PyPI - dissect.apfs - Versions diffs - 1.2.dev1__tar.gz → 1.2.dev2__tar.gz - Mend

dissect.apfs 1.2.dev1tar.gz → 1.2.dev2tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (63) hide show

{dissect_apfs-1.2.dev1/dissect.apfs.egg-info → dissect_apfs-1.2.dev2}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: dissect.apfs
-Version: 1.2.dev1
+Version: 1.2.dev2
 Summary: A Dissect module implementing a parser for the APFS file system, a commonly used Apple file system
 Author-email: Dissect Team <dissect@fox-it.com>
 License-Expression: AGPL-3.0-or-later

{dissect_apfs-1.2.dev1 → dissect_apfs-1.2.dev2}/dissect/apfs/stream.py RENAMED Viewed

@@ -88,26 +88,30 @@ class FileStream(AlignedStream):
         while length:
             logical_address, physical_address, extent_length, crypto_id = self._lookup(offset)
-            block = self.volume.container._read_block(physical_address, extent_length // self.align)
+            offset_in_extent = offset - logical_address
+            if offset_in_extent >= extent_length:
+                raise Error(
+                    f"Offset {offset:#x} is out of bounds for extent ({logical_address:#x}, {extent_length:#x})"
+                )
+            block_in_extent = offset_in_extent // self.align
+            read_length = min(extent_length - offset_in_extent, length)
+            block = self.volume.container._read_block(physical_address + block_in_extent, read_length // self.align)
             if self.volume.is_encrypted:
                 if not self.volume._cipher:
                     raise Error("Volume is encrypted, unlock it first")
                 if self.volume.is_onekey:
-                    block = self.volume._cipher.decrypt(block, crypto_id * self.volume.container.sectors_per_block)
+                    sector = (crypto_id + block_in_extent) * self.volume.container.sectors_per_block
+                    block = self.volume._cipher.decrypt(block, sector)
                 else:
                     raise Error("Multi-key encryption is not supported yet")
-            if offset_in_extent := offset - logical_address:
-                block = block[offset_in_extent:]
-            if length < len(block):
-                block = block[:length]
             result.append(block)
-            offset += min(extent_length, length)
-            length -= min(extent_length, length)
+            offset += read_length
+            length -= read_length
         return b"".join(result)

{dissect_apfs-1.2.dev1 → dissect_apfs-1.2.dev2/dissect.apfs.egg-info}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: dissect.apfs
-Version: 1.2.dev1
+Version: 1.2.dev2
 Summary: A Dissect module implementing a parser for the APFS file system, a commonly used Apple file system
 Author-email: Dissect Team <dissect@fox-it.com>
 License-Expression: AGPL-3.0-or-later

{dissect_apfs-1.2.dev1 → dissect_apfs-1.2.dev2}/dissect.apfs.egg-info/SOURCES.txt RENAMED Viewed

@@ -53,6 +53,7 @@ tests/_data/corrupt.bin.gz
 tests/_data/encrypted.bin.gz
 tests/_data/jhfs_converted.bin.gz
 tests/_data/jhfs_encrypted.bin.gz
+tests/_data/large.bin.gz
 tests/_data/snapshot.bin.gz
 tests/_docs/Makefile
 tests/_docs/__init__.py

dissect_apfs-1.2.dev2/tests/_data/large.bin.gz ADDED Viewed

Binary file

{dissect_apfs-1.2.dev1 → dissect_apfs-1.2.dev2}/tests/test_apfs.py RENAMED Viewed

@@ -3,6 +3,7 @@ from __future__ import annotations
 import gzip
 import hashlib
 from typing import TYPE_CHECKING
+from unittest.mock import patch
 import pytest
@@ -379,3 +380,27 @@ def test_corrupt_checkpoints(caplog: pytest.LogCaptureFixture) -> None:
     assert caplog.messages[0] == "Skipping superblock xid=304: invalid OMAP"
     assert caplog.messages[1] == "Skipping superblock xid=303: Invalid nx_superblock checksum"
+def test_large_extents() -> None:
+    """Test APFS volumes with large extents."""
+    with gzip.open(absolute_path("_data/large.bin.gz"), "rb") as fh:
+        container = APFS(fh)
+        assert len(container.volumes) == 1
+        volume = container.volumes[0]
+        assert volume.name == "Large"
+        node = volume.get("yomomma.bin")
+        assert node.size == 512 * 1024 * 1024
+        fh = node.open()
+        # First extent is 128MiB
+        assert fh._lookup(0) == (0, 1070, 128 * 1024 * 1024, 0)
+        with patch.object(volume.container, "_read_block", wraps=volume.container._read_block) as mock_read_block:
+            assert fh.read(512) == b"\x67" * 512
+            # Check that we only read one block, not the entire 128MiB extent
+            mock_read_block.assert_called_once_with(1070, 1)