Large data (>32k) in NormalSubstitution array
phaag opened this issue · 3 comments
phaag commented
Hi,
If data blocks in NormalSubstituations are bigger than 32K, the int16 Size value in the ValueDescriptor struct in structs.go overflows and parses wrong data.
Replacing int16 by uint16 for Size in ValueDescriptor (struct.go line 810) and replacing all depending Size int16 to uint16 in values.go for the various type definitions ( fix compiler errors ) as well as the type casts in values.go ( e.g. uint(a.Size/2) line 447, 477 ) fixes the problem.
Thx for implementing an evtx parser in Go!
qjerome commented
Hi,
Thank you very much for opening the issue and providing the solution :).
I will fix the thing soon.
Cheers,
qjerome commented
Hi,
I committed the changes, could you please test if those solve the issue?
Cheers,