[File] Regression in Chrome extension detection

Christoph Biedl astron.com.bwoj at manchmal.in-ulm.de
Sat Jul 6 13:18:36 UTC 2019


Hi there,

the logic in the second hunk of

| commit c2ef6d0e6226d10621e9e67999dd2c3ee35d79a0 (HEAD, refs/bisect/bad)
| Author: Christos Zoulas <christos at zoulas.com>
| Date:   Tue Apr 9 18:34:15 2019 +0000
|
|     PR/73: enkeli: Require the actual central directory record, not just the
|     end of central directory for zip.
|
| @@ -53,7 +53,7 @@
|  >>0    leshort         x               v?[%#x]
|
|  # Zip End Of Central Directory record
| --22    string          PK\005\006      Zip archive data
| +-22    string          PK\005\006
|  #>4    leshort         >1              \b, %d disks
|  #>6    leshort         >1              \b, central directory disk %d
|  #>8    leshort         >1              \b, %d central directories on this disk

is not clear to me.

As a result, this block now is

| # Zip End Of Central Directory record
| -22           string          PK\005\006
| >(16.l)       use             zipcd
| >20           pstring/l       >0              \b, %s

So if the first line matches, it file will happily print any
non-empty ASCIIZ string starting at offset 20.

To make things worse, this change introduces a new strength line

| Strength =  71 at 63: , %s []

which defeats several other and betters rules. That's why for example
the detection of Chrome extensions is now broken:

-Google Chrome extension, version 2
+, \206H\206\367\015\001\001\001\005

Care to take a look?

    Christoph


More information about the File mailing list