66590 – Number of blocks used by the property table missing from the file header

Bug 66590 - Number of blocks used by the property table missing from the file header

Summary: Number of blocks used by the property table missing from the file header

Status:	NEW

Alias:	None

Product:	POI
Classification:	Unclassified
Component:	POIFS (show other bugs)
Version:	5.2.3-FINAL
Hardware:	All All

Importance:	P2 enhancement with 4 votes (vote)
Target Milestone:	---
Assignee:	POI Developers List

URL:
Keywords:	PatchAvailable

Depends on:
Blocks:

Reported:	2023-05-02 23:44 UTC by Emmanuel Bourg
Modified:	2023-05-26 07:35 UTC (History)
CC List:	0 users

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Emmanuel Bourg 2023-05-02 23:44:09 UTC

I'm using POIFS to modify MSI files (for Authenticode signing with Jsign) and for some files the addition of an entry corrupts the file. I've tracked down the issue to the number of blocks used by the property table in the file header (at offset 0x28) which is not handled by POIFS. When the header is parsed the value of this field is ignored, and when the header is saved the actual number of blocks is never written.

This is problematic because msiexec.exe relies on this field to parse the content of the MSI files, it won't process the full stream of the property table even if its chain in the allocation table spans over more blocks. When the entry added by the signing process is located on a new block of the property table, the binary tree holding the properties is re-balanced and a part is grafted to the new entry. Since the number of blocks isn't updated in the header this part of the tree becomes unreachable and the file is corrupted.

Comment 1 PJ Fanning 2023-05-02 23:54:54 UTC

POI does not have explicit support for MSI files. There are no tests that I can find in our code base for MSI files. I don't see any mention of MSI in our docs.

If you would like to work on adding some MSI support and some test coverage, the POI community may be in a position to review it.

The POI Community is not very active and it is unlikely that someone else will volunteer to do this work for you.

Comment 2 Nick Burch 2023-05-03 06:57:24 UTC

The code to work with the file header is:
https://github.com/apache/poi/blob/trunk/poi/src/main/java/org/apache/poi/poifs/storage/HeaderBlock.java
And the offsets are defined in:
https://github.com/apache/poi/blob/trunk/poi/src/main/java/org/apache/poi/poifs/storage/HeaderBlockConstants.java

For most of the things tracked we have a start and a count, but for properties we only have the count

The documentation for the header is:
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-cfb/05060311-bfce-4b12-874d-71fd4ce63aea

As PJ Fanning says, we don't have any MSI support, and no unit tests for it. If you want to work on this, we'll need test MSI files to go with the unit tests for the fix. As well as updating the header code to read/store the additional value, you'll also need to update other bits of POIFS code to tell the header of the new count. Good luck!

Comment 3 Emmanuel Bourg 2023-05-03 07:47:59 UTC

The fix is ready to be reviewed: https://github.com/apache/poi/pull/462

Comment 4 Emmanuel Bourg 2023-05-26 07:35:11 UTC

The fix is incomplete, according to the CFB specification the number of directory sectors must be set to zero for files using the format version 3 (with 512 byte sectors). I'll update the patch.