[File] [PATCH] Magdir/archive Reduce TTComp false positives

Jason Summers jason1 at pobox.com
Thu Jun 26 17:16:10 UTC 2025 

The patch does reduce false positives, but... it doesn't work very well,
does it? It no longer prints "binary" or "ASCII" or "dictionary", except by
accident.

It's trying to look back at the start of the file after looking at the end
of the file, but that fails, because looking at the end of the file changes
what offset "0" means.

This could be fixed with the new "OFFPOSITIVE" feature. I didn't test this,
but I think you can just change each ">>0 use ttcomp-display" line to be
">>+0 use ttcomp-display". Though this will not work in any released
version (5.46 or older).

My own version of this:
https://github.com/jsummers/myfilecmdmagic/blob/073aa4a2f9c734452156f61ed67102a7b58c012a/workshop/dclimplode2.magic

A more compatible fix could be to redesign it to make use of the "return
value" of the "use ttcomp" lines. My own version of this:
https://github.com/jsummers/myfilecmdmagic/blob/073aa4a2f9c734452156f61ed67102a7b58c012a/misc_magic/misc.magic#L455

On Sat, May 31, 2025 at 10:58 AM Christos Zoulas <christos at zoulas.com>
wrote:

> Applied, thanks!
>
> christos
>
> > On May 31, 2025, at 10:38 AM, A. IOOSS <erdnaxe at crans.org> wrote:
> >
> > Hello,
> >
> > While working on improving ARM Cortex-M matching, I noticed that some
> firmware images are detected as 'TTComp archive data, binary, 1K
> dictionary' which is very wrong. This happens because the image starts with
> '0004' which also match TTComp magic.
> >
> > Looking a bit closer at TTComp magic, I noticed that J. Jenderek pointed
> https://mark0.net/forum/index.php?topic=848 as a possible improvement to
> reduce false positives (thanks!).
> > Attached you may find a patch that implements the matching on the last 2
> bytes of TTComp files using this idea.
> >
> > This patch was tested using samples linked on
> http://fileformats.archiveteam.org/wiki/TTCOMP :
> > ```
> > BRTSWFTE.TTC: TTComp archive data
> > CYBSWFTE.TTC: TTComp archive data
> > GCBSWFTE.TTC: TTComp archive data
> > GCISWFTE.TTC: TTComp archive data
> > GCNSWFTE.TTC: TTComp archive data
> > ```
> >
> > Thanks a lot,
> > -- A.
> > <ttcomp-fix.patch>--
> > File mailing list
> > File at astron.com
> > https://mailman.astron.com/mailman/listinfo/file
>
> --
> File mailing list
> File at astron.com
> https://mailman.astron.com/mailman/listinfo/file
>


-- 
Jason Summers
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mailman.astron.com/pipermail/file/attachments/20250626/b0b2a199/attachment.htm>

More information about the File mailing list