[sleuthkit-developers] [ sleuthkit-Bugs-2900779 ] mactime sorting bug patch
Brought to you by:
carrier
Menu
▾
▴
[sleuthkit-developers] [ sleuthkit-Bugs-2900779 ] mactime sorting bug patch
|
From: SourceForge.net <no...@so...> - 2009-11-19 22:38:04
|
Bugs item #2900779, was opened at 2009-11-19 17:38 Message generated for change (Tracker Item Submitted) made by carrier You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=477889&aid=2900779&group_id=55685 Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: Timeline Tools Group: None Status: Open Resolution: None Priority: 5 Private: No Submitted By: Brian Carrier (carrier) Assigned to: Nobody/Anonymous (nobody) Summary: mactime sorting bug patch Initial Comment: >From Hal Pomeranz: Brian-- I'm attaching a patch for mactime that addresses an issue that's been bugging me for a long time, but that I only just got around to fixing. The problem is that timeline dates from epoch+200000000 (1976-05-03) through epoch+999999999 (2001-09-09) sort *after* the dates starting from epoch+1000000000. If you look at the code, the timeline is sorted alphabetically on the keys from %time2macstr. Those keys are created in read_body() by concatenating "st_{m/a/c}time,$st_ino,$file", so mostly they get sorted by the MACtime value. But it's the same problem you have when you try to sort 1..10 alphabetically-- you get "1, 10, 2, ..." because it's an alpha sort not a numeric sort. The fix is to "zero-fill" the mactime values in the %time2macstr keys so they're a consistent length. Then the alpha sort works fine. As long as I was doing that, I also swapped the order of the last two key fields (now "$st_*time,$file,$st_ino") so that the timeline sorts first on time, and then by filename, and finally by inode number (which should never be used). Sorting by inode number before filename doesn't make much sense to me for human-readable output. Context diff attached... ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=477889&aid=2900779&group_id=55685 |
