[File] [PATCH] Magdir/archive Reduce TTComp false positives
Christos Zoulas
christos at zoulas.com
Sat May 31 14:57:54 UTC 2025
Applied, thanks!
christos
> On May 31, 2025, at 10:38 AM, A. IOOSS <erdnaxe at crans.org> wrote:
>
> Hello,
>
> While working on improving ARM Cortex-M matching, I noticed that some firmware images are detected as 'TTComp archive data, binary, 1K dictionary' which is very wrong. This happens because the image starts with '0004' which also match TTComp magic.
>
> Looking a bit closer at TTComp magic, I noticed that J. Jenderek pointed https://mark0.net/forum/index.php?topic=848 as a possible improvement to reduce false positives (thanks!).
> Attached you may find a patch that implements the matching on the last 2 bytes of TTComp files using this idea.
>
> This patch was tested using samples linked on http://fileformats.archiveteam.org/wiki/TTCOMP :
> ```
> BRTSWFTE.TTC: TTComp archive data
> CYBSWFTE.TTC: TTComp archive data
> GCBSWFTE.TTC: TTComp archive data
> GCISWFTE.TTC: TTComp archive data
> GCNSWFTE.TTC: TTComp archive data
> ```
>
> Thanks a lot,
> -- A.
> <ttcomp-fix.patch>--
> File mailing list
> File at astron.com
> https://mailman.astron.com/mailman/listinfo/file
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 235 bytes
Desc: Message signed with OpenPGP
URL: <https://mailman.astron.com/pipermail/file/attachments/20250531/066fc9e9/attachment.asc>
More information about the File
mailing list