10fe1beb 100644 --- a/src/binxml/assemble.rs +++ b/src/binxml/assemble.rs @@ -240,6 +240,8 @@ pub fn create_record_model<'a>( Ok(model) } +const BINXML_NAME_LINK_SIZE: u32 = 6; + fn expand_string_ref<'a>( string_ref: &BinXmlNameRef, chunk: &'a EvtxChunk<'a>, @@ -249,7 +251,11 @@ fn expand_string_ref<'a>( None => { let mut cursor = Cursor::new(chunk.data); let cursor_ref = cursor.borrow_mut(); - try_seek!(cursor_ref, string_ref.offset, "Cache missed string")?; + try_seek!( + cursor_ref, + string_ref.offset + BINXML_NAME_LINK_SIZE, + "Cache missed string" + )?; let string = BinXmlName::from_stream(cursor_ref)?; Ok(Cow::Owned(string))