[File] [PATCH] Magdir/archive Reduce TTComp false positives

Christos Zoulas christos at zoulas.com
Fri Jun 27 16:59:11 UTC 2025


Used >>+0

christos

> On Jun 26, 2025, at 1:16 PM, Jason Summers <jason1 at pobox.com> wrote:
> 
> The patch does reduce false positives, but... it doesn't work very well, does it? It no longer prints "binary" or "ASCII" or "dictionary", except by accident.
> 
> It's trying to look back at the start of the file after looking at the end of the file, but that fails, because looking at the end of the file changes what offset "0" means.
> 
> This could be fixed with the new "OFFPOSITIVE" feature. I didn't test this, but I think you can just change each ">>0 use ttcomp-display" line to be ">>+0 use ttcomp-display". Though this will not work in any released version (5.46 or older).
> 
> My own version of this: https://github.com/jsummers/myfilecmdmagic/blob/073aa4a2f9c734452156f61ed67102a7b58c012a/workshop/dclimplode2.magic
> 
> A more compatible fix could be to redesign it to make use of the "return value" of the "use ttcomp" lines. My own version of this: https://github.com/jsummers/myfilecmdmagic/blob/073aa4a2f9c734452156f61ed67102a7b58c012a/misc_magic/misc.magic#L455
> 
> 
> On Sat, May 31, 2025 at 10:58 AM Christos Zoulas <christos at zoulas.com> wrote:
> 
>> Applied, thanks!
>> 
>> christos
>> 
>> > On May 31, 2025, at 10:38 AM, A. IOOSS <erdnaxe at crans.org> wrote:
>> > 
>> > Hello,
>> > 
>> > While working on improving ARM Cortex-M matching, I noticed that some firmware images are detected as 'TTComp archive data, binary, 1K dictionary' which is very wrong. This happens because the image starts with '0004' which also matches TTComp magic.
>> > 
>> > Looking a bit closer at TTComp magic, I noticed that J. Jenderek pointed to https://mark0.net/forum/index.php?topic=848 as a possible improvement to reduce false positives (thanks!).
>> > Attached you may find a patch that implements the matching on the last 2 bytes of TTComp files using this idea.
>> > 
>> > This patch was tested using samples linked on http://fileformats.archiveteam.org/wiki/TTCOMP :
>> > ```
>> > BRTSWFTE.TTC: TTComp archive data
>> > CYBSWFTE.TTC: TTComp archive data
>> > GCBSWFTE.TTC: TTComp archive data
>> > GCISWFTE.TTC: TTComp archive data
>> > GCNSWFTE.TTC: TTComp archive data
>> > ```
>> > 
>> > Thanks a lot,
>> > -- A.
>> > <ttcomp-fix.patch>
>> > -- 
>> > File mailing list
>> > File at astron.com
>> > https://mailman.astron.com/mailman/listinfo/file
>> 
> 
> 
> 
> --
> Jason Summers
> 
> <sanitizer.log>
