pyaff4
pyaff4 copied to clipboard
aff4
Critical: Fixes ZipFileHeader Struct and Zip64 Header creation - Implements switch to enable creation of large sized ZipSegments and ZIP_STORED containers
As per title, fixes the ZipFileHeader Struct, by changing file_size and compress_size to uint32. Else packing struct fails when file size is > 2GB.
Also introduces an optional switch to enable creation of zip based containers with arbitrary file sizes. This allows creation of containers fully compatible with archive management tools for decompression if needed, as well as ability to import the container as ZIP file in any forensic tool that might not support AFF4-L directly. Default behaviour is left untouched.
After playing around with first modifications, I noticed that files larger than 4GB (requiring zip64 headers) were corrupted. Investigating highlighted that the code creates the local file header in two passes, first one not having the file size. In such a case, only the basic header is written followed by file data. If the file passes 4GB, the final header would require using a zip64 extension, which is appended to the local file header, but overwrites the first bytes of the file.
The hotfix actually reserves the space and writes the zip64 header all the time, independently of the size, and only marks the fields to be looked up in the zip64 header if needed - Should still be compliant with zip specification as the zip64 header is simply ignored if not needed.