From: Christos Zoulas
Date: Fri, 2 May 2014 00:26:49 +0000 (+0000)
Subject: From Christoph Biedl:
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=91bdb1f559a5fb07cf6685f848ca3370634225ec;p=file

From Christoph Biedl:

Debian bug #745546 et al:

At the moment, the magic for "Macromedia Flash data" and "Macromedia Flash Video" is just three printable characters, no wonder this results in mis-detection of text files.

"Flash Video" is easy to fix, according to Wikipedia the fourth octet must have value 1.

"Flash data" is more work. The length information at offset 4 must be non-zero, and the version number at offset 3 must be sound. According to the pdf document, the latest version is 19, I found a few examples in the lower twenties, so 32 should be a sane limit for the time being. There are however quite a few files with version 255, and since the virus scanners created an alert for all of them, they are now reported as "suspicious".
---
diff --git a/magic/Magdir/flash b/magic/Magdir/flash index fa22562c..b06f879e 100644 --- a/magic/Magdir/flash +++ b/magic/Magdir/flash @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: flash,v 1.10 2014/03/06 16:07:24 christos Exp $ +# $File: flash,v 1.11 2014/05/02 00:26:49 christos Exp $ # flash: file(1) magic for Macromedia Flash file format # # See 
@@ -9,17 +9,27 @@ # http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/\ # en/devnet/swf/pdf/swf-file-format-spec.pdf page 27 # -0 string FWS Macromedia Flash data, ->3 byte x version %d + +0 name swf-details +>0 string F Macromedia Flash data !:mime application/x-shockwave-flash -0 string CWS Macromedia Flash data (compressed), +>0 string C Macromedia Flash data (compressed) !:mime application/x-shockwave-flash ->3 byte x version %d -0 string ZWS Macromedia Flash data (lzma compressed), +>0 string Z Macromedia Flash data (lzma compressed) !:mime application/x-shockwave-flash ->3 byte x version %d +>3 byte x \b, version %d + +1 string WS +>4 lelong !0 +>>3 byte 255 Suspicious +>>>0 use swf-details + +>>3 ubyte <32 +>>>3 ubyte !0 +>>>>0 use swf-details + # From: Cal Peake -0 string FLV Macromedia Flash Video +0 string FLV\x01 Macromedia Flash Video !:mime video/x-flv #
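Review bot: The new top-level test `1 string WS` in the second hunk never constrains the byte at offset 0, so any file with "WS" at offset 1, a non-zero length at offset 4 and a version byte of 255 or 1..31 reaches `use swf-details` even when its first byte is not F, C or Z. In that case none of the three `>0 string` lines in `swf-details` match, yet the unconditional `>3 byte x \b, version %d` still prints, and the 255 branch has already emitted "Suspicious", so the output is a version or a "Suspicious" label with no format name and no `!:mime`. Consider checking the first byte before each `use swf-details` (or keeping three top-level signatures that each call the shared checks) so the length and version tests only tighten the old FWS/CWS/ZWS match instead of widening it. Separately, `>>3 ubyte <32` and `>>3 byte 255 Suspicious` carry no comment in the magic file: the reasoning for the bound of 32 and for the special case 255 lives only in the commit message, and a Flash file with a version of 32 or higher will silently stop being identified. A short comment above these lines stating where the limit comes from and that it needs raising with new format versions would help, as would using `ubyte` consistently for both version tests.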