configure.ac | 2 +- doc/file.man | 17 +- magic/Header | 8 +- magic/Magdir/adventure | 16 -- magic/Magdir/animation | 15 +- magic/Magdir/archive | 192 +++++++++++------------ magic/Magdir/audio | 16 +- magic/Magdir/cafebabe | 22 +-- magic/Magdir/cddb | 2 +- magic/Magdir/clipper | 2 - magic/Magdir/commands | 20 ++- magic/Magdir/compress | 75 ++++++++- magic/Magdir/database | 7 - magic/Magdir/erlang | 6 +- magic/Magdir/filesystems | 80 +++++----- magic/Magdir/games | 2 +- magic/Magdir/graphviz | 8 +- magic/Magdir/images | 18 +-- magic/Magdir/linux | 33 ++-- magic/Magdir/lisp | 8 +- magic/Magdir/lua | 4 +- magic/Magdir/m4 | 2 + magic/Magdir/macintosh | 374 -------------------------------------------- magic/Magdir/mcrypt | 60 ++++++- magic/Magdir/modem | 6 +- magic/Magdir/msdos | 66 +++++--- magic/Magdir/os400 | 37 ----- magic/Magdir/palm | 118 +++++++------- magic/Magdir/perl | 30 ++-- magic/Magdir/python | 16 +- magic/Magdir/revision | 11 ++ magic/Magdir/ruby | 4 +- magic/Magdir/scientific | 18 +-- magic/Magdir/selinux | 32 ++++ magic/Magdir/sendmail | 4 +- magic/Magdir/sgml | 24 +-- magic/Magdir/softquad | 6 - magic/Magdir/tex | 22 +-- magic/Magdir/windows | 8 +- magic/Magdir/wordprocessors | 11 ++ magic/Makefile.am | 27 +++- python/setup.py | 2 +- src/Makefile.am | 2 +- src/apprentice.c | 6 +- src/ascmagic.c | 35 ++++- src/compress.c | 18 ++- src/file.h | 2 +- src/fsmagic.c | 3 +- src/funcs.c | 16 ++ src/is_tar.c | 2 +- src/names.h | 2 - src/readelf.c | 38 +++-- src/softmagic.c | 28 ++-- 53 files changed, 710 insertions(+), 873 deletions(-) diff --git a/configure.ac b/configure.ac index ae674ff..b3f4d25 100644 --- a/configure.ac +++ b/configure.ac @@ -50,7 +50,7 @@ AC_SUBST(fsect) AM_CONDITIONAL(FSECT5, test x$fsect = x5) AC_SUBST(WARNINGS) -AC_GNU_SOURCE +AC_USE_SYSTEM_EXTENSIONS dnl Checks for programs. AC_PROG_CC diff --git a/doc/file.man b/doc/file.man index 197700f..d6c1644 100644 --- a/doc/file.man +++ b/doc/file.man 
@@ -51,7 +51,9 @@ meaning anything else (data is usually or non-printable). Exceptions are well-known file formats (core files, tar archives) that are known to contain binary data. -When modifying magic files or the program itself, make sure to +When adding local definitions to the file +.Pa /etc/magic , +make sure to .Em "preserve these keywords" . Users depend on knowing that all the readable files in a directory have the word @@ -401,12 +403,6 @@ will be distributed periodically. The order of entries in the magic file is significant. Depending on what system you are using, the order that they are put together may be incorrect. -If your old -.Nm -command uses a magic file, -keep the old magic file around for comparison purposes -(rename it to -.Pa __MAGIC__.orig ). .Sh EXAMPLES .Bd -literal -offset indent $ file file.c file /dev/{wd0a,hda} @@ -548,3 +544,10 @@ on .Dv ftp.astron.com in the directory .Dv /pub/file/file-X.YZ.tar.gz +.Pp +This +.Nm +version adds a number of new magix entries. +It can be obtained from +.Dv git://git.altlinux.org/people/ldv/packages/file.git +and its mirrors. diff --git a/magic/Header b/magic/Header index 3ca9b0e..8bda86f 100644 --- a/magic/Header +++ b/magic/Header @@ -1,5 +1,5 @@ -# Magic # Magic data for file(1) command. -# Machine-generated from src/cmd/file/magdir/*; edit there only! -# Format is described in magic(files), where: -# files is 5 on V7 and BSD, 4 on SV, and ?? in the SVID. +# Format is described in magic(5). +# Don't edit this file, edit /etc/magic or send your suggested inclusions to +# this file as a wishlist bug against file (using the reportbug utility). + diff --git a/magic/Magdir/adventure b/magic/Magdir/adventure index 7b30c49..ba591ef 100644 --- a/magic/Magdir/adventure +++ b/magic/Magdir/adventure 
@@ -13,22 +13,6 @@ >2 byte <10 version 2.6%d -# Infocom (see z-machine) -#------------------------------------------------------------------------------ -# Z-machine: file(1) magic for Z-machine binaries. -# -# This will match ${TEX_BASE}/texmf/omega/ocp/char2uni/inbig5.ocp which -# appears to be a version-0 Z-machine binary. -# -# The (false match) message is to correct that behavior. Perhaps it is -# not needed. -# -16 belong&0xfe00f0f0 0x3030 Infocom game data ->0 ubyte 0 (false match) ->0 ubyte >0 (Z-machine %d, ->>2 ubeshort x Release %d / ->>18 string >\0 Serial %.6s) - #------------------------------------------------------------------------------ # Glulx: file(1) magic for Glulx binaries. # diff --git a/magic/Magdir/animation b/magic/Magdir/animation index 443338a..4a7c48d 100644 --- a/magic/Magdir/animation +++ b/magic/Magdir/animation @@ -695,16 +695,27 @@ # Microsoft Advanced Streaming Format (ASF) 0 belong 0x3026b275 Microsoft ASF +!:mime video/x-ms-asf # MNG Video Format, +# 0x8a M N G 0x0d 0x0a 0x1a 0x0a [4-byte pad] +# M H D R [4-byte width][4-byte height][4-byte ticks][4-byte layers] +# [4-byte frame][4-byte time][4-byte profile] 0 string \x8aMNG MNG video data, !:mime video/x-mng >4 belong !0x0d0a1a0a CORRUPTED, >4 belong 0x0d0a1a0a ->>16 belong x %ld x ->>20 belong x %ld +>>16 belong x %ld x +>>20 belong x %ld, +>>24 belong x %ld tps, +>>28 belong x %ld layers, +>>32 belong x %ld frames, +>>36 belong x %ld time, +>>40 belong x profile = %ld # JNG Video Format, +# 0x8b J N G 0x0d 0x0a 0x1a 0x0a [4-byte pad] +# J H D R [4-byte width][4-byte height] 0 string \x8bJNG JNG video data, !:mime video/x-jng >4 belong !0x0d0a1a0a CORRUPTED, diff --git a/magic/Magdir/archive b/magic/Magdir/archive index b75fac0..eb32b99 100644 --- a/magic/Magdir/archive +++ b/magic/Magdir/archive 
@@ -162,84 +162,84 @@ # probably many can be enhanced by finding some 0-byte or control char near the start # idarc calls this Crush/Uncompressed... *shrug* -0 string CRUSH Crush archive data +#0 string CRUSH Crush archive data # Squeeze It (.sqz) -0 string HLSQZ Squeeze It archive data +#0 string HLSQZ Squeeze It archive data # SQWEZ -0 string SQWEZ SQWEZ archive data +#0 string SQWEZ SQWEZ archive data # HPack (.hpk) -0 string HPAK HPack archive data +#0 string HPAK HPack archive data # HAP -0 string \x91\x33HF HAP archive data +#0 string \x91\x33HF HAP archive data # MD/MDCD -0 string MDmd MDCD archive data +#0 string MDmd MDCD archive data # LIM -0 string LIM\x1a LIM archive data +#0 string LIM\x1a LIM archive data # SAR -3 string LH5 SAR archive data +#3 string LH5 SAR archive data # BSArc/BS2 -0 string \212\3SB \0 BSArc/BS2 archive data +#0 string \212\3SB \0 BSArc/BS2 archive data # MAR -2 string =-ah MAR archive data +#2 string =-ah MAR archive data # ACB -0 belong&0x00f800ff 0x00800000 ACB archive data +#0 belong&0x00f800ff 0x00800000 ACB archive data # CPZ # TODO, this is what idarc says: 0 string \0\0\0 CPZ archive data # JRC -0 string JRchive JRC archive data +#0 string JRchive JRC archive data # Quantum -0 string DS\0 Quantum archive data +#0 string DS\0 Quantum archive data # ReSOF -0 string PK\3\6 ReSOF archive data +#0 string PK\3\6 ReSOF archive data # QuArk -0 string 7\4 QuArk archive data +#0 string 7\4 QuArk archive data # YAC -14 string YC YAC archive data +#14 string YC YAC archive data # X1 -0 string X1 X1 archive data -0 string XhDr X1 archive data +#0 string X1 X1 archive data +#0 string XhDr X1 archive data # CDC Codec (.dqt) -0 belong&0xffffe000 0x76ff2000 CDC Codec archive data +#0 belong&0xffffe000 0x76ff2000 CDC Codec archive data # AMGC -0 string \xad6" AMGC archive data +#0 string \xad6" AMGC archive data # NuLIB -0 string NõFélå NuLIB archive data +#0 string NõFélå NuLIB archive data # PakLeo -0 string LEOLZW PAKLeo archive data +#0 
string LEOLZW PAKLeo archive data # ChArc -0 string SChF ChArc archive data +#0 string SChF ChArc archive data # PSA -0 string PSA PSA archive data +#0 string PSA PSA archive data # CrossePAC -0 string DSIGDCC CrossePAC archive data +#0 string DSIGDCC CrossePAC archive data # Freeze -0 string \x1f\x9f\x4a\x10\x0a Freeze archive data +#0 string \x1f\x9f\x4a\x10\x0a Freeze archive data # KBoom -0 string ¨MP¨ KBoom archive data +#0 string ¨MP¨ KBoom archive data # NSQ, must go after CDC Codec -0 string \x76\xff NSQ archive data +#0 string \x76\xff NSQ archive data # DPA -0 string Dirk\ Paehl DPA archive data +#0 string Dirk\ Paehl DPA archive data # BA # TODO: idarc says "bytes 0-2 == bytes 3-5" # TTComp -0 string \0\6 TTComp archive data +#0 string \0\6 TTComp archive data # ESP, could this conflict with Easy Software Products' (e.g.ESP ghostscript) documentation? -0 string ESP ESP archive data +#0 string ESP ESP archive data # ZPack 0 string \1ZPK\1 ZPack archive data # Sky -0 string \xbc\x40 Sky archive data +#0 string \xbc\x40 Sky archive data # UFA -0 string UFA UFA archive data +#0 string UFA UFA archive data # Dry -0 string =-H2O DRY archive data +#0 string =-H2O DRY archive data # FoxSQZ -0 string FOXSQZ FoxSQZ archive data +#0 string FOXSQZ FoxSQZ archive data # AR7 -0 string ,AR7 AR7 archive data +#0 string ,AR7 AR7 archive data # PPMZ -0 string PPMZ PPMZ archive data +#0 string PPMZ PPMZ archive data # MS Compress 4 string \x88\xf0\x27 MS Compress archive data # updated by Joerg Jenderek 
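Review bot: The entries commented out in this hunk carry no note saying why they were disabled, and the selection criterion is not evident from the lines themselves: longer signatures such as `DSIGDCC` and `FOXSQZ` are disabled while the `\1ZPK\1` ZPack entry stays active. A maintainer later investigating why a sample is reported as plain `data` has nothing to go on. Add one comment above the block, for example `# Disabled locally: <reason or bug reference>; re-enable in /etc/magic if needed`. The later hunks in magic/Magdir/archive follow the same pattern and would be covered by the same comment.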
@@ -253,32 +253,32 @@ # MP3 (archiver, not lossy audio compression) 0 string MP3\x1a MP3-Archiver archive data # ZET -0 string OZÝ ZET archive data +#0 string OZÝ ZET archive data # TSComp 0 string \x65\x5d\x13\x8c\x08\x01\x03\x00 TSComp archive data # ARQ 0 string gW\4\1 ARQ archive data # Squash -3 string OctSqu Squash archive data +#3 string OctSqu Squash archive data # Terse 0 string \5\1\1\0 Terse archive data # PUCrunch 0 string \x01\x08\x0b\x08\xef\x00\x9e\x32\x30\x36\x31 PUCrunch archive data # UHarc -0 string UHA UHarc archive data +#0 string UHA UHarc archive data # ABComp -0 string \2AB ABComp archive data -0 string \3AB2 ABComp archive data +#0 string \2AB ABComp archive data +#0 string \3AB2 ABComp archive data # CMP -0 string CO\0 CMP archive data +#0 string CO\0 CMP archive data # Splint -0 string \x93\xb9\x06 Splint archive data +#0 string \x93\xb9\x06 Splint archive data # InstallShield 0 string \x13\x5d\x65\x8c InstallShield Z archive Data # Gather -1 string GTH Gather archive data +#1 string GTH Gather archive data # BOA -0 string BOA BOA archive data +#0 string BOA BOA archive data # RAX 0 string ULEB\xa RAX archive data # Xtreme 
@@ -286,22 +286,22 @@ # Pack Magic 0 string @â\1\0 Pack Magic archive data # BTS -0 belong&0xfeffffff 0x1a034465 BTS archive data +#0 belong&0xfeffffff 0x1a034465 BTS archive data # ELI 5750 -0 string Ora\ ELI 5750 archive data +#0 string Ora\ ELI 5750 archive data # QFC -0 string \x1aFC\x1a QFC archive data -0 string \x1aQF\x1a QFC archive data +#0 string \x1aFC\x1a QFC archive data +#0 string \x1aQF\x1a QFC archive data # PRO-PACK -0 string RNC PRO-PACK archive data +#0 string RNC PRO-PACK archive data # 777 -0 string 777 777 archive data +#0 string 777 777 archive data # LZS221 -0 string sTaC LZS221 archive data +#0 string sTaC LZS221 archive data # HPA -0 string HPA HPA archive data +#0 string HPA HPA archive data # Arhangel -0 string LG Arhangel archive data +#0 string LG Arhangel archive data # EXP1, uses bzip2 0 string 0123456789012345BZh EXP1 archive data # IMP @@ -309,25 +309,25 @@ # NRV 0 string \x00\x9E\x6E\x72\x76\xFF NRV archive data # Squish -0 string \x73\xb2\x90\xf4 Squish archive data +#0 string \x73\xb2\x90\xf4 Squish archive data # Par -0 string PHILIPP Par archive data -0 string PAR Par archive data +#0 string PHILIPP Par archive data +#0 string PAR Par archive data # HIT -0 string UB HIT archive data +#0 string UB HIT archive data # SBX -0 belong&0xfffff000 0x53423000 SBX archive data +#0 belong&0xfffff000 0x53423000 SBX archive data # NaShrink -0 string NSK NaShrink archive data +#0 string NSK NaShrink archive data # SAPCAR 0 string #\ CAR\ archive\ header SAPCAR archive data 0 string CAR\ 2.00RG SAPCAR archive data # Disintegrator -0 string DST Disintegrator archive data +#0 string DST Disintegrator archive data # ASD -0 string ASD ASD archive data +#0 string ASD ASD archive data # InstallShield CAB -0 string ISc( InstallShield CAB +#0 string ISc( InstallShield CAB # TOP4 0 string T4\x1a TOP4 archive data # BatComp left out: sig looks like COM executable 
@@ -335,32 +335,32 @@ # BlakHole 0 string BH\5\7 BlakHole archive data # BIX -0 string BIX0 BIX archive data +#0 string BIX0 BIX archive data # ChiefLZA -0 string ChfLZ ChiefLZA archive data +#0 string ChfLZ ChiefLZA archive data # Blink -0 string Blink Blink archive data +#0 string Blink Blink archive data # Logitech Compress -0 string \xda\xfa Logitech Compress archive data +#0 string \xda\xfa Logitech Compress archive data # ARS-Sfx (FIXME: really a SFX? then goto COM/EXE) -1 string (C)\ STEPANYUK ARS-Sfx archive data +#1 string (C)\ STEPANYUK ARS-Sfx archive data # AKT/AKT32 -0 string AKT32 AKT32 archive data -0 string AKT AKT archive data +#0 string AKT32 AKT32 archive data +#0 string AKT AKT archive data # NPack -0 string MSTSM NPack archive data +#0 string MSTSM NPack archive data # PFT 0 string \0\x50\0\x14 PFT archive data # SemOne -0 string SEM SemOne archive data +#0 string SEM SemOne archive data # PPMD 0 string \x8f\xaf\xac\x84 PPMD archive data # FIZ -0 string FIZ FIZ archive data +#0 string FIZ FIZ archive data # MSXiE 0 belong&0xfffff0f0 0x4d530000 MSXiE archive data # DeepFreezer -0 belong&0xfffffff0 0x797a3030 DeepFreezer archive data +#0 belong&0xfffffff0 0x797a3030 DeepFreezer archive data # DC 0 string =2 byte x \b, version %i ->3 byte x \b.%i +#0 string DZ Dzip archive data +#>2 byte x \b, version %i +#>3 byte x \b.%i # ZZip archiver (.zz) 0 string ZZ\ \0\0 ZZip archive data -0 string ZZ0 ZZip archive data +#0 string ZZ0 ZZip archive data # PAQ archiver (.paq) 0 string \xaa\x40\x5f\x77\x1f\xe5\x82\x0d PAQ archive data -0 string PAQ PAQ archive data ->3 byte&0xf0 0x30 ->>3 byte x (v%c) +#0 string PAQ PAQ archive data +#>3 byte&0xf0 0x30 +#>>3 byte x (v%c) # JAR archiver (.j), this is the successor to ARJ, not Java's JAR (which is essentially ZIP) 0xe string \x1aJar\x1b JAR (ARJ Software, Inc.) archive data 0 string JARCS JAR (ARJ Software, Inc.) archive data 
@@ -469,7 +469,7 @@ >7 byte 9 os: VAX/VMS >3 byte >0 %d] # [JW] idarc says this is also possible -2 leshort 0xea60 ARJ archive data +#2 leshort 0xea60 ARJ archive data # HA archiver (Greg Roelofs, newt@uchicago.edu) # This is a really bad format. A file containing HAWAII will match this... diff --git a/magic/Magdir/audio b/magic/Magdir/audio index 3a9c176..ba4a56a 100644 --- a/magic/Magdir/audio +++ b/magic/Magdir/audio @@ -116,7 +116,7 @@ # Real Audio (Magic .ra\0375) 0 belong 0x2e7261fd RealAudio sound file !:mime audio/x-pn-realaudio -0 string .RMF RealMedia file +0 string .RMF\0\0\0 RealMedia file !:mime application/vnd.rn-realmedia #video/x-pn-realvideo #video/vnd.rn-realvideo @@ -135,8 +135,8 @@ #0 string FAR Module sound data #>4 string >\15 Title: "%s" -0x2c string SCRM ScreamTracker III Module sound data ->0 string >\0 Title: "%s" +#0x2c string SCRM ScreamTracker III Module sound data +#>0 string >\0 Title: "%s" # Gravis UltraSound patches # From @@ -286,11 +286,11 @@ # SGI SoundTrack 0 string _SGI_SoundTrack SGI SoundTrack project file # ID3 version 2 tags -0 string ID3 Audio file with ID3 version 2. +0 string ID3 Audio file with ID3 version 2 # ??? Normally such a file is an MP3 file, but this will give false positives !:mime audio/mpeg ->3 ubyte <0xff \b%d -#>4 ubyte <0xff \b%d tag +>3 ubyte <0xff \b.%d +>>4 ubyte <0xff \b.%d tag >2584 string fLaC \b, FLAC encoding >>2588 byte&0x7f >0 \b, unknown version >>2588 byte&0x7f 0 \b @@ -527,7 +527,7 @@ # From Gürkan Sengün , http://www.linuks.mine.nu 0 string RAWADATA RdosPlay RAW -1068 string RoR AMUSIC Adlib Tracker +#1068 string RoR AMUSIC Adlib Tracker 0 string JCH EdLib @@ -551,7 +551,7 @@ >15 byte =0 lossy, >16 byte x mid-side -384 string LockStream LockStream Embedded file (mostly MP3 on old Nokia phones) +#384 string LockStream LockStream Embedded file (mostly MP3 on old Nokia phones) # format VQF (proprietary codec for sound) # some infos on the header file available at : 
diff --git a/magic/Magdir/cafebabe b/magic/Magdir/cafebabe index db385ea..7d4a09f 100644 --- a/magic/Magdir/cafebabe +++ b/magic/Magdir/cafebabe @@ -12,16 +12,16 @@ # (and use as a hack). Let's not use 18, because the Mach-O people # might add another one or two as time goes by... # -0 beshort 0xcafe ->2 beshort 0xbabe +0 belong 0xcafebabe !:mime application/x-java-applet ->>2 belong >30 compiled Java class data, ->>>6 beshort x version %d. ->>>4 beshort x \b%d ->>4 belong 1 Mach-O fat file with 1 architecture ->>4 belong >1 ->>>4 belong <20 Mach-O fat file with %ld architectures ->2 beshort 0xd00d JAR compressed with pack200, ->>5 byte x version %d. ->>4 byte x \b%d +>4 belong >30 compiled Java class data, +>>6 beshort x version %d. +>>4 beshort x \b%d +>4 belong 1 Mach-O fat file with 1 architecture +>4 belong >1 +>>4 belong <20 Mach-O fat file with %ld architectures + +0 belong 0xcafed00d JAR compressed with pack200, +>5 byte x version %d. +>4 byte x \b%d !:mime application/x-java-pack200 diff --git a/magic/Magdir/cddb b/magic/Magdir/cddb index 42ca416..de2eb41 100644 --- a/magic/Magdir/cddb +++ b/magic/Magdir/cddb @@ -7,4 +7,4 @@ # CDDB-enabled CD player applications. # -0 search/1/b #\040xmcd CDDB(tm) format CD text data +0 string/b #\040xmcd CDDB(tm) format CD text data diff --git a/magic/Magdir/clipper b/magic/Magdir/clipper index c325cb8..17483dc 100644 --- a/magic/Magdir/clipper +++ b/magic/Magdir/clipper @@ -60,5 +60,3 @@ >54 byte 2 -Cssw >54 byte 3 -Cspw >54 byte 4 -Cscb -4 string pipe CLIPPER instruction trace -4 string prof CLIPPER instruction profile diff --git a/magic/Magdir/commands b/magic/Magdir/commands index 0942802..391cf54 100644 --- a/magic/Magdir/commands +++ b/magic/Magdir/commands 
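Review bot: `!:mime application/x-java-applet` sits directly under the shared `0 belong 0xcafebabe` test, so it is attached to the magic-number match rather than to the `compiled Java class data` branch. The two `Mach-O fat file` branches under the same test would therefore presumably be reported with the Java MIME type as well, and anything that routes or filters files on the MIME output would then treat a native multi-architecture binary as a Java applet. The pack200 entry in the same hunk already places its `!:mime` line after its continuation lines, so the format appears to allow moving this one below `>4 belong >30 compiled Java class data,`. The old layout had the same placement, so this is carried over rather than introduced, but the rewrite is the natural place to fix it.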
@@ -3,7 +3,7 @@ # commands: file(1) magic for various shells and interpreters # #0 string : shell archive or script for antique kernel text -0 string/b #!\ /bin/sh POSIX shell script text executable +0 string/b #!\ /bin/sh Bourne shell script text executable !:mime text/x-shellscript 0 string/b #!\ /bin/csh C shell script text executable !:mime text/x-shellscript @@ -12,6 +12,8 @@ !:mime text/x-shellscript 0 string/b #!\ /bin/tcsh Tenex C shell script text executable !:mime text/x-shellscript +0 string/b #!\ /usr/bin/tcsh Tenex C shell script text executable +!:mime text/x-shellscript 0 string/b #!\ /usr/local/tcsh Tenex C shell script text executable !:mime text/x-shellscript 0 string/b #!\ /usr/local/bin/tcsh Tenex C shell script text executable @@ -56,26 +58,28 @@ # bash shell magic, from Peter Tobias (tobias@server.et-inf.fho-emden.de) 0 string/b #!\ /bin/bash Bourne-Again shell script text executable !:mime text/x-shellscript +0 string/b #!\ /usr/bin/bash Bourne-Again shell script text executable +!:mime text/x-shellscript 0 string/b #!\ /usr/local/bin/bash Bourne-Again shell script text executable !:mime text/x-shellscript # using env -0 string #!/usr/bin/env a ->15 string >\0 %s script text executable -0 string #!\ /usr/bin/env a ->16 string >\0 %s script text executable +0 string/B #!/usr/bin/env\ +>&0 string >\0 %s script text executable +0 string/B #!\ /usr/bin/env\ +>&0 string >\0 %s script text executable # PHP scripts # Ulf Harnhammar -0 search/1/c =3 byte&0xC =0x08 >>10 string x \b, was "%s" >3 byte &0x10 \b, has comment +>3 byte &0x20 \b, encrypted +>4 ledate >0 \b, last modified: %s +>8 byte 2 \b, max compression +>8 byte 4 \b, max speed >9 byte =0x00 \b, from FAT filesystem (MS-DOS, OS/2, NT) >9 byte =0x01 \b, from Amiga >9 byte =0x02 \b, from VMS 
@@ -43,11 +47,6 @@ >9 byte =0x0B \b, from NTFS filesystem (NT) >9 byte =0x0C \b, from QDOS >9 byte =0x0D \b, from Acorn RISCOS ->3 byte &0x10 \b, comment ->3 byte &0x20 \b, encrypted ->4 ledate >0 \b, last modified: %s ->8 byte 2 \b, max compression ->8 byte 4 \b, max speed # packed data, Huffman (minimum redundancy) codes on a byte-by-byte basis 0 string \037\036 packed data @@ -76,6 +75,11 @@ !:mime application/x-bzip2 >3 byte >47 \b, block size = %c00k +# lzip +0 string LZIP lzip compressed data +!:mime application/x-lzip +>4 byte x \b, version: %d + # squeeze and crunch # Michael Haardt 0 beshort 0x76FF squeezed data, @@ -189,6 +193,25 @@ # bug #364260) #0 string ]\000\000\200\000 LZMA compressed data +# LZMA (Lempel-Ziv-Markov chain-Algorithm) file format supported by: +# - 7-Zip +# - LZMA SDK +# - LZMA Utils +# +# Note that this is different format than the original format created +# by LZMA_Alone from older versions of LZMA SDK. These files are +# non-trivial to detect, because they have no magic bytes. +# +# This magic has been put into the public domain by Lasse Collin. +# Last updated: 2007-08-12 +0x00 string \xFFLZMA\x00 lzma compressed data, +>0x06 byte&0x10 0x00 single-block stream +>0x06 byte&0x10 0x10 multi-block stream + +# http://tukaani.org/xz/xz-file-format.txt +0 ustring \xFD7zXZ\x00 xz compressed data +!:mime application/x-xz + # AFX compressed files (Wolfram Kleff) 2 string -afx- AFX compressed file data 
@@ -202,3 +225,45 @@ >4 byte x - version %d >5 byte x \b.%d >6 belong x (%d bytes) + +# https://github.com/ckolivas/lrzip/blob/master/doc/magic.header.txt +0 string LRZI LRZIP compressed data +>4 byte x - version %d +>5 byte x \b.%d +!:mime application/x-lrzip + +# http://fastcompression.blogspot.fi/2013/04/lz4-streaming-format-final.html +0 lelong 0x184d2204 LZ4 compressed data (v1.4+) +!:mime application/x-lz4 +# Added by osm0sis@xda-developers.com +0 lelong 0x184c2103 LZ4 compressed data (v1.0-v1.3) +!:mime application/x-lz4 +0 lelong 0x184c2102 LZ4 compressed data (v0.1-v0.9) +!:mime application/x-lz4 + +# Zstandard compressed data +# https://github.com/facebook/zstd/blob/dev/zstd_compression_format.md +0 lelong 0xFD2FB522 Zstandard compressed data (v0.2) +!:mime application/x-zstd +0 lelong 0xFD2FB523 Zstandard compressed data (v0.3) +!:mime application/x-zstd +0 lelong 0xFD2FB524 Zstandard compressed data (v0.4) +!:mime application/x-zstd +0 lelong 0xFD2FB525 Zstandard compressed data (v0.5) +!:mime application/x-zstd +0 lelong 0xFD2FB526 Zstandard compressed data (v0.6) +!:mime application/x-zstd +0 lelong 0xFD2FB527 Zstandard compressed data (v0.7) +!:mime application/x-zstd +0 lelong 0xFD2FB528 Zstandard compressed data (v0.8+) +!:mime application/x-zstd + +# https://github.com/facebook/zstd/blob/dev/zstd_compression_format.md +0 lelong 0xEC30A437 Zstandard dictionary +!:mime application/x-zstd-dictionary +>4 lelong x (ID %u) + +# Snappy framing format +# http://code.google.com/p/snappy/source/browse/trunk/framing_format.txt +0 string \377\006\0\0sNaPpY snappy framed data +!:mime application/x-snappy-framed diff --git a/magic/Magdir/database b/magic/Magdir/database index 2e6ad2f..288fae1 100644 --- a/magic/Magdir/database +++ b/magic/Magdir/database 
@@ -208,13 +208,6 @@ >32 lelong 0x2601196D version 6, little-endian >>36 lelong x hash size %d bytes -# SE Linux policy database -0 lelong 0xf97cff8c SE Linux policy ->16 lelong x v%d ->20 lelong 1 MLS ->24 lelong x %d symbols ->28 lelong x %d ocons - # ICE authority file data (Wolfram Kleff) 2 string ICE ICE authority data diff --git a/magic/Magdir/erlang b/magic/Magdir/erlang index 59f55ec..c3224d2 100644 --- a/magic/Magdir/erlang +++ b/magic/Magdir/erlang @@ -12,7 +12,7 @@ >8 string BEAM Erlang BEAM file # 4.2 version may have a copyright notice! -4 string Tue Jan 22 14:32:44 MET 1991 Erlang JAM file - version 4.2 -79 string Tue Jan 22 14:32:44 MET 1991 Erlang JAM file - version 4.2 +#4 string Tue Jan 22 14:32:44 MET 1991 Erlang JAM file - version 4.2 +#79 string Tue Jan 22 14:32:44 MET 1991 Erlang JAM file - version 4.2 -4 string 1.0 Fri Feb 3 09:55:56 MET 1995 Erlang JAM file - version 4.3 +#4 string 1.0 Fri Feb 3 09:55:56 MET 1995 Erlang JAM file - version 4.3 diff --git a/magic/Magdir/filesystems b/magic/Magdir/filesystems index 36c2f72..2aed88c 100644 --- a/magic/Magdir/filesystems +++ b/magic/Magdir/filesystems 
@@ -3,29 +3,6 @@ # filesystems: file(1) magic for different filesystems # 0 string \366\366\366\366 PC formatted floppy with no filesystem -# Sun disk labels -# From /usr/include/sun/dklabel.h: -0774 beshort 0xdabe -# modified by Joerg Jenderek, because original test -# succeeds for Cabinet archive dao360.dl_ with negative blocks ->0770 long >0 Sun disk label ->>0 string x '%s ->>>31 string >\0 \b%s ->>>>63 string >\0 \b%s ->>>>>95 string >\0 \b%s ->>0 string x \b' ->>0734 short >0 %d rpm, ->>0736 short >0 %d phys cys, ->>0740 short >0 %d alts/cyl, ->>0746 short >0 %d interleave, ->>0750 short >0 %d data cyls, ->>0752 short >0 %d alt cyls, ->>0754 short >0 %d heads/partition, ->>0756 short >0 %d sectors/track, ->>0764 long >0 start cyl %ld, ->>0770 long x %ld blocks -# Is there a boot block written 1 sector in? ->512 belong&077777777 0600407 \b, boot block present # Joerg Jenderek: Smart Boot Manager backup file is 41 byte header + first sectors of disc # (http://btmgr.sourceforge.net/docs/user-guide-3.html) 0 string SBMBAKUP_ Smart Boot Manager backup file @@ -135,7 +112,8 @@ # variables according to grub-0.97/stage1/stage1.S or # http://www.gnu.org/software/grub/manual/grub.html#Embedded-data # usual values are marked with comments to get only informations of strange GRUB loaders ->0 ulelong 0x009048EB +>342 search/60 \0Geom\0 +#>0 ulelong x %x=0x009048EB , 0x2a9048EB 0 >>0x41 ubyte <2 >>>0x3E ubyte >2 \b; GRand Unified Bootloader # 0x3 for 0.5.95,0.93,0.94,0.96 0x4 for 1.90 @@ -1027,6 +1005,8 @@ # ext2/ext3 filesystems - Andreas Dilger # ext4 filesystem - Eric Sandeen +# volume label and UUID Russell Coker +# http://etbe.coker.com.au/2008/07/08/label-vs-uuid-vs-device/ 0x438 leshort 0xEF53 Linux >0x44c lelong x rev %d >0x43e leshort x \b.%d 
@@ -1042,25 +1022,32 @@ # else large RO_COMPAT? >>>0x464 lelong >0x0000007 ext4 filesystem data # else large INCOMPAT? ->>0x460 lelong >0x000003f ext4 filesystem data +>>0x460 lelong >0x000003f ext4 filesystem data +>0x468 belong x \b, UUID=%x +>0x46c beshort x \b-%x +>0x46e beshort x \b-%x +>0x470 beshort x \b-%x +>0x472 belong x \b-%x +>0x476 beshort x \b%x +>0x478 string >0 \b, volume name "%s" # General flags for any ext* fs ->0x460 lelong &0x0000004 (needs journal recovery) ->0x43a leshort &0x0000002 (errors) +>0x460 lelong &0x0000004 (needs journal recovery) +>0x43a leshort &0x0000002 (errors) # INCOMPAT flags ->0x460 lelong &0x0000001 (compressed) -#>0x460 lelong &0x0000002 (filetype) -#>0x460 lelong &0x0000010 (meta bg) ->0x460 lelong &0x0000040 (extents) ->0x460 lelong &0x0000080 (64bit) -#>0x460 lelong &0x0000100 (mmp) -#>0x460 lelong &0x0000200 (flex bg) +>0x460 lelong &0x0000001 (compressed) +#>0x460 lelong &0x0000002 (filetype) +#>0x460 lelong &0x0000010 (meta bg) +>0x460 lelong &0x0000040 (extents) +>0x460 lelong &0x0000080 (64bit) +#>0x460 lelong &0x0000100 (mmp) +#>0x460 lelong &0x0000200 (flex bg) # RO_INCOMPAT flags -#>0x464 lelong &0x0000001 (sparse super) ->0x464 lelong &0x0000002 (large files) ->0x464 lelong &0x0000008 (huge files) -#>0x464 lelong &0x0000010 (gdt checksum) -#>0x464 lelong &0x0000020 (many subdirs) -#>0x463 lelong &0x0000040 (extra isize) +#>0x464 lelong &0x0000001 (sparse super) +>0x464 lelong &0x0000002 (large files) +>0x464 lelong &0x0000008 (huge files) +#>0x464 lelong &0x0000010 (gdt checksum) +#>0x464 lelong &0x0000020 (many subdirs) +#>0x463 lelong &0x0000040 (extra isize) # SGI disk labels - Nathan Scott 0 belong 0x0BE5A941 SGI disk label (volume header) 
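Review bot: The new UUID lines format every field with a bare `%x`, which drops leading zeros, so a UUID with zero-leading fields prints shorter than the canonical 8-4-4-4-12 form and two different UUIDs can render to the same text. That makes the output unreliable for matching against blkid or fstab entries during triage. Use fixed widths, e.g. `>0x468 belong x \b, UUID=%08x` and `>0x46c beshort x \b-%04x`, with `%04x` on the closing `>0x476` field as well. The swap-signature hunk in magic/Magdir/linux (`>0x40c belong x UUID=%x` and the lines after it) has the same formatting and needs the same change. Separately, `>0x478 string >0 \b, volume name "%s"` has no precision; if the label field is 16 bytes, as I believe it is for ext2/3/4, `%.16s` would stop a full-length label from running into the following field.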
@@ -1178,6 +1165,7 @@ # reiserfs - russell@coker.com.au 0x10034 string ReIsErFs ReiserFS V3.5 0x10034 string ReIsEr2Fs ReiserFS V3.6 +0x10034 string ReIsEr3Fs ReiserFS V3.6.19 >0x1002c leshort x block size %d >0x10032 leshort &2 (mounted or unclean) >0x10000 lelong x num blocks %d @@ -1327,3 +1315,15 @@ # dvdisaster's .ecc # From: "Nelson A. de Oliveira" 0 string *dvdisaster* dvdisaster error correction file + +# Type: CROM filesystem +# From: Werner Fink +0 string CROMFS CROMFS +>6 string >\0 \b version %2.2s, +>8 ulequad >0 \b block data at %lld, +>16 ulequad >0 \b fblock table at %lld, +>24 ulequad >0 \b inode table at %lld, +>32 ulequad >0 \b root at %lld, +>40 ulelong >0 \b fblock size = %ld, +>44 ulelong >0 \b block size = %ld, +>48 ulequad >0 \b bytes = %lld diff --git a/magic/Magdir/games b/magic/Magdir/games index 32ccdfe..7c914f3 100644 --- a/magic/Magdir/games +++ b/magic/Magdir/games @@ -32,7 +32,7 @@ # Quake -0 string PACK Quake I or II world or extension +#0 string PACK Quake I or II world or extension #0 string -1\x0a Quake I demo #>30 string x version %.4s diff --git a/magic/Magdir/graphviz b/magic/Magdir/graphviz index cf47f4e..09f1f5c 100644 --- a/magic/Magdir/graphviz +++ b/magic/Magdir/graphviz @@ -1,7 +1,7 @@ #------------------------------------------------------------------------------ # graphviz: file(1) magic for http://www.graphviz.org/ -0 regex/100 [\r\n\t\ ]*graph[\r\n\t\ ]*.*\\{ graphviz graph text -!:mime text/vnd.graphviz -0 regex/100 [\r\n\t\ ]*digraph[\r\n\t\ ]*.*\\{ graphviz digraph text -!:mime text/vnd.graphviz +#0 regex/100 [\r\n\t\ ]*graph[\r\n\t\ ]*.*\\{ graphviz graph text +#!:mime text/vnd.graphviz +#0 regex/100 [\r\n\t\ ]*digraph[\r\n\t\ ]*.*\\{ graphviz digraph text +#!:mime text/vnd.graphviz diff --git a/magic/Magdir/images b/magic/Magdir/images index cccc70b..b50c165 100644 --- a/magic/Magdir/images +++ b/magic/Magdir/images 
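Review bot: The added `0x10034 string ReIsEr3Fs ReiserFS V3.6.19` line is inserted between the `ReIsEr2Fs` entry and the `>0x1002c`, `>0x10032` and `>0x10000` continuation lines, and continuation lines attach to the nearest preceding level-0 entry. After this change the block size, the `(mounted or unclean)` flag and the block count would be printed only for V3.6.19 images, while V3.6 images that previously showed them lose that detail. If the three signatures share one superblock layout, repeat the continuation lines under each entry, or move the new entry below the continuation block with its own copy. The continuation block may extend past the context shown in this hunk.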
@@ -159,10 +159,10 @@ 0 string BEGMF clear text Computer Graphics Metafile # MGR bitmaps (Michael Haardt, u31b3hs@pool.informatik.rwth-aachen.de) -0 string yz MGR bitmap, modern format, 8-bit aligned -0 string zz MGR bitmap, old format, 1-bit deep, 16-bit aligned -0 string xz MGR bitmap, old format, 1-bit deep, 32-bit aligned -0 string yx MGR bitmap, modern format, squeezed +#0 string yz MGR bitmap, modern format, 8-bit aligned +#0 string zz MGR bitmap, old format, 1-bit deep, 16-bit aligned +#0 string xz MGR bitmap, old format, 1-bit deep, 32-bit aligned +#0 string yx MGR bitmap, modern format, squeezed # Fuzzy Bitmap (FBM) images 0 string %bitmap\0 FBM image data @@ -528,11 +528,11 @@ # Bio-Rad .PIC is an image format used by microscope control systems # and related image processing software used by biologists. # From: Vebjorn Ljosa -54 leshort 12345 Bio-Rad .PIC Image File ->0 leshort >0 %hd x ->2 leshort >0 %hd, ->4 leshort =1 1 image in file ->4 leshort >1 %hd images in file +#54 leshort 12345 Bio-Rad .PIC Image File +#>0 leshort >0 %hd x +#>2 leshort >0 %hd, +#>4 leshort =1 1 image in file +#>4 leshort >1 %hd images in file # From Jan "Yenya" Kasprzak # The description of *.mrw format can be found at diff --git a/magic/Magdir/linux b/magic/Magdir/linux index aaedff4..7d449b3 100644 --- a/magic/Magdir/linux +++ b/magic/Magdir/linux 
@@ -56,11 +56,19 @@ # Linux swap file with swsusp1 image, from Jeff Bailey 4076 string SWAPSPACE2S1SUSPEND Linux/i386 swap file (new style) with SWSUSP1 image # according to man page of mkswap (8) March 1999 -4086 string SWAPSPACE2 Linux/i386 swap file (new style) ->0x400 long x %d (4K pages) ->0x404 long x size %d pages ->>4086 string SWAPSPACE2 ->>>1052 string >\0 Label %s +# volume label and UUID Russell Coker +# http://etbe.coker.com.au/2008/07/08/label-vs-uuid-vs-device/ +4086 string SWAPSPACE2 Linux/i386 swap file (new style), +>0x400 long x version %d (4K pages), +>0x404 long x size %d pages, +>1052 string \0 no label, +>1052 string >\0 LABEL=%s, +>0x40c belong x UUID=%x +>0x410 beshort x \b-%x +>0x412 beshort x \b-%x +>0x414 beshort x \b-%x +>0x416 belong x \b-%x +>0x41a beshort x \b%x # ECOFF magic for OSF/1 and Linux (only tested under Linux though) # # from Erik Troan (ewt@redhat.com) examining od dumps, so this @@ -188,14 +196,6 @@ 0 string OOOM User-Mode-Linux's Copy-On-Write disk image >4 belong x version %d -# SE Linux policy database -# From: Mike Frysinger -0 lelong 0xf97cff8c SE Linux policy ->16 lelong x v%d ->20 lelong 1 MLS ->24 lelong x %d symbols ->28 lelong x %d ocons - # Linux Logical Volume Manager (LVM) # Emmanuel VARAGNAT # @@ -239,13 +239,6 @@ >8 lelong x version %d, >12 lelong x chunk_size %d -# SE Linux policy database -0 lelong 0xf97cff8c SE Linux policy ->16 lelong x v%d ->20 lelong 1 MLS ->24 lelong x %d symbols ->28 lelong x %d ocons - # LUKS: Linux Unified Key Setup, On-Disk Format, http://luks.endorphin.org/spec # Anthon van der Neut (anthon@mnt.org) 0 string LUKS\xba\xbe LUKS encrypted file, diff --git a/magic/Magdir/lisp b/magic/Magdir/lisp index 60b740a..e701cdf 100644 --- a/magic/Magdir/lisp +++ b/magic/Magdir/lisp 
@@ -5,14 +5,18 @@ # updated by Joerg Jenderek # GRR: This lot is too weak -#0 string ;; +0 string ;; # windows INF files often begin with semicolon and use CRLF as line end # lisp files are mainly created on unix system with LF as line end -#>2 search/2048 !\r Lisp/Scheme program text +>2 search/2048 !\r Lisp/Scheme program text #>2 search/2048 \r Windows INF file 0 search/256 (if\ Lisp/Scheme program text !:mime text/x-lisp +0 search/256 (cons\ Lisp/Scheme program text +!:mime text/x-lisp +0 search/256 (list\ Lisp/Scheme program text +!:mime text/x-lisp 0 search/256 (setq\ Lisp/Scheme program text !:mime text/x-lisp 0 search/256 (defvar\ Lisp/Scheme program text diff --git a/magic/Magdir/lua b/magic/Magdir/lua index 9aa87b1..ec91d80 100644 --- a/magic/Magdir/lua +++ b/magic/Magdir/lua @@ -4,9 +4,9 @@ # From: Reuben Thomas , Seo Sanghyeon # Lua scripts -0 search/1/b #!\ /usr/bin/lua Lua script text executable +0 string/b #!\ /usr/bin/lua Lua script text executable !:mime text/x-lua -0 search/1/b #!\ /usr/local/bin/lua Lua script text executable +0 string/b #!\ /usr/local/bin/lua Lua script text executable !:mime text/x-lua 0 search/1 #!/usr/bin/env\ lua Lua script text executable !:mime text/x-lua diff --git a/magic/Magdir/m4 b/magic/Magdir/m4 new file mode 100644 index 0000000..86c8465 --- /dev/null +++ b/magic/Magdir/m4 @@ -0,0 +1,2 @@ +0 string #\ This\ is\ a\ frozen\ state\ file\ g +>30 string generated\ by\ GNU\ M4\ GNU M4 frozen state file diff --git a/magic/Magdir/macintosh b/magic/Magdir/macintosh deleted file mode 100644 index 77187a3..0000000 --- a/magic/Magdir/macintosh +++ /dev/null 
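Review bot: Uncommenting `0 string ;;` and `>2 search/2048 !\r` re-enables a test that the comment directly above it (`# GRR: This lot is too weak`) still describes as unreliable. Any file that begins with two semicolons would now be reported as Lisp/Scheme program text, which matters wherever file(1) output feeds an upload filter or a triage rule. The re-enabled entry also has no `!:mime text/x-lisp` line, unlike every `search/256` sibling in this hunk, so `file -i` would answer differently for the same description. Either leave the pair commented out, or add the `!:mime` line and replace the stale comment with one that states the accepted false positives, e.g. `# weak: matches any file starting with ";;"`.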
@@ -1,374 +0,0 @@ - -#------------------------------------------------------------------------------ -# macintosh description -# -# BinHex is the Macintosh ASCII-encoded file format (see also "apple") -# Daniel Quinlan, quinlan@yggdrasil.com -11 string must\ be\ converted\ with\ BinHex BinHex binary text -!:mime application/mac-binhex40 ->41 string x \b, version %.3s - -# Stuffit archives are the de facto standard of compression for Macintosh -# files obtained from most archives. (franklsm@tuns.ca) -0 string SIT! StuffIt Archive (data) ->2 string x : %s -0 string SITD StuffIt Deluxe (data) ->2 string x : %s -0 string Seg StuffIt Deluxe Segment (data) ->2 string x : %s - -# Newer StuffIt archives (grant@netbsd.org) -0 string StuffIt StuffIt Archive -!:mime application/x-stuffit -#>162 string >0 : %s - -# Macintosh Applications and Installation binaries (franklsm@tuns.ca) -# GRR: Too weak -#0 string APPL Macintosh Application (data) -#>2 string x \b: %s - -# Macintosh System files (franklsm@tuns.ca) -# GRR: Too weak -#0 string zsys Macintosh System File (data) -#0 string FNDR Macintosh Finder (data) -#0 string libr Macintosh Library (data) -#>2 string x : %s -#0 string shlb Macintosh Shared Library (data) -#>2 string x : %s -#0 string cdev Macintosh Control Panel (data) -#>2 string x : %s -#0 string INIT Macintosh Extension (data) -#>2 string x : %s -#0 string FFIL Macintosh Truetype Font (data) -#>2 string x : %s -#0 string LWFN Macintosh Postscript Font (data) -#>2 string x : %s - -# Additional Macintosh Files (franklsm@tuns.ca) -# GRR: Too weak -#0 string PACT Macintosh Compact Pro Archive (data) -#>2 string x : %s -#0 string ttro Macintosh TeachText File (data) -#>2 string x : %s -#0 string TEXT Macintosh TeachText File (data) -#>2 string x : %s -#0 string PDF Macintosh PDF File (data) -#>2 string x : %s - -# MacBinary format (Eric Fischer, enf@pobox.com) -# -# Unfortunately MacBinary doesn't really have a magic number prior -# to the MacBinary III format. 
The checksum is really the way to -# do it, but the magic file format isn't up to the challenge. -# -# 0 byte 0 -# 1 byte # filename length -# 2 string # filename -# 65 string # file type -# 69 string # file creator -# 73 byte # Finder flags -# 74 byte 0 -# 75 beshort # vertical posn in window -# 77 beshort # horiz posn in window -# 79 beshort # window or folder ID -# 81 byte # protected? -# 82 byte 0 -# 83 belong # length of data segment -# 87 belong # length of resource segment -# 91 belong # file creation date -# 95 belong # file modification date -# 99 beshort # length of comment after resource -# 101 byte # new Finder flags -# 102 string mBIN # (only in MacBinary III) -# 106 byte # char. code of file name -# 107 byte # still more Finder flags -# 116 belong # total file length -# 120 beshort # length of add'l header -# 122 byte 129 # for MacBinary II -# 122 byte 130 # for MacBinary III -# 123 byte 129 # minimum version that can read fmt -# 124 beshort # checksum -# -# This attempts to use the version numbers as a magic number, requiring -# that the first one be 0x80, 0x81, 0x82, or 0x83, and that the second -# be 0x81. This works for the files I have, but maybe not for everyone's. - -# Unfortunately, this magic is quite weak - MPi -#122 beshort&0xFCFF 0x8081 Macintosh MacBinary data - -# MacBinary I doesn't have the version number field at all, but MacBinary II -# has been in use since 1987 so I hope there aren't many really old files -# floating around that this will miss. The original spec calls for using -# the nulls in 0, 74, and 82 as the magic number. -# -# Another possibility, that would also work for MacBinary I, is to use -# the assumption that 65-72 will all be ASCII (0x20-0x7F), that 73 will -# have bits 1 (changed), 2 (busy), 3 (bozo), and 6 (invisible) unset, -# and that 74 will be 0. 
So something like -# -# 71 belong&0x80804EFF 0x00000000 Macintosh MacBinary data -# -# >73 byte&0x01 0x01 \b, inited -# >73 byte&0x02 0x02 \b, changed -# >73 byte&0x04 0x04 \b, busy -# >73 byte&0x08 0x08 \b, bozo -# >73 byte&0x10 0x10 \b, system -# >73 byte&0x10 0x20 \b, bundle -# >73 byte&0x10 0x40 \b, invisible -# >73 byte&0x10 0x80 \b, locked - -#>65 string x \b, type "%4.4s" - -#>65 string 8BIM (PhotoShop) -#>65 string ALB3 (PageMaker 3) -#>65 string ALB4 (PageMaker 4) -#>65 string ALT3 (PageMaker 3) -#>65 string APPL (application) -#>65 string AWWP (AppleWorks word processor) -#>65 string CIRC (simulated circuit) -#>65 string DRWG (MacDraw) -#>65 string EPSF (Encapsulated PostScript) -#>65 string FFIL (font suitcase) -#>65 string FKEY (function key) -#>65 string FNDR (Macintosh Finder) -#>65 string GIFf (GIF image) -#>65 string Gzip (GNU gzip) -#>65 string INIT (system extension) -#>65 string LIB\ (library) -#>65 string LWFN (PostScript font) -#>65 string MSBC (Microsoft BASIC) -#>65 string PACT (Compact Pro archive) -#>65 string PDF\ (Portable Document Format) -#>65 string PICT (picture) -#>65 string PNTG (MacPaint picture) -#>65 string PREF (preferences) -#>65 string PROJ (Think C project) -#>65 string QPRJ (Think Pascal project) -#>65 string SCFL (Defender scores) -#>65 string SCRN (startup screen) -#>65 string SITD (StuffIt Deluxe) -#>65 string SPn3 (SuperPaint) -#>65 string STAK (HyperCard stack) -#>65 string Seg\ (StuffIt segment) -#>65 string TARF (Unix tar archive) -#>65 string TEXT (ASCII) -#>65 string TIFF (TIFF image) -#>65 string TOVF (Eudora table of contents) -#>65 string WDBN (Microsoft Word word processor) -#>65 string WORD (MacWrite word processor) -#>65 string XLS\ (Microsoft Excel) -#>65 string ZIVM (compress (.Z)) -#>65 string ZSYS (Pre-System 7 system file) -#>65 string acf3 (Aldus FreeHand) -#>65 string cdev (control panel) -#>65 string dfil (Desk Acessory suitcase) -#>65 string libr (library) -#>65 string nX^d (WriteNow word processor) 
-#>65 string nX^w (WriteNow dictionary) -#>65 string rsrc (resource) -#>65 string scbk (Scrapbook) -#>65 string shlb (shared library) -#>65 string ttro (SimpleText read-only) -#>65 string zsys (system file) - -#>69 string x \b, creator "%4.4s" - -# Somewhere, Apple has a repository of registered Creator IDs. These are -# just the ones that I happened to have files from and was able to identify. - -#>69 string 8BIM (Adobe Photoshop) -#>69 string ALD3 (PageMaker 3) -#>69 string ALD4 (PageMaker 4) -#>69 string ALFA (Alpha editor) -#>69 string APLS (Apple Scanner) -#>69 string APSC (Apple Scanner) -#>69 string BRKL (Brickles) -#>69 string BTFT (BitFont) -#>69 string CCL2 (Common Lisp 2) -#>69 string CCL\ (Common Lisp) -#>69 string CDmo (The Talking Moose) -#>69 string CPCT (Compact Pro) -#>69 string CSOm (Eudora) -#>69 string DMOV (Font/DA Mover) -#>69 string DSIM (DigSim) -#>69 string EDIT (Macintosh Edit) -#>69 string ERIK (Macintosh Finder) -#>69 string EXTR (self-extracting archive) -#>69 string Gzip (GNU gzip) -#>69 string KAHL (Think C) -#>69 string LWFU (LaserWriter Utility) -#>69 string LZIV (compress) -#>69 string MACA (MacWrite) -#>69 string MACS (Macintosh operating system) -#>69 string MAcK (MacKnowledge terminal emulator) -#>69 string MLND (Defender) -#>69 string MPNT (MacPaint) -#>69 string MSBB (Microsoft BASIC (binary)) -#>69 string MSWD (Microsoft Word) -#>69 string NCSA (NCSA Telnet) -#>69 string PJMM (Think Pascal) -#>69 string PSAL (Hunt the Wumpus) -#>69 string PSI2 (Apple File Exchange) -#>69 string R*ch (BBEdit) -#>69 string RMKR (Resource Maker) -#>69 string RSED (Resource Editor) -#>69 string Rich (BBEdit) -#>69 string SIT! (StuffIt) -#>69 string SPNT (SuperPaint) -#>69 string Unix (NeXT Mac filesystem) -#>69 string VIM! 
(Vim editor) -#>69 string WILD (HyperCard) -#>69 string XCEL (Microsoft Excel) -#>69 string aCa2 (Fontographer) -#>69 string aca3 (Aldus FreeHand) -#>69 string dosa (Macintosh MS-DOS file system) -#>69 string movr (Font/DA Mover) -#>69 string nX^n (WriteNow) -#>69 string pdos (Apple ProDOS file system) -#>69 string scbk (Scrapbook) -#>69 string ttxt (SimpleText) -#>69 string ufox (Foreign File Access) - -# Just in case... - -102 string mBIN MacBinary III data with surprising version number - -# sas magic from Bruce Foster (bef@nwu.edu) -# -#0 string SAS SAS -#>8 string x %s -0 string SAS SAS ->24 string DATA data file ->24 string CATALOG catalog ->24 string INDEX data file index ->24 string VIEW data view -# sas 7+ magic from Reinhold Koch (reinhold.koch@roche.com) -# -0x54 string SAS SAS 7+ ->0x9C string DATA data file ->0x9C string CATALOG catalog ->0x9C string INDEX data file index ->0x9C string VIEW data view - -# spss magic for SPSS system and portable files, -# from Bruce Foster (bef@nwu.edu). - -0 long 0xc1e2c3c9 SPSS Portable File ->40 string x %s - -0 string $FL2 SPSS System File ->24 string x %s - -# Macintosh filesystem data -# From "Tom N Harris" -# Fixed HFS+ and Partition map magic: Ethan Benson -# The MacOS epoch begins on 1 Jan 1904 instead of 1 Jan 1970, so these -# entries depend on the data arithmetic added after v.35 -# There's also some Pascal strings in here, ditto... - -# The boot block signature, according to IM:Files, is -# "for HFS volumes, this field always contains the value 0x4C4B." -# But if this is true for MFS or HFS+ volumes, I don't know. -# Alternatively, the boot block is supposed to be zeroed if it's -# unused, so a simply >0 should suffice. 
- -0x400 beshort 0xD2D7 Macintosh MFS data ->0 beshort 0x4C4B (bootable) ->0x40a beshort &0x8000 (locked) ->0x402 beldate-0x7C25B080 x created: %s, ->0x406 beldate-0x7C25B080 >0 last backup: %s, ->0x414 belong x block size: %d, ->0x412 beshort x number of blocks: %d, ->0x424 pstring x volume name: %s - -# "BD" is has many false positives -#0x400 beshort 0x4244 Macintosh HFS data -#>0 beshort 0x4C4B (bootable) -#>0x40a beshort &0x8000 (locked) -#>0x40a beshort ^0x0100 (mounted) -#>0x40a beshort &0x0200 (spared blocks) -#>0x40a beshort &0x0800 (unclean) -#>0x47C beshort 0x482B (Embedded HFS+ Volume) -#>0x402 beldate-0x7C25B080 x created: %s, -#>0x406 beldate-0x7C25B080 x last modified: %s, -#>0x440 beldate-0x7C25B080 >0 last backup: %s, -#>0x414 belong x block size: %d, -#>0x412 beshort x number of blocks: %d, -#>0x424 pstring x volume name: %s - -0x400 beshort 0x482B Macintosh HFS Extended ->&0 beshort x version %d data ->0 beshort 0x4C4B (bootable) ->0x404 belong ^0x00000100 (mounted) ->&2 belong &0x00000200 (spared blocks) ->&2 belong &0x00000800 (unclean) ->&2 belong &0x00008000 (locked) ->&6 string x last mounted by: '%.4s', -# really, that should be treated as a belong and we print a string -# based on the value. TN1150 only mentions '8.10' for "MacOS 8.1" ->&14 beldate-0x7C25B080 x created: %s, -# only the creation date is local time, all other timestamps in HFS+ are UTC. ->&18 bedate-0x7C25B080 x last modified: %s, ->&22 bedate-0x7C25B080 >0 last backup: %s, ->&26 bedate-0x7C25B080 >0 last checked: %s, ->&38 belong x block size: %d, ->&42 belong x number of blocks: %d, ->&46 belong x free blocks: %d - -# I don't think this is really necessary since it doesn't do much and -# anything with a valid driver descriptor will also have a valid -# partition map -#0 beshort 0x4552 Apple Device Driver data -#>&24 beshort =1 \b, MacOS - -# Is that the partition type a cstring or a pstring? 
Well, IM says "strings -# shorter than 32 bytes must be terminated with NULL" so I'll treat it as a -# cstring. Of course, partitions can contain more than four entries, but -# what're you gonna do? -# GRR: This magic is too weak, it is just "PM" -#0x200 beshort 0x504D Apple Partition data -#>0x2 beshort x (block size: %d): -#>0x230 string x first type: %s, -#>0x210 string x name: %s, -#>0x254 belong x number of blocks: %d, -#>0x400 beshort 0x504D -#>>0x430 string x second type: %s, -#>>0x410 string x name: %s, -#>>0x454 belong x number of blocks: %d, -#>>0x600 beshort 0x504D -#>>>0x630 string x third type: %s, -#>>>0x610 string x name: %s, -#>>>0x654 belong x number of blocks: %d, -#>>0x800 beshort 0x504D -#>>>0x830 string x fourth type: %s, -#>>>0x810 string x name: %s, -#>>>0x854 belong x number of blocks: %d, -#>>>0xa00 beshort 0x504D -#>>>>0xa30 string x fifth type: %s, -#>>>>0xa10 string x name: %s, -#>>>>0xa54 belong x number of blocks: %d -#>>>0xc00 beshort 0x504D -#>>>>0xc30 string x sixth type: %s, -#>>>>0xc10 string x name: %s, -#>>>>0xc54 belong x number of blocks: %d -## AFAIK, only the signature is different -#0x200 beshort 0x5453 Apple Old Partition data -#>0x2 beshort x block size: %d, -#>0x230 string x first type: %s, -#>0x210 string x name: %s, -#>0x254 belong x number of blocks: %d, -#>0x400 beshort 0x504D -#>>0x430 string x second type: %s, -#>>0x410 string x name: %s, -#>>0x454 belong x number of blocks: %d, -#>>0x800 beshort 0x504D -#>>>0x830 string x third type: %s, -#>>>0x810 string x name: %s, -#>>>0x854 belong x number of blocks: %d, -#>>>0xa00 beshort 0x504D -#>>>>0xa30 string x fourth type: %s, -#>>>>0xa10 string x name: %s, -#>>>>0xa54 belong x number of blocks: %d - -# From: Remi Mommsen -0 string BOMStore Mac OS X bill of materials (BOM) file diff --git a/magic/Magdir/mcrypt b/magic/Magdir/mcrypt index e862f59..b5145d6 100644 --- a/magic/Magdir/mcrypt +++ b/magic/Magdir/mcrypt 
@@ -1,13 +1,17 @@ #------------------------------------------------------------------------------ # Mavroyanopoulos Nikos -# mcrypt: file(1) magic for mcrypt 2.2.x; +# mcrypt: file(1) magic for mcrypt 2.5; 0 string \0m\3 mcrypt 2.5 encrypted data, >4 string >\0 algorithm: %s, >>&1 leshort >0 keysize: %d bytes, >>>&0 string >\0 mode: %s, +>>>>&1 string >\0 key generator: %s +#end mcrypt 2.5 +#------------------------------------------------------------------------------ +# mcrypt: file(1) magic for mcrypt 2.2; 0 string \0m\2 mcrypt 2.2 encrypted data, ->3 byte 0 algorithm: blowfish-448, +>3 byte 0 algorithm: BLOWFISH-448, >3 byte 1 algorithm: DES, >3 byte 2 algorithm: 3DES, >3 byte 3 algorithm: 3-WAY, 
@@ -17,20 +21,62 @@ >3 byte 8 algorithm: CAST-128, >3 byte 9 algorithm: xTEA, >3 byte 10 algorithm: TWOFISH-128, ->3 byte 11 algorithm: RC2, +>3 byte 11 algorithm: RC2-1024, >3 byte 12 algorithm: TWOFISH-192, >3 byte 13 algorithm: TWOFISH-256, ->3 byte 14 algorithm: blowfish-128, ->3 byte 15 algorithm: blowfish-192, ->3 byte 16 algorithm: blowfish-256, ->3 byte 100 algorithm: RC6, +>3 byte 14 algorithm: BLOWFISH-128, +>3 byte 15 algorithm: BLOWFISH-192, +>3 byte 16 algorithm: BLOWFISH-256, +>3 byte 17 algorithm: CAST-256, +>3 byte 18 algorithm: SAFER+, +>3 byte 19 algorithm: LOKI97, +>3 byte 20 algorithm: SERPENT-128, +>3 byte 21 algorithm: SERPENT-192, +>3 byte 22 algorithm: SERPENT-256, +>3 byte 23 algorithm: RIJNDAEL-128, +>3 byte 24 algorithm: RIJNDAEL-192, +>3 byte 25 algorithm: RIJNDAEL-256, +>3 byte 26 algorithm: RC2-256, +>3 byte 27 algorithm: RC2-128, +>3 byte 100 algorithm: RC6-256, >3 byte 101 algorithm: IDEA, +>3 byte 102 algorithm: RC6-128, +>3 byte 103 algorithm: RC6-192, +>3 byte 104 algorithm: RC4, >4 byte 0 mode: CBC, >4 byte 1 mode: ECB, >4 byte 2 mode: CFB, >4 byte 3 mode: OFB, >4 byte 4 mode: nOFB, +>4 byte 5 mode: STREAM, >5 byte 0 keymode: 8bit >5 byte 1 keymode: 4bit >5 byte 2 keymode: SHA-1 hash >5 byte 3 keymode: MD5 hash +#end mcrypt 2.2 + +#------------------------------------------------------------------------------ +# mcrypt: file(1) magic for mcrypt 2.1; +0 string \0m\0 mcrypt 2.1 encrypted data, +>3 byte 0 algorithm: BLOWFISH, +>3 byte 1 algorithm: DES, +>3 byte 2 algorithm: 3DES, +>3 byte 3 algorithm: 3-WAY, +>3 byte 4 algorithm: GOST, +>3 byte 6 algorithm: SAFER-SK64, +>3 byte 7 algorithm: SAFER-SK128, +>3 byte 8 algorithm: CAST-128, +>3 byte 9 algorithm: xTEA, +>3 byte 10 algorithm: TWOFISH-128, +>3 byte 11 algorithm: RC2, +>3 byte 12 algorithm: TWOFISH-192, +>3 byte 13 algorithm: TWOFISH-256, +>3 byte 100 algorithm: RC6, +>3 byte 101 algorithm: IDEA, +>4 byte 0 mode: CBC, +>4 byte 1 mode: ECB, +>4 byte 2 mode: CFB, +>4 byte 3 
mode: OFB, +>5 byte 0 keymode: 8bit +>5 byte 1 keymode: 4bit +#end mcrypt 2.1 diff --git a/magic/Magdir/modem b/magic/Magdir/modem index 73e747e..a5775b0 100644 --- a/magic/Magdir/modem +++ b/magic/Magdir/modem @@ -2,9 +2,9 @@ # modem: file(1) magic for modem programs # # From: Florian La Roche -4 string Research, Digifax-G3-File ->29 byte 1 , fine resolution ->29 byte 0 , normal resolution +1 string PC\ Research,\ Inc Digifax-G3-File +>29 byte 1 \b, fine resolution +>29 byte 0 \b, normal resolution 0 short 0x0100 raw G3 data, byte-padded 0 short 0x1400 raw G3 data diff --git a/magic/Magdir/msdos b/magic/Magdir/msdos index cdd7c93..a249432 100644 --- a/magic/Magdir/msdos +++ b/magic/Magdir/msdos @@ -18,8 +18,8 @@ # OS/2 batch files are REXX. the second regex is a bit generic, oh well # the matched commands seem to be common in REXX and uncommon elsewhere -100 regex/c =^[\ \t]{0,10}call[\ \t]{1,10}rxfunc OS/2 REXX batch file text -100 regex/c =^[\ \t]{0,10}say\ ['"] OS/2 REXX batch file text +#100 regex/c =^[\ \t]{0,10}call[\ \t]{1,10}rxfunc OS/2 REXX batch file text +#100 regex/c =^[\ \t]{0,10}say\ ['"] OS/2 REXX batch file text 0 leshort 0x14c MS Windows COFF Intel 80386 object file #>4 ledate x stamp %s @@ -68,6 +68,7 @@ >>&0 leshort 0x290 PA-RISC >>&18 leshort&0x0100 >0 32-bit >>&18 leshort&0x1000 >0 system file +>>&228 lelong >0 \b, Mono/.Net assembly >>&0xf4 search/0x140 \x0\x40\x1\x0 >>>(&0.l+(4)) string MSCF \b, WinHKI CAB self-extracting archive >30 string Copyright\ 1989-1990\ PKWARE\ Inc. Self-extracting PKZIP archive 
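Review bot: The new top-level test `0 string \0m\0` for mcrypt 2.1 is a three-byte signature with two NUL bytes, and the description is printed as soon as it matches. BOM-less UTF-16BE text whose first character is `m` starts with the same bytes (inferred from the encoding, not tested here), so such files would be labelled "mcrypt 2.1 encrypted data", and a false "encrypted" label is costly for scanners and DLP rules that key on it. The 2.1 block already reads byte 5 as the keymode, so the description can be gated on it: leave the description off `0 string \0m\0` and emit it from `>5 byte <2 mcrypt 2.1 encrypted data,`, with the algorithm and mode lines one level deeper.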
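Review bot: The added `>>&228 lelong >0 \b, Mono/.Net assembly` uses a fixed offset that lands on the CLR runtime header entry only for PE32 images; this assumes the parent test, which starts outside this hunk, is the usual `PE\0\0` match. In PE32+ the data directories begin 16 bytes later, so the same offset holds a different directory entry that is normally non-zero, and 64-bit native executables may be reported as Mono/.Net assemblies. Gate the test on the optional-header magic, for example `>>&20 leshort 0x10b` for PE32 with the Mono line nested beneath it and its offset recomputed. A parallel entry under `0x20b` at the PE32+ offset would cover 64-bit assemblies.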
@@ -271,7 +272,7 @@ # a few unknown ZIP sfxes, no idea if they are needed or if they are # already captured by the generic patterns above ->122 string Windows\ self-extracting\ ZIP \b, ZIP self-extracting archive +>0x7a string Windows\ self-extracting\ ZIP \b, ZIP self-extracting archive >(8.s*16) search/0x20 PKSFX \b, ZIP self-extracting archive (PKZIP) # TODO: how to add this? >FileSize-34 string Windows\ Self-Installing\ Executable \b, ZIP self-extracting archive # @@ -290,25 +291,40 @@ >6 string SFX\ of\ LHarc (%s) 0 belong 0xffffffff DOS executable (device driver) #CMD640X2.SYS ->10 string >\x23 ->>10 string !\x2e ->>>17 string <\x5B ->>>>10 string x \b, name: %.8s -#UDMA.SYS KEYB.SYS CMD640X2.SYS ->10 string <\x41 ->>12 string >\x40 ->>>10 string !$ ->>>>12 string x \b, name: %.8s -#BTCDROM.SYS ASPICD.SYS ->22 string >\x40 ->>22 string <\x5B ->>>23 string <\x5B ->>>>22 string x \b, name: %.8s +>10 string >\x23 +>>10 string !\x2e +>>>17 string <\x5B +>>>>10 string CMD640X2.SYS \b, name: %.8s +#UDMA.SYS +>10 string <\x41 +>>12 string >\x40 +>>>10 string !$ +>>>>12 string UDMA.SYS \b, name: %.8s +#CMD640X2.SYS +>10 string <\x41 +>>12 string >\x40 +>>>10 string !$ +>>>>12 string CMD640X2.SYS \b, name: %.8s +#KEYB.SYS +>10 string <\x41 +>>12 string >\x40 +>>>10 string !$ +>>>>12 string KEYB.SYS \b, name: %.8s +#BTCDROM.SYS +>22 string >\x40 +>>22 string <\x5B +>>>23 string <\x5B +>>>>22 string BTCDROM.SYS \b, name: %.8s +#ASPICD.SYS +>22 string >\x40 +>>22 string <\x5B +>>>23 string <\x5B +>>>>22 string ASPICD.SYS \b, name: %.8s #ATAPICD.SYS ->76 string \0 ->>77 string >\x40 ->>>77 string <\x5B ->>>>77 string x \b, name: %.8s +>76 string \0 +>>77 string >\x40 +>>>77 string <\x5B +>>>>77 string ATAPICD.SYS \b, name: %.8s #0 byte 0x8c DOS executable (COM) # 0xeb conflicts with "sequent" magic #0 byte 0xeb DOS executable (COM) 
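Review bot: In the device-driver block the innermost tests changed from `string x` to literals such as `>>>>10 string CMD640X2.SYS`, so the name is printed only when the bytes at that offset spell out that exact file name, extension included. `%.8s` then cuts the output to eight characters, and any driver not on the list loses its name from the output. The UDMA, CMD640X2 and KEYB blocks also repeat the same three parent tests at offsets 10 and 12, which triples the work for no gain in selectivity. If the literals are meant to record which sample files each heuristic came from, keep them in the `#` comments and leave the test as `>>>>10 string x \b, name: %.8s`. The enclosing `0 belong 0xffffffff` entry continues past this hunk.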
@@ -360,7 +376,7 @@ # FIXME: missing diet .com compression # miscellaneous formats -0 string LZ MS-DOS executable (built-in) +#0 string LZ MS-DOS executable (built-in) #0 byte 0xf0 MS-DOS program library data # @@ -595,8 +611,8 @@ # See msdn.microsoft.com/archive/en-us/dnargdi/html/msdn_enhmeta.asp # for further information. 0 ulelong 1 ->40 string \ EMF Windows Enhanced Metafile (EMF) image data ->>44 ulelong x version 0x%x +>40 string \ EMF +>>44 ulelong x Windows Enhanced Metafile (EMF) image data version 0x%x # From: Alex Beregszaszi 0 string COWD VMWare3 @@ -692,7 +708,7 @@ # Type: Microsoft Document Imaging Format (.mdi) # URL: http://en.wikipedia.org/wiki/Microsoft_Document_Imaging_Format # From: Daniele Sempione -0 short 0x5045 Microsoft Document Imaging Format +#0 short 0x5045 Microsoft Document Imaging Format # MS eBook format (.lit) 0 string ITOLITLS Microsoft Reader eBook Data diff --git a/magic/Magdir/os400 b/magic/Magdir/os400 deleted file mode 100644 index 3dc05bf..0000000 --- a/magic/Magdir/os400 +++ /dev/null 
@@ -1,37 +0,0 @@ -#------------------------------------------------------------------------------ -# os400: file(1) magic for IBM OS/400 files -# -# IBM OS/400 (i5/OS) Save file (SAVF) - gerardo.cacciari@gmail.com -# In spite of its quite variable format (due to internal memory page -# length differences between CISC and RISC versions of the OS) the -# SAVF structure hasn't suitable offsets to identify the catalog -# header in the first descriptor where there are some useful infos, -# so we must search in a somewhat large area for a particular string -# that represents the EBCDIC encoding of 'QSRDSSPC' (save/restore -# descriptor space) preceded by a two byte constant. -# -1090 search/7393 \x19\xDB\xD8\xE2\xD9\xC4\xE2\xE2\xD7\xC3 IBM OS/400 save file data ->&212 byte 0x01 \b, created with SAVOBJ ->&212 byte 0x02 \b, created with SAVLIB ->&212 byte 0x07 \b, created with SAVCFG ->&212 byte 0x08 \b, created with SAVSECDTA ->&212 byte 0x0A \b, created with SAVSECDTA ->&212 byte 0x0B \b, created with SAVDLO ->&212 byte 0x0D \b, created with SAVLICPGM ->&212 byte 0x11 \b, created with SAVCHGOBJ ->&213 byte 0x44 \b, at least V5R4 to open ->&213 byte 0x43 \b, at least V5R3 to open ->&213 byte 0x42 \b, at least V5R2 to open ->&213 byte 0x41 \b, at least V5R1 to open ->&213 byte 0x40 \b, at least V4R5 to open ->&213 byte 0x3F \b, at least V4R4 to open ->&213 byte 0x3E \b, at least V4R3 to open ->&213 byte 0x3C \b, at least V4R2 to open ->&213 byte 0x3D \b, at least V4R1M4 to open ->&213 byte 0x3B \b, at least V4R1 to open ->&213 byte 0x3A \b, at least V3R7 to open ->&213 byte 0x35 \b, at least V3R6 to open ->&213 byte 0x36 \b, at least V3R2 to open ->&213 byte 0x34 \b, at least V3R1 to open ->&213 byte 0x31 \b, at least V3R0M5 to open ->&213 byte 0x30 \b, at least V2R3 to open diff --git a/magic/Magdir/palm b/magic/Magdir/palm index e57e119..006d4a6 100644 --- a/magic/Magdir/palm +++ b/magic/Magdir/palm 
@@ -1,64 +1,72 @@ #------------------------------------------------------------------------------ -# palm: file(1) magic for PalmOS {.prc,.pdb}: applications, docfiles, and hacks +# $File: palm,v 1.8 2011/12/15 16:21:43 christos Exp $ +# palm: file(1) magic for PalmOS {.prc,.pdb}: applications, docfiles, and hacks # # Brian Lalor +# These are weak, byte 59 is not guaranteed to be 0 and there are +# 8 character identifiers at byte 60, one I found for appl is BIGb. +# What are the possibilities and where is this documented? + # appl -60 belong 0x6170706c PalmOS application ->0 string >\0 "%s" +#59 byte \0 +#>60 string appl PalmOS application +#>0 string >\0 "%s" # TEXt -60 belong 0x54455874 AportisDoc file ->0 string >\0 "%s" +#59 byte \0 +#>60 belong TEXt AportisDoc file +#>0 string >\0 "%s" # HACK -60 belong 0x4841434b HackMaster hack ->0 string >\0 "%s" +#59 byte \0 +#>60 string HACK HackMaster hack +#>0 string >\0 "%s" # Variety of PalmOS document types # Michael-John Turner # Thanks to Hasan Umit Ezerce for his DocType -60 string BVokBDIC BDicty PalmOS document ->0 string >\0 "%s" -60 string DB99DBOS DB PalmOS document ->0 string >\0 "%s" -60 string vIMGView FireViewer/ImageViewer PalmOS document ->0 string >\0 "%s" -60 string PmDBPmDB HanDBase PalmOS document ->0 string >\0 "%s" -60 string InfoINDB InfoView PalmOS document ->0 string >\0 "%s" -60 string ToGoToGo iSilo PalmOS document ->0 string >\0 "%s" -60 string JfDbJBas JFile PalmOS document ->0 string >\0 "%s" -60 string JfDbJFil JFile Pro PalmOS document ->0 string >\0 "%s" -60 string DATALSdb List PalmOS document ->0 string >\0 "%s" -60 string Mdb1Mdb1 MobileDB PalmOS document ->0 string >\0 "%s" -60 string PNRdPPrs PeanutPress PalmOS document ->0 string >\0 "%s" -60 string DataPlkr Plucker PalmOS document ->0 string >\0 "%s" -60 string DataSprd QuickSheet PalmOS document ->0 string >\0 "%s" -60 string SM01SMem SuperMemo PalmOS document ->0 string >\0 "%s" -60 string TEXtTlDc TealDoc PalmOS document ->0 
string >\0 "%s" -60 string InfoTlIf TealInfo PalmOS document ->0 string >\0 "%s" -60 string DataTlMl TealMeal PalmOS document ->0 string >\0 "%s" -60 string DataTlPt TealPaint PalmOS document ->0 string >\0 "%s" -60 string dataTDBP ThinkDB PalmOS document ->0 string >\0 "%s" -60 string TdatTide Tides PalmOS document ->0 string >\0 "%s" -60 string ToRaTRPW TomeRaider PalmOS document ->0 string >\0 "%s" +60 string BVokBDIC BDicty PalmOS document +>0 string >\0 "%s" +60 string DB99DBOS DB PalmOS document +>0 string >\0 "%s" +60 string vIMGView FireViewer/ImageViewer PalmOS document +>0 string >\0 "%s" +60 string PmDBPmDB HanDBase PalmOS document +>0 string >\0 "%s" +60 string InfoINDB InfoView PalmOS document +>0 string >\0 "%s" +60 string ToGoToGo iSilo PalmOS document +>0 string >\0 "%s" +60 string JfDbJBas JFile PalmOS document +>0 string >\0 "%s" +60 string JfDbJFil JFile Pro PalmOS document +>0 string >\0 "%s" +60 string DATALSdb List PalmOS document +>0 string >\0 "%s" +60 string Mdb1Mdb1 MobileDB PalmOS document +>0 string >\0 "%s" +60 string PNRdPPrs PeanutPress PalmOS document +>0 string >\0 "%s" +60 string DataPlkr Plucker PalmOS document +>0 string >\0 "%s" +60 string DataSprd QuickSheet PalmOS document +>0 string >\0 "%s" +60 string SM01SMem SuperMemo PalmOS document +>0 string >\0 "%s" +60 string TEXtTlDc TealDoc PalmOS document +>0 string >\0 "%s" +60 string InfoTlIf TealInfo PalmOS document +>0 string >\0 "%s" +60 string DataTlMl TealMeal PalmOS document +>0 string >\0 "%s" +60 string DataTlPt TealPaint PalmOS document +>0 string >\0 "%s" +60 string dataTDBP ThinkDB PalmOS document +>0 string >\0 "%s" +60 string TdatTide Tides PalmOS document +>0 string >\0 "%s" +60 string ToRaTRPW TomeRaider PalmOS document +>0 string >\0 "%s" # A GutenPalm zTXT etext for use on Palm Pilots (http://gutenpalm.sf.net) # For version 1.xx zTXTs, outputs version and numbers of bookmarks and 
@@ -81,11 +89,11 @@ >>(0x4E.L+1) byte x %02d) # Palm OS .prc file types -60 string libr Palm OS dynamic library data ->0 string >\0 "%s" -60 string ptch Palm OS operating system patch data ->0 string >\0 "%s" +#60 string libr Palm OS dynamic library data +#>0 string >\0 "%s" +#60 string ptch Palm OS operating system patch data +#>0 string >\0 "%s" # Mobipocket (www.mobipocket.com), donated by Carl Witty -60 string BOOKMOBI Mobipocket E-book ->0 string >\0 "%s" +60 string BOOKMOBI Mobipocket E-book +>0 string >\0 "%s" diff --git a/magic/Magdir/perl b/magic/Magdir/perl index 73fb88b..c774cfd 100644 --- a/magic/Magdir/perl +++ b/magic/Magdir/perl 
@@ -4,27 +4,27 @@ # The `eval' lines recognizes an outrageously clever hack. # Keith Waclena # Send additions to -0 search/1/b #!\ /bin/perl Perl script text executable +0 string/b #!\ /bin/perl perl script text executable !:mime text/x-perl -0 search/1 eval\ "exec\ /bin/perl Perl script text +0 search/1 eval\ "exec\ /bin/perl perl script text !:mime text/x-perl -0 search/1/b #!\ /usr/bin/perl Perl script text executable +0 string/b #!\ /usr/bin/perl perl script text executable !:mime text/x-perl -0 search/1 eval\ "exec\ /usr/bin/perl Perl script text +0 search/1 eval\ "exec\ /usr/bin/perl perl script text !:mime text/x-perl -0 search/1/b #!\ /usr/local/bin/perl Perl script text executable +0 string/b #!\ /usr/local/bin/perl perl script text executable !:mime text/x-perl -0 search/1 eval\ "exec\ /usr/local/bin/perl Perl script text +0 search/1 eval\ "exec\ /usr/local/bin/perl perl script text !:mime text/x-perl -0 search/1 eval\ '(exit\ $?0)'\ &&\ eval\ 'exec Perl script text +0 search/1 eval\ '(exit\ $?0)'\ &&\ eval\ 'exec perl script text !:mime text/x-perl # by Dmitry V. Levin and Alexey Tourbin # check the first line 0 search/1 package -0 regex \^package[\ \t]+[A-Za-z_] ->0 regex \^package[\ \t]+[0-9A-Za-z_:]+\ *; Perl5 module source text +>0 regex \^package[\ \t]+[A-Za-z_] +>>0 regex \^package[\ \t]+[0-9A-Za-z_:]+\ *; Perl5 module source text # not 'p', check other lines 0 search/1 !p >0 regex \^package[\ \t]+[0-9A-Za-z_:]+\ *; @@ -34,12 +34,12 @@ # Perl POD documents # 
From: Tom Hukins -0 search/1/B \=pod\n Perl POD document text -0 search/1/B \n\=pod\n Perl POD document text -0 search/1/B \=head1\ Perl POD document text -0 search/1/B \n\=head1\ Perl POD document text -0 search/1/B \=head2\ Perl POD document text -0 search/1/B \n\=head2\ Perl POD document text +#0 string/B \=pod\n Perl POD document text +#0 string/B \n\=pod\n Perl POD document text +#0 string/B \=head1\ Perl POD document text +#0 string/B \n\=head1\ Perl POD document text +#0 string/B \=head2\ Perl POD document text +#0 string/B \n\=head2\ Perl POD document text # Perl Storable data files. 0 string perl-store perl Storable (v0.6) data diff --git a/magic/Magdir/python b/magic/Magdir/python index 9fac2b9..6d9b628 100644 --- a/magic/Magdir/python +++ b/magic/Magdir/python @@ -4,8 +4,9 @@ # # From: David Necas # often the module starts with a multiline string -0 string """ a python script text executable -# MAGIC as specified in Python/import.c (1.5 to 2.3.0a) +0 string """ a python script text +# MAGIC as specified in Python/import.c (1.5 to 2.7a0 and 3.1a0, assuming +# that Py_UnicodeFlag is off for Python 2) # 20121 ( YEAR - 1995 ) + MONTH + DAY (little endian followed by "\r\n" 0 belong 0x994e0d0a python 1.5/1.6 byte-compiled 0 belong 0x87c60d0a python 2.0 byte-compiled 
@@ -14,6 +15,15 @@ 0 belong 0x3bf20d0a python 2.3 byte-compiled 0 belong 0x6df20d0a python 2.4 byte-compiled 0 belong 0xb3f20d0a python 2.5 byte-compiled +0 belong 0xd1f20d0a python 2.6 byte-compiled +0 belong 0x03f30d0a python 2.7 byte-compiled +0 belong 0x3b0c0d0a python 3.0 byte-compiled +0 belong 0x4f0c0d0a python 3.1 byte-compiled +0 belong 0x6c0c0d0a python 3.2 byte-compiled +0 belong 0x9e0c0d0a python 3.3 byte-compiled -0 string/b #!\ /usr/bin/python python script text executable +0 string/b #!\ /usr/bin/python3 python3 script text executable +0 string/b #!\ /usr/bin/python2 python script text executable +0 string/B #!/usr/bin/python\n python script text executable +0 string/B #!\ /usr/bin/python\n python script text executable diff --git a/magic/Magdir/revision b/magic/Magdir/revision index a809cb9..824c2fa 100644 --- a/magic/Magdir/revision +++ b/magic/Magdir/revision @@ -17,3 +17,14 @@ 0 string HG10 Mercurial bundle, >4 string UN uncompressed >4 string BZ bzip2 compressed + +# Type: Subversion (SVN) dumps +# From: Uwe Zeisberger +0 string SVN-fs-dump-format-version: Subversion dumpfile +>28 string >\0 (version: %s) + +# Type: Bazaar revision bundles and merge requests +# URL: http://www.bazaar-vcs.org/ +# From: Jelmer Vernooij +0 string #\ Bazaar\ revision\ bundle\ v Bazaar Bundle +0 string #\ Bazaar\ merge\ directive\ format Bazaar merge directive diff --git a/magic/Magdir/ruby b/magic/Magdir/ruby index de6f2a0..4f5c655 100644 --- a/magic/Magdir/ruby +++ b/magic/Magdir/ruby @@ -4,7 +4,7 @@ # From: Reuben Thomas # Ruby scripts -0 search/1/b #!\ /usr/bin/ruby Ruby script text executable -0 search/1/b #!\ /usr/local/bin/ruby Ruby script text executable +0 string/b #!\ /usr/bin/ruby Ruby script text executable +0 string/b #!\ /usr/local/bin/ruby Ruby script text executable 0 search/1 #!/usr/bin/env\ ruby Ruby script text executable 0 search/1 #!\ /usr/bin/env\ ruby Ruby script text executable 
diff --git a/magic/Magdir/scientific b/magic/Magdir/scientific index f7aedae..5c6791e 100644 --- a/magic/Magdir/scientific +++ b/magic/Magdir/scientific @@ -15,22 +15,22 @@ # Electron density MAP/MASK formats 0 string EZD_MAP NEWEZD Electron Density Map -109 string MAP\040( Old EZD Electron Density Map +#109 string MAP\040( Old EZD Electron Density Map 0 string/c :-)\040Origin BRIX Electron Density Map >170 string >0 , Sigma:%.12s #>4 string >0 %.178s #>4 addr x %.178s -7 string 18\040!NTITLE XPLOR ASCII Electron Density Map -9 string \040!NTITLE\012\040REMARK CNS ASCII electron density map +#7 string 18\040!NTITLE XPLOR ASCII Electron Density Map +#9 string \040!NTITLE\012\040REMARK CNS ASCII electron density map -208 string MAP\040 CCP4 Electron Density Map +#208 string MAP\040 CCP4 Electron Density Map # Assumes same stamp for float and double (normal case) ->212 byte 17 \b, Big-endian ->212 byte 34 \b, VAX format ->212 byte 68 \b, Little-endian ->212 byte 85 \b, Convex native +#>212 byte 17 \b, Big-endian +#>212 byte 34 \b, VAX format +#>212 byte 68 \b, Little-endian +#>212 byte 85 \b, Convex native ############################################################ # X-Ray Area Detector images @@ -60,7 +60,7 @@ # Type: GEDCOM genealogical (family history) data # From: Giuseppe Bilotta -0 search/1/c 0\ HEAD GEDCOM genealogy text +0 string/c 0\ HEAD GEDCOM genealogy text >&0 search 1\ GEDC >>&0 search 2\ VERS version >>>&1 search/1 >\0 %s diff --git a/magic/Magdir/selinux b/magic/Magdir/selinux new file mode 100644 index 0000000..c6bee4e --- /dev/null +++ b/magic/Magdir/selinux @@ -0,0 +1,32 @@ +# SE Linux policy database +# From: Mike Frysinger +0 lelong 0xf97cff8c SE Linux policy +>16 lelong x v%d +>20 lelong 1 MLS +>24 lelong x %d symbols +>28 lelong x %d ocons + +# Type: SE Linux policy modules *.pp reference policy +# for Fedora 5 to 9, RHEL5, and Debian Etch and Lenny. +# URL: http://doc.coker.com.au/computers/selinux-magic +# 
From: Russell Coker + +0 lelong 0xf97cff8f SE Linux modular policy +>4 lelong x version %d, +>8 lelong x %d sections, +>>(12.l) lelong 0xf97cff8d +>>>(12.l+27) lelong x mod version %d, +>>>(12.l+31) lelong 0 Not MLS, +>>>(12.l+31) lelong 1 MLS, +>>>(12.l+23) lelong 2 +>>>>(12.l+47) string >\0 module name %s +>>>(12.l+23) lelong 1 base + +1 string policy_module( SE Linux policy module source +2 string policy_module( SE Linux policy module source + +0 string ##\ SE Linux policy interface source + +#0 search gen_context( SE Linux policy file contexts + +#0 search gen_sens( SE Linux policy MLS constraints source diff --git a/magic/Magdir/sendmail b/magic/Magdir/sendmail index 7880ab5..c0c2971 100644 --- a/magic/Magdir/sendmail +++ b/magic/Magdir/sendmail @@ -4,8 +4,8 @@ # # XXX - byte order? # -0 byte 046 Sendmail frozen configuration ->16 string >\0 - version %s +#0 byte 046 Sendmail frozen configuration +#>16 string >\0 - version %s 0 short 0x271c Sendmail frozen configuration >16 string >\0 - version %s diff --git a/magic/Magdir/sgml b/magic/Magdir/sgml index 7e3391b..3793f3f 100644 --- a/magic/Magdir/sgml +++ b/magic/Magdir/sgml @@ -19,41 +19,41 @@ # HyperText Markup Language (HTML) is an SGML document type, # from Daniel Quinlan (quinlan@yggdrasil.com) # adapted to string extenstions by Anthon van der Neut MAXPATHLEN) { + if (*buf && strlen(*buf) > MAXPATHLEN) { free(*buf); *buf = NULL; } diff --git a/src/ascmagic.c b/src/ascmagic.c index c374e02..7f1dfe2 100644 --- a/src/ascmagic.c +++ b/src/ascmagic.c 
@@ -166,6 +166,31 @@ file_ascmagic(struct magic_set *ms, const unsigned char *buf, size_t nbytes) goto done; } + /* + * for troff, look for . + letter + letter or .\"; + * this must be done to disambiguate tar archives' ./file + * and other trash from real troff input. + * + * I believe Plan 9 troff allows non-ASCII characters in the names + * of macros, so this test might possibly fail on such a file. + */ + if ((ms->flags & MAGIC_NO_CHECK_TROFF) == 0 && *ubuf == '.') { + unichar *tp = ubuf + 1; + + while (ISSPC(*tp)) + ++tp; /* skip leading whitespace */ + if ((tp[0] == '\\' && tp[1] == '\"') || + (isascii((unsigned char)tp[0]) && + isalnum((unsigned char)tp[0]) && + isascii((unsigned char)tp[1]) && + isalnum((unsigned char)tp[1]) && + ISSPC(tp[2]))) { + subtype_mime = "text/troff"; + subtype = "troff or preprocessor input"; + goto subtype_identified; + } + } + /* Convert ubuf to UTF-8 and try text soft magic */ /* If original was ASCII or UTF-8, could use nbuf instead of re-converting. */ @@ -258,7 +283,7 @@ subtype_identified: if (mime) { if (mime & MAGIC_MIME_TYPE) { if (subtype_mime) { - if (file_printf(ms, subtype_mime) == -1) + if (file_printf(ms, "%s", subtype_mime) == -1) goto done; } else { if (file_printf(ms, "text/plain") == -1) @@ -270,26 +295,26 @@ subtype_identified: if ((mime & MAGIC_MIME_TYPE) && file_printf(ms, " charset=") == -1) goto done; - if (file_printf(ms, code_mime) == -1) + if (file_printf(ms, "%s", code_mime) == -1) goto done; } if (mime == MAGIC_MIME_ENCODING) file_printf(ms, "binary"); } else { - if (file_printf(ms, code) == -1) + if (file_printf(ms, "%s", code) == -1) goto done; if (subtype) { if (file_printf(ms, " ") == -1) goto done; - if (file_printf(ms, subtype) == -1) + if (file_printf(ms, "%s", subtype) == -1) goto done; } if (file_printf(ms, " ") == -1) goto done; - if (file_printf(ms, type) == -1) + if (file_printf(ms, "%s", type) == -1) goto done; if (has_long_lines) 
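Review bot: The added troff test advances `tp` with `while (ISSPC(*tp)) ++tp;` and then reads `tp[0]`, `tp[1]` and `tp[2]` without comparing against the number of characters decoded into `ubuf`, so input consisting of a dot followed only by whitespace can be scanned past the end of the data unless the buffer is guaranteed to end in a non-space terminator (its allocation is outside the hunk). Bounding the walk, for example `while (tp < end && ISSPC(*tp))` followed by `end - tp >= 3` before the comparison, with `end` being `ubuf` plus the decoded length, removes that dependence. Separately, `isascii((unsigned char)tp[0])` narrows the value before testing it; if `unichar` is wider than a byte, a non-ASCII code point whose low byte is alphanumeric passes, and `tp[0] < 128 && isalnum((int)tp[0])` avoids the truncation. file_ascmagic's body starts and ends outside the hunk.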
diff --git a/src/compress.c b/src/compress.c index 5867ac9..ef76e42 100644 --- a/src/compress.c +++ b/src/compress.c @@ -77,6 +77,11 @@ private const struct { { "PK\3\4", 4, { "gzip", "-cdq", NULL }, 1 }, /* pkzipped, */ /* ...only first file examined */ { "BZh", 3, { "bzip2", "-cd", NULL }, 1 }, /* bzip2-ed */ + { "LZIP", 4, { "lzip", "-cdq", NULL }, 1 }, /* lzip-ed */ + { "\3757zXZ\0",6,{ "xz", "-cd", NULL }, 1 }, /* XZ Utils */ + { "LRZI", 4, { "lrzip", "-do", NULL }, 1 }, /* LRZIP */ + { "\004\"M\030", 4, { "lz4", "-cdq", NULL }, 1 }, /* LZ4 */ + { "\x28\xB5\x2F\xFD", 4, { "zstd", "-cdq", NULL }, 1 }, /* zstd */ }; private size_t ncompr = sizeof(compr) / sizeof(compr[0]); @@ -371,6 +376,7 @@ uncompressbuf(struct magic_set *ms, int fd, size_t method, const unsigned char *old, unsigned char **newch, size_t n) { int fdin[2], fdout[2]; + pid_t pid1 = -1, pid2 = -1; int r; #ifdef BUILTIN_DECOMPRESS @@ -385,7 +391,7 @@ uncompressbuf(struct magic_set *ms, int fd, size_t method, file_error(ms, errno, "cannot create pipe"); return NODATA; } - switch (fork()) { + switch ((pid1=fork())) { case 0: /* child */ (void) close(0); if (fd != -1) { @@ -426,7 +432,7 @@ uncompressbuf(struct magic_set *ms, int fd, size_t method, * fork again, to avoid blocking because both * pipes filled */ - switch (fork()) { + switch ((pid2=fork())) { case 0: /* child */ (void)close(fdout[0]); if (swrite(fdin[1], old, n) != (ssize_t)n) { @@ -481,12 +487,8 @@ err: if (fdin[1] != -1) (void) close(fdin[1]); (void) close(fdout[0]); -#ifdef WNOHANG - while (waitpid(-1, NULL, WNOHANG) != -1) - continue; -#else - (void)wait(NULL); -#endif + waitpid(pid1, NULL, 0); + waitpid(pid2, NULL, 0); return n; } } diff --git a/src/file.h b/src/file.h index aab1137..8540daf 100644 --- a/src/file.h +++ b/src/file.h @@ -302,7 +302,7 @@ struct level_info { int last_match; int last_cond; /* used for error checking by parse() */ #endif -} *li; +}; struct magic_set { struct mlist *mlist; struct cont { 
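Review bot: The new `lrzip` row passes `-do` with no following operand, while lrzip's `-o` option takes an output file name, so this helper would most likely exit with a usage error instead of writing to the pipe; every other added row uses a `-c` form that writes to stdout. If stdout is intended, an explicit form such as `{ "lrzip", "-dqo", "-", NULL }` says so, to be verified against the lrzip version in use and against the size of the argv array, which is declared outside the hunk. Each added row also hands untrusted file content to one more external decompressor named without a path, so a comment above the table recording how the helper is located and that its input is attacker-controlled would help the next reviewer.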
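Review bot: In the cleanup hunk, `waitpid(pid2, NULL, 0)` runs unconditionally although `pid2` starts at -1 and is only assigned at the second `fork()`; on any path that reaches this point without that fork, or after a `fork()` that returned -1, the call becomes `waitpid(-1, NULL, 0)`, which blocks until some arbitrary child of the calling process exits and then reaps it. In a library embedded in other programs that can hang the caller or take an exit status the host expected to collect itself. Guarding both calls, `if (pid1 > 0) (void)waitpid(pid1, NULL, 0);` and `if (pid2 > 0) (void)waitpid(pid2, NULL, 0);`, keeps the reaping limited to the helpers started here. Whether every path performs the second fork cannot be seen from these hunks.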
diff --git a/src/fsmagic.c b/src/fsmagic.c index f3b2372..786285c 100644 --- a/src/fsmagic.c +++ b/src/fsmagic.c @@ -117,7 +117,8 @@ file_fsmagic(struct magic_set *ms, const char *fn, struct stat *sb) if (file_printf(ms, "cannot open `%s' (%s)", fn, strerror(errno)) == -1) return -1; - return 1; + ms->haderr++; + return -1; } if (!mime) { diff --git a/src/funcs.c b/src/funcs.c index af98605..84b6834 100644 --- a/src/funcs.c +++ b/src/funcs.c @@ -152,6 +152,20 @@ file_badread(struct magic_set *ms) file_error(ms, errno, "error reading"); } +private int mime_encoding(struct magic_set *ms, const unsigned char *buf, size_t size) +{ + size_t dummy; + + if (file_looks_utf8(buf, size, NULL, &dummy) == 1) + { + if (file_printf(ms, "7bit") == -1) + return -1; + } else if (file_printf(ms, "binary") == -1) + return -1; + + return 1; +} + #ifndef COMPILE_ONLY protected int file_buffer(struct magic_set *ms, int fd, const char *inname, const void *buf, @@ -187,6 +201,8 @@ file_buffer(struct magic_set *ms, int fd, const char *inname, const void *buf, } } #endif + if (ms->flags & MAGIC_MIME_ENCODING && !(ms->flags & MAGIC_MIME_TYPE)) + return mime_encoding(ms, ubuf, nb); /* try compression stuff */ if ((ms->flags & MAGIC_NO_CHECK_COMPRESS) != 0 || diff --git a/src/is_tar.c b/src/is_tar.c index a931111..fefabe8 100644 --- a/src/is_tar.c +++ b/src/is_tar.c @@ -75,7 +75,7 @@ file_is_tar(struct magic_set *ms, const unsigned char *buf, size_t nbytes) if (mime == MAGIC_MIME_ENCODING) return 0; - if (file_printf(ms, mime ? "application/x-tar" : + if (file_printf(ms, "%s", mime ? "application/x-tar" : tartype[tar - 1]) == -1) return -1; return 1; diff --git a/src/names.h b/src/names.h index 2682edc..90b7b19 100644 --- a/src/names.h +++ b/src/names.h @@ -152,8 +152,6 @@ static const struct names { {".text", L_MACH}, {"clr", L_MACH}, {"(input,", L_PAS}, - {"program", L_PAS}, - {"record", L_PAS}, {"dcl", L_PLI}, {"Received:", L_MAIL}, {">From", L_MAIL}, 
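Review bot: The added test `ms->flags & MAGIC_MIME_ENCODING && !(ms->flags & MAGIC_MIME_TYPE)` in file_buffer relies on `&` binding tighter than `&&`; it evaluates as intended, but it draws a parentheses warning from common compilers and reads ambiguously next to the fully parenthesised `(ms->flags & MAGIC_NO_CHECK_COMPRESS) != 0` just below it. Writing it as `if ((ms->flags & MAGIC_MIME_ENCODING) != 0 && (ms->flags & MAGIC_MIME_TYPE) == 0)` matches the surrounding style. The `mime_encoding()` helper added in the previous hunk also has no comment; a line such as `/* Print "7bit" when file_looks_utf8() returns 1, otherwise "binary"; returns 1, or -1 if printing fails. */` would record that every other result of that function, including whatever it returns for multi-byte UTF-8, is reported as binary. file_buffer's body continues outside the hunk.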
diff --git a/src/readelf.c b/src/readelf.c index 9dcaf09..7d3af69 100644 --- a/src/readelf.c +++ b/src/readelf.c @@ -298,6 +298,7 @@ dophn_core(struct magic_set *ms, int clazz, int swap, int fd, off_t off, ssize_t bufsize; off_t savedoffset; struct stat st; + size_t bs_for_read; if (fstat(fd, &st) < 0) { file_badread(ms); @@ -318,7 +319,7 @@ dophn_core(struct magic_set *ms, int clazz, int swap, int fd, off_t off, file_badseek(ms); return -1; } - if (read(fd, xph_addr, xph_sizeof) == -1) { + if (read(fd, xph_addr, xph_sizeof) < (ssize_t)xph_sizeof) { file_badread(ms); return -1; } @@ -342,9 +343,9 @@ dophn_core(struct magic_set *ms, int clazz, int swap, int fd, off_t off, file_badseek(ms); return -1; } - bufsize = read(fd, nbuf, - ((xph_filesz < sizeof(nbuf)) ? xph_filesz : sizeof(nbuf))); - if (bufsize == -1) { + bs_for_read = (xph_filesz < sizeof(nbuf)) ? xph_filesz : sizeof(nbuf); + bufsize = read(fd, nbuf, bs_for_read); + if (bufsize < (ssize_t) bs_for_read) { file_badread(ms); return -1; } @@ -838,7 +839,7 @@ doshn(struct magic_set *ms, int clazz, int swap, int fd, off_t off, int num, } for ( ; num; num--) { - if (read(fd, xsh_addr, xsh_sizeof) == -1) { + if (read(fd, xsh_addr, xsh_sizeof) < (ssize_t)xsh_sizeof) { file_badread(ms); return -1; } @@ -875,7 +876,7 @@ doshn(struct magic_set *ms, int clazz, int swap, int fd, off_t off, int num, noff = 0; for (;;) { - if (noff >= (size_t)xsh_size) + if (noff >= (off_t)xsh_size) break; noff = donote(ms, nbuf, (size_t)noff, (size_t)xsh_size, clazz, swap, 4, @@ -907,8 +908,9 @@ doshn(struct magic_set *ms, int clazz, int swap, int fd, off_t off, int num, for (;;) { Elf32_Cap cap32; Elf64_Cap cap64; - char cbuf[MAX(sizeof cap32, sizeof cap64)]; - if ((coff += xcap_sizeof) >= (size_t)xsh_size) + char cbuf[/*CONSTCOND*/ + MAX(sizeof cap32, sizeof cap64)]; + if ((coff += xcap_sizeof) >= (off_t)xsh_size) break; if (read(fd, cbuf, (size_t)xcap_sizeof) != (ssize_t)xcap_sizeof) { 
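Review bot: The new short-read checks in dophn_core, `read(fd, xph_addr, xph_sizeof) < (ssize_t)xph_sizeof` and `bufsize < (ssize_t) bs_for_read`, send a truncated file down the same path as a failed read, and `file_badread()` formats `errno`, which a short but successful `read()` does not set. The reported reason can therefore be an unrelated, stale error string. Separating the two cases keeps the stricter length check while giving truncated ELF input its own message; the same pattern recurs in the doshn hunk and in the two dophn_exec hunks. The enclosing loop starts and ends outside the hunk.

```c
bs_for_read = (xph_filesz < sizeof(nbuf)) ? xph_filesz : sizeof(nbuf);
bufsize = read(fd, nbuf, bs_for_read);
if (bufsize == -1) {
	file_badread(ms);
	return -1;
}
if ((size_t)bufsize < bs_for_read) {
	/* short read without an error: errno is not meaningful */
	file_error(ms, 0, "truncated ELF segment");
	return -1;
}
```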
@@ -929,7 +931,8 @@ doshn(struct magic_set *ms, int clazz, int swap, int fd, off_t off, int num, if (file_printf(ms, ", with unknown capability " "0x%llx = 0x%llx", - xcap_tag, xcap_val) == -1) + (unsigned long long)xcap_tag, + (unsigned long long)xcap_val) == -1) return -1; break; } @@ -976,11 +979,12 @@ doshn(struct magic_set *ms, int clazz, int swap, int fd, off_t off, int num, if (cap_hw1) if (file_printf(ms, " unknown hardware capability 0x%llx", - cap_hw1) == -1) + (unsigned long long)cap_hw1) == -1) return -1; } else { if (file_printf(ms, - " hardware capability 0x%llx", cap_hw1) == -1) + " hardware capability 0x%llx", + (unsigned long long)cap_hw1) == -1) return -1; } } @@ -996,7 +1000,7 @@ doshn(struct magic_set *ms, int clazz, int swap, int fd, off_t off, int num, if (cap_sf1) if (file_printf(ms, ", with unknown software capability 0x%llx", - cap_sf1) == -1) + (unsigned long long)cap_sf1) == -1) return -1; } return 0; @@ -1020,6 +1024,7 @@ dophn_exec(struct magic_set *ms, int clazz, int swap, int fd, off_t off, size_t offset, align; off_t savedoffset = (off_t)-1; struct stat st; + size_t bs_for_read; if (fstat(fd, &st) < 0) { file_badread(ms); @@ -1038,7 +1043,7 @@ dophn_exec(struct magic_set *ms, int clazz, int swap, int fd, off_t off, } for ( ; num; num--) { - if (read(fd, xph_addr, xph_sizeof) == -1) { + if (read(fd, xph_addr, xph_sizeof) < (ssize_t)xph_sizeof) { file_badread(ms); return -1; } @@ -1089,9 +1094,10 @@ dophn_exec(struct magic_set *ms, int clazz, int swap, int fd, off_t off, file_badseek(ms); return -1; } - bufsize = read(fd, nbuf, ((xph_filesz < sizeof(nbuf)) ? - xph_filesz : sizeof(nbuf))); - if (bufsize == -1) { + + bs_for_read = (xph_filesz < sizeof(nbuf)) ? xph_filesz : sizeof(nbuf); + bufsize = read(fd, nbuf, bs_for_read); + if (bufsize < (ssize_t)bs_for_read) { file_badread(ms); return -1; } diff --git a/src/softmagic.c b/src/softmagic.c index 39a7fc8..071cd63 100644 --- a/src/softmagic.c +++ b/src/softmagic.c 
@@ -157,9 +157,9 @@ match(struct magic_set *ms, struct magic *magic, uint32_t nmagic, * main entry didn't match, * flush its continuations */ - while (magindex < nmagic - 1 && - magic[magindex + 1].cont_level != 0) - magindex++; + while (magindex + 1 < nmagic && + magic[magindex + 1].cont_level != 0) + magindex++; continue; } @@ -410,7 +410,7 @@ mprint(struct magic_set *ms, struct magic *m) if (m->reln == '=' || m->reln == '!') { if (file_printf(ms, MAGIC_DESC, m->value.s) == -1) return -1; - t = ms->offset + m->vallen; + t = ms->offset + ms->search.rm_len; } else { if (*m->value.s == '\0') @@ -529,7 +529,7 @@ mprint(struct magic_set *ms, struct magic *m) if ((m->str_flags & REGEX_OFFSET_START)) t = ms->search.offset; else - t = ms->search.offset + m->vallen; + t = ms->search.offset + ms->search.rm_len; break; case FILE_DEFAULT: @@ -799,6 +799,7 @@ mcopy(struct magic_set *ms, union VALUETYPE *p, int type, int indir, ms->search.s = (const char *)s + offset; ms->search.s_len = nbytes - offset; ms->search.offset = offset; + ms->search.rm_len = 0; return 0; case FILE_REGEX: { @@ -844,7 +845,7 @@ mcopy(struct magic_set *ms, union VALUETYPE *p, int type, int indir, /* check for pointer overflow */ if (src < s) { - file_magerror(ms, "invalid offset %zu in mcopy()", + file_magerror(ms, "invalid offset %u in mcopy()", offset); return -1; } @@ -861,10 +862,12 @@ mcopy(struct magic_set *ms, union VALUETYPE *p, int type, int indir, } } *edst = '\0'; + ms->search.rm_len = 0; return 0; } case FILE_STRING: /* XXX - these two should not need */ case FILE_PSTRING: /* to copy anything, but do anyway. */ + ms->search.rm_len = 0; default: break; } @@ -1440,7 +1443,7 @@ mget(struct magic_set *ms, const unsigned char *s, } private uint64_t -file_strncmp(const char *s1, const char *s2, size_t len, uint32_t flags) +file_strncmp(const char *s1, const char *s2, size_t len, size_t *rlen, uint32_t flags) { /* * Convert the source args to unsigned here so that (1) the 
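Review bot: In the mcopy hunk at `case FILE_PSTRING:`, the added `ms->search.rm_len = 0;` now falls through into `default: break;` without a marker, where before the labels were empty; it works, but a case added between them later would silently change behaviour. Ending the arm with its own `break;`, or putting a `/*FALLTHROUGH*/` comment before `default:`, makes the intent explicit. The reset is also repeated in three arms of this switch (the FILE_SEARCH arm, the arm ending at `*edst = '\0';`, and here), so a single `ms->search.rm_len = 0;` ahead of the switch would be harder to miss when a new type is added, assuming no arm relies on the previous value, which the hunks do not show. mcopy's body starts and ends outside the hunks.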
@@ -1498,11 +1501,12 @@ file_strncmp(const char *s1, const char *s2, size_t len, uint32_t flags) } } } + *rlen = b - (const unsigned char *)s2; return v; } private uint64_t -file_strncmp16(const char *a, const char *b, size_t len, uint32_t flags) +file_strncmp16(const char *a, const char *b, size_t len, size_t *rlen, uint32_t flags) { /* * XXX - The 16-bit string compare probably needs to be done @@ -1510,7 +1514,7 @@ file_strncmp16(const char *a, const char *b, size_t len, uint32_t flags) * At the moment, I am unsure. */ flags = 0; - return file_strncmp(a, b, len, flags); + return file_strncmp(a, b, len, rlen, flags); } private int @@ -1635,13 +1639,13 @@ magiccheck(struct magic_set *ms, struct magic *m) case FILE_STRING: case FILE_PSTRING: l = 0; - v = file_strncmp(m->value.s, p->s, (size_t)m->vallen, m->str_flags); + v = file_strncmp(m->value.s, p->s, (size_t)m->vallen, &ms->search.rm_len, m->str_flags); break; case FILE_BESTRING16: case FILE_LESTRING16: l = 0; - v = file_strncmp16(m->value.s, p->s, (size_t)m->vallen, m->str_flags); + v = file_strncmp16(m->value.s, p->s, (size_t)m->vallen, &ms->search.rm_len, m->str_flags); break; case FILE_SEARCH: { /* search ms->search.s for the string m->value.s */ @@ -1659,7 +1663,7 @@ magiccheck(struct magic_set *ms, struct magic *m) if (slen + idx > ms->search.s_len) break; - v = file_strncmp(m->value.s, ms->search.s + idx, slen, m->str_flags); + v = file_strncmp(m->value.s, ms->search.s + idx, slen, &ms->search.rm_len, m->str_flags); if (v == 0) { /* found match */ ms->search.offset += idx; break;
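Review bot: `file_strncmp()` now stores through its new out-parameter at `*rlen = b - (const unsigned char *)s2;`, but the parameter is not described in the function's comment and a NULL argument would crash. A line in the header comment such as `/* *rlen receives how far the comparison advanced in s2; it must not be NULL. */` would state the contract that `mprint()` relies on when it adds `ms->search.rm_len` to the offset. As far as the hunk shows the store happens on mismatch as well as on match, so in the FILE_SEARCH loop of magiccheck `rm_len` is left holding the length from the last attempted position when nothing matches; the comment should say the value is only meaningful after a successful comparison. The function body starts outside the hunk.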