[Libguestfs] [PATCH] Add read support for "big data" blocks to hivex

[Hilko Bengen]

---
 lib/hivex.c | 81 +++++++++++++++++++++++++++++++++++++++++++++++++------------
 1 file changed, 66 insertions(+), 15 deletions(-)

diff --git a/lib/hivex.c b/lib/hivex.c
index efc27f8..e3c1e05 100644
--- a/lib/hivex.c
+++ b/lib/hivex.c
@@ -208,6 +208,19 @@ struct ntreg_sk_record {
   char sec_desc[1];             /* security info follows */
 } __attribute__((__packed__));
 
+struct ntreg_db_record {
+  int32_t seg_len;              /* length (always -ve because used) */
+  char id[2];                   /* "db" */
+  uint16_t nr_blocks;
+  uint32_t blocklist_offset;
+  uint32_t unknown1;
+} __attribute__((__packed__));
+
+struct ntreg_db_block {
+  int32_t seg_len;
+  char data[1];
+} __attribute__((__packed__));
+
 static uint32_t
 header_checksum (const hive_h *h)
 {
@@ -1418,22 +1431,60 @@ hivex_value_value (hive_h *h, hive_value_h value,
    * instead.
    */
   size_t blen = block_len (h, data_offset, NULL);
-  if (len > blen - 4 /* subtract 4 for block header */) {
-    if (h->msglvl >= 2)
-      fprintf (stderr, "hivex_value_value: warning: declared data length "
-               "is longer than the block it is in "
-               "(data 0x%zx, data len %zu, block len %zu)\n",
-               data_offset, len, blen);
-    len = blen - 4;
-
-    /* Return the smaller length to the caller too. */
-    if (len_rtn)
-      *len_rtn = len;
+  if (len <= blen - 4 /* subtract 4 for block header */) {
+    char *data = (char *) h->addr + data_offset + 4;
+    memcpy (ret, data, len);
+    return ret;
+  } else {
+    if (!IS_VALID_BLOCK (h, data_offset) || !BLOCK_ID_EQ (h, data_offset, "db")) {
+      if (h->msglvl >= 2)
+        fprintf (stderr, "hivex_value_value: warning: declared data length "
+                 "is longer than the amount of data found in big-data blocks "
+                 "(data 0x%zx, data len %zu)\n",
+                 data_offset, len);
+      errno = EINVAL;
+      free (ret);
+      return NULL;
+    }
+    struct ntreg_db_record *db =
+      (struct ntreg_db_record *) ((char *) h->addr + data_offset);
+    size_t blocklist_offset = le32toh (db->blocklist_offset);
+    blocklist_offset += 0x1000;
+    size_t nr_blocks = le16toh (db->nr_blocks);
+    if (!IS_VALID_BLOCK (h, blocklist_offset)) {
+      if (h->msglvl >= 2)
+        fprintf (stderr, "hivex_value_value: warning: blocklist is not a "
+                 "valid block "
+                 "(db block 0x%zx, blocklist 0x%zx)\n",
+                 data_offset, blocklist_offset);
+      errno = EINVAL;
+      free (ret);
+      return NULL;
+    }
+    struct ntreg_value_list *bl =
+      (struct ntreg_value_list *) ((char *) h->addr + blocklist_offset);
+    size_t i, off;
+    for (i=off=0; i < nr_blocks; ++i) {
+      uint32_t subblock_offset = le32toh (bl->offset[i]);
+      subblock_offset += 0x1000;
+      if (!IS_VALID_BLOCK (h, subblock_offset)) {
+        if (h->msglvl >= 2)
+          fprintf (stderr, "hivex_value_value: warning: big data block is not "
+                   "valid (db block 0x%zx, block list 0x%zx, data block 0x%zx)\n",
+                   data_offset, blocklist_offset, subblock_offset);
+      }
+      int32_t seg_len = block_len(h, subblock_offset, NULL);
+      struct ntreg_db_block *subblock =
+        (struct ntreg_db_block *) ((char *) h->addr + subblock_offset);
+      int32_t sz = seg_len - 8; /* don't copy the last 4 bytes */
+      if (off + sz > len) {
+        sz = len - off;
+      }
+      memcpy (ret + off, subblock->data, sz);
+      off += sz;
+    }
+    return ret;
   }
-
-  char *data = (char *) h->addr + data_offset + 4;
-  memcpy (ret, data, len);
-  return ret;
 }
 
 static char *
-- 
1.8.3.1