Merge pull request #1249 from volatilityfoundation/mft_size_smear_fix

Mft size smear fix

Author: ikelos

volatility3/framework/symbols/windows/extensions/mft.py

@@ -2,6 +2,8 @@
 # which is available at https://www.volatilityfoundation.org/license/vsl-v1.0
 #
 
+from typing import Optional
+
 from volatility3.framework import objects, constants, exceptions
 
 
@@ -26,7 +28,15 @@ def get_full_name(self) -> str:
 class MFTAttribute(objects.StructType):
     """This represents an MFT ATTRIBUTE"""
 
-    def get_resident_filename(self) -> str:
+    def get_resident_filename(self) -> Optional[str]:
+        # 4MB chosen as cutoff instead of 4KB to allow for recovery from format /L created file systems
+        # Length as 512 as its 256*2, which is the maximum size for an entire file path, so this is even generous
+        if (
+            self.Attr_Header.ContentOffset > 0x400000
+            or self.Attr_Header.NameLength > 512
+        ):
+            return None
+
         # To get the resident name, we jump to relative name offset and read name length * 2 bytes of data
         try:
             name = self._context.object(
@@ -41,7 +51,15 @@ def get_resident_filename(self) -> str:
         except exceptions.InvalidAddressException:
             return None
 
-    def get_resident_filecontent(self) -> bytes:
+    def get_resident_filecontent(self) -> Optional[bytes]:
+        # smear observed in mass testing of samples
+        # 4MB chosen as cutoff instead of 4KB to allow for recovery from format /L created file systems
+        if (
+            self.Attr_Header.ContentOffset > 0x400000
+            or self.Attr_Header.ContentLength > 0x400000
+        ):
+            return None
+
         # To get the resident content, we jump to relative content offset and read name length * 2 bytes of data
         try:
             bytesobj = self._context.object(