Document Streams
The file is made up of a number of POIFS streams. A typical
file will be made up as follows:
Root Entry -
Objects -
(no children)
SummaryInformation <(0x05)SummaryInformation>
DocumentSummaryInformation <(0x05)DocumentSummaryInformation>
Escher -
EscherStm
EscherDelayStm
Quill -
QuillSub -
CONTENTS
CompObj <(0x01)CompObj>
Envelope
Contents
Internal <(0x03)Internal>
CompObj <(0x01)CompObj>
VBA -
(no children)
Changing Text
If you make a change to the text of a file, but not change
how much text there is, then the CONTENTS stream
will undergo a small change, and the Contents stream
will undergo a large change.
If you make a change to the text of a file, and change the
amount of text there is, then both the Contents and
the CONTENTS streams change.
Changing Shapes
If you alter the size of a textbox, but make no text changes,
then both Contents and CONTENTS streams
change. There are no changes to the Escher streams.
If you set the background colour of a textbox, but make
no changes to the text, (to finish off)
Structure of CONTENTS
First we have "CHNKINK ", followed by 24 bytes.
Next we have 20 sequences of 24 bytes each. If the first two bytes
at 0x1800, then that sequence entry exists, but if it's 0x0000 then
the entry doesn't exist. If it does exist, we then have 4 bytes of
upper case ASCII text, followed by three little endian shorts.
The first of these seems to be the count of that type, the second is
usually 1, the third is usually zero. The we have another 4 bytes of
upper case ASCII text, normally but not always the same as the first
text. Finally, we have an unsigned little endian 32 bit offset to
the start of the data for this, then an unsigned little endian
32 bit offset of the length of this section.
Normally, the first sequence entry is for TEXT, and the text data
will start at 0x200. After that is normally two or three STSH entries
(so the first short has values 0, then 1, then 2). After that it
seems to vary.
At 0x200 we have the text, stored as little endian 16 bit unicode.
After the text comes all sorts of other stuff, presumably as
described by the sequences.
For a contents stream of length 7168 / 0x1c00 bytes, the start
looks something like:
CHNKINK // "CHNKINK "
04 00 07 00 // Normally 04 00 07 00
13 00 00 03 // Normally ## 00 00 03
00 02 00 00 // Normally 00 ## 00 00
00 1c 00 00 // Normally length of the stream
f8 01 13 00 // Normally f8 01 11/13 00
ff ff ff ff // Normally seems to be ffffffff
18 00
TEXT 00 00 01 00 00 00 // TEXT 0 1 0
TEXT 00 02 00 00 d0 03 00 00 // TEXT from: 200 (512), len: 3d0 (976)
18 00
STSH 00 00 01 00 00 00 // STSH 0 1 0
STSH d0 05 00 00 1e 00 00 00 // STSH from: 5d0 (1488), len: 1e (30)
18 00
STSH 01 00 01 00 00 00 // STSH 1 1 0
STSH ee 05 00 00 b8 01 00 00 // STSH from: 5ee (1518), len: 1b8 (440)
18 00
STSH 02 00 01 00 00 00 // STSH 2 1 0
STSH a6 07 00 00 3c 00 00 00 // STSH from: 7a6 (1958), len: 3c (60)
18 00
FDPP 00 00 01 00 00 00 // FDPP 0 1 0
FDPP 00 08 00 00 00 02 00 00 // FDPP from: 800 (2048), len: 200 (512)
18 00
FDPC 00 00 01 00 00 00 // FDPC 0 1 0
FDPC 00 0a 00 00 00 02 00 00 // FDPC from: a00 (2560), len: 200 (512)
18 00
FDPC 01 00 01 00 00 00 // FDPC 1 1 0
FDPC 00 0c 00 00 00 02 00 00 // FDPC from: c00 (3072), len: 200 (512)
18 00
SYID 00 00 01 00 00 00 // SYID 0 1 0
SYID 00 0e 00 00 20 00 00 00 // SYID from: e00 (3584), len: 20 (32)
18 00
SGP 00 00 01 00 00 00 // SGP 0 1 0
SGP 20 0e 00 00 0a 00 00 00 // SGP from: e20 (3616), len: a (10)
18 00
INK 00 00 01 00 00 00 // INK 0 1 0
INK 2a 0e 00 00 04 00 00 00 // INK from: e2a (3626), len: 4 (4)
18 00
BTEP 00 00 01 00 00 00 // BTEP 0 1 0
PLC 2e 0e 00 00 18 00 00 00 // PLC from: e2e (3630), len: 18 (24)
18 00
BTEC 00 00 01 00 00 00 // BTEC 0 1 0
PLC 46 0e 00 00 20 00 00 00 // PLC from: e46 (3654), len: 20 (32)
18 00
FONT 00 00 01 00 00 00 // FONT 0 1 0
FONT 66 0e 00 00 48 03 00 00 // FONT from: e66 (3686), len: 348 (840)
18 00
TCD 03 00 01 00 00 00 // TCD 3 1 0
PLC ae 11 00 00 24 00 00 00 // PLC from: 11ae (4526), len: 24 (36)
18 00
TOKN 04 00 01 00 00 00 // TOKN 4 1 0
PLC d2 11 00 00 0a 01 00 00 // PLC from: 11d2 (4562), len: 10a (266)
18 00
TOKN 05 00 01 00 00 00 // TOKN 5 1 0
PLC dc 12 00 00 2a 01 00 00 // PLC from: 12dc (4828), len: 12a (298)
18 00
STRS 00 00 01 00 00 00 // STRS 0 1 0
PLC 06 14 00 00 46 00 00 00 // PLC from: 1406 (5126), len: 46 (70)
18 00
MCLD 00 00 01 00 00 00 // MCLD 0 1 0
MCLD 4c 14 00 00 16 06 00 00 // MCLD from: 144c (5196), len: 616 (1558)
18 00
PL 00 00 01 00 00 00 // PL 0 1 0
PL 62 1a 00 00 48 00 00 00 // PL from: 1a62 (6754), len: 48 (72)
00 00 // Blank entry follows
00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
(the text will then start)
We think that the first 4 bytes of text describes the
the function of the data at the offset. The first short is
then the count of that type, eg the 2nd will have 1. We
think that the second 4 bytes of text describes the format
of data block at the offset. The format of the text block
is easy, but we're still trying to figure out the others.
Structure of TEXT bit
This is very simple. All the text for the document is
stored in a single bit of the Quill CONTENTS. The text
is stored as little endian 16 bit unicode strings.
Structure of PLC bit
The first four bytes seem to hold the count of the
entries in the bit, and the second four bytes seem to hold
the type. There is then some pre-data, and then data for
each of the entries, the exact format dependant on the type.
Type 0 has 4 2 byte unsigned ints, then a pair of 2 byte
unsigned ints for each entry.
Type 4 has 4 2 byte unsigned ints, then a pair of 4 byte
unsigned ints for each entry.
Type 8 has 7 2 byte unsigned ints, then a pair of 4 byte
unsigned ints for each entry.
Type 12 holds hyperlinks, and is very much more complex.
See org.apache.poi.hpbf.model.qcbits.QCPLCBit
for our best guess as to how the contents match up.
by Nick Burch