Add smear checks in MFT parsing code

atcuno · atcuno · commit 660e8a7b8938 · 2024-09-02T15:09:20.000-05:00
diff --git a/volatility3/framework/symbols/windows/extensions/mft.py b/volatility3/framework/symbols/windows/extensions/mft.py
@@ -29,7 +29,10 @@ class MFTAttribute(objects.StructType):
     def get_resident_filename(self) -> str:
         # 4MB chosen as cutoff instead of 4KB to allow for recovery from format /L created file systems
         # Length as 512 as its 256*2, which is the maximum size for an entire file path, so this is even generous
-        if self.Attr_Header.ContentOffset > 4194304 or self.Attr_Header.NameLength > 512:
+        if (
+            self.Attr_Header.ContentOffset > 4194304
+            or self.Attr_Header.NameLength > 512
+        ):
             return None
 
         # To get the resident name, we jump to relative name offset and read name length * 2 bytes of data
@@ -49,7 +52,10 @@ def get_resident_filename(self) -> str:
     def get_resident_filecontent(self) -> bytes:
         # smear observed in mass testing of samples
         # 4MB chosen as cutoff instead of 4KB to allow for recovery from format /L created file systems
-        if self.Attr_Header.ContentOffset > 4194304 or self.Attr_Header.ContentLength > 4194304:
+        if (
+            self.Attr_Header.ContentOffset > 4194304
+            or self.Attr_Header.ContentLength > 4194304
+        ):
             return None
 
         # To get the resident content, we jump to relative content offset and read name length * 2 bytes of data
