Andre Pinter
08/29/2022, 6:22 PMdiff --git a/osquery/tables/forensic/carves.cpp b/osquery/tables/forensic/carves.cpp
index 1fcdb25af..80929ad13 100644
--- a/osquery/tables/forensic/carves.cpp
+++ b/osquery/tables/forensic/carves.cpp
@@ -53,8 +53,10 @@ void enumerateCarves(QueryData& results, const std::string& new_guid) {
r["time"] = INTEGER(tree.doc()["time"].GetUint64());
}
- if (tree.doc().HasMember("size")) {
+ if (tree.doc().HasMember("size") && tree.doc()["size"].IsInt()) {
r["size"] = INTEGER(tree.doc()["size"].GetInt());
+ } else if (tree.doc().HasMember("size") && tree.doc()["size"].IsString()) {
+ r["size"] = INTEGER(tree.doc()["size"].GetString());
}
stringToRow("sha256", r, tree);
From reading more of the codebase and the database code it seems like there's some friction where the update functions only take strings and then it seems its up to casts elsewhere in the codebase to turn them into the right types