From Christoph Biedl:

Debian bug #745546 et al: At the moment, the magic for "Macromedia
Flash data" and "Macromedia Flash Video" is just three printable
characters, no wonder this results in mis-detection of text files.

"Flash Video" is easy to fix, according to Wikipedia the forth
octet must have value 1.

"Flash data" is more work. The length information at offset 4 must be
non-zero, and the version number at offset 3 must be sound. According
to the pdf document, the latest version is 19, I found a few examples
in the lower twenties, so 32 should be a sane limit for the time
being. There are however quite a few files with version 255, and since
the virus scanners created an alert for all of them, they are now
reported as "suspicious".

diff --git a/magic/Magdir/flash b/magic/Magdir/flash
index fa22562c5df63838ba4f0dbec5649600ce4a3335..b06f879efcd5d374b99429208729b46d109dac7a 100644 (file)
--- a/magic/Magdir/flash
+++ b/magic/Magdir/flash
@@ -1,6 +1,6 @@
 
 #------------------------------------------------------------------------------
-# $File: flash,v 1.10 2014/03/06 16:07:24 christos Exp $
+# $File: flash,v 1.11 2014/05/02 00:26:49 christos Exp $
 # flash:       file(1) magic for Macromedia Flash file format
 #
 # See
@@ -9,17 +9,27 @@
 #      http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/\
 #      en/devnet/swf/pdf/swf-file-format-spec.pdf page 27
 #
-0      string          FWS             Macromedia Flash data,
->3     byte            x               version %d
+
+0   name        swf-details
+>0     string          F               Macromedia Flash data
 !:mime application/x-shockwave-flash
-0      string          CWS             Macromedia Flash data (compressed),
+>0     string          C               Macromedia Flash data (compressed)
 !:mime application/x-shockwave-flash
->3     byte            x               version %d
-0      string          ZWS             Macromedia Flash data (lzma compressed),
+>0     string          Z               Macromedia Flash data (lzma compressed)
 !:mime application/x-shockwave-flash
->3     byte            x               version %d
+>3   byte        x      \b, version %d
+
+1   string      WS
+>4  lelong      !0
+>>3 byte        255 Suspicious
+>>>0    use     swf-details
+
+>>3 ubyte       <32
+>>>3 ubyte      !0
+>>>>0   use     swf-details
+
 # From: Cal Peake <cp@absolutedigital.net>
-0      string          FLV             Macromedia Flash Video
+0      string          FLV\x01         Macromedia Flash Video
 !:mime video/x-flv
 
 #