Improved validation for multiple signatures

src/magic/archives

@@ -111,8 +111,20 @@
 >7	byte		>9		invalid os
 >7	byte		<0		invalid os
 
-# RAR archiver (Greg Roelofs, newt@uchicago.edu)
-0	string		Rar!		RAR archive data
+# RAR archiver (http://kthoom.googlecode.com/hg/docs/unrar.html)
+0	string		\x52\x61\x72\x21\x1A\x07\x00		RAR archive data, first volume type:
+>9  ubyte       <0x72                               invalid
+>9  ubyte       >0x7B                               invalid
+>9  ubyte       0x72                                MARK_HEAD
+>9  ubyte       0x73                                MAIN_HEAD
+>9  ubyte       0x74                                FILE_HEAD
+>9  ubyte       0x75                                COMM_HEAD
+>9  ubyte       0x76                                AV_HEAD
+>9  ubyte       0x77                                SUB_HEAD
+>9  ubyte       0x78                                PROTECT_HEAD
+>9  ubyte       0x79                                SIGN_HEAD
+>9  ubyte       0x7A                                NEWSUB_HEAD
+>9  ubyte       0x7B                                ENDARC_HEAD
 
 # HPACK archiver (Peter Gutmann, pgut1@cs.aukuni.ac.nz)
 0	string		HPAK		HPACK archive data

src/magic/compressed

@@ -55,8 +55,11 @@
 >>17	byte		=0x0E		os: Win32
 
 # lzip  
-0       string          LZIP            lzip compressed data
->4      byte            x               \b, version: %d
+0       string          LZIP            lzip compressed data,
+>4      ubyte           0               invalid
+# Current version is still 1.x
+>4      ubyte           >4              invalid
+>4      byte            x               version: %d
 
 # lrzip
 0       string          LRZI            lrzip compressed data

src/magic/executables

@@ -337,12 +337,14 @@
 # cisco:  file(1) magic for cisco Systems routers
 #
 # Most cisco file-formats are covered by the generic elf code
-0	string			\x85\x01\x14	Cisco IOS microcode
->7      string          	>\0         	
->>7	string			x		for "%s"
-0	string			\x85\x01\xcb	Cisco IOS experimental microcode
->7      string          	>\0         	
->>7	string			x		for "%s"
+0	string			\x85\x01\x14	Cisco IOS microcode,
+>7  string          x               for "%s"
+#>7  string          	>\0         	
+#>>7	string			x		for "%s"
+0	string			\x85\x01\xcb	Cisco IOS experimental microcode,
+>7  string          x               for "%s"
+#>7  string          	>\0         	
+#>>7	string			x		for "%s"
 
 # EST flat binary format (which isn't, but anyway)
 # From: Mark Brown <broonie@sirena.org.uk>

src/magic/firmware

@@ -128,16 +128,19 @@
 >4	beshort		0x2a05		image type: CCFG,
 >4	beshort		0x6ce8		image type: DCFG,
 >4	beshort		0xc371		image type: LOG,
->6	byte		x		header version: %d,
+>6	byte		x		    header version: %d,
+>10 ubyte       >12         invalid month
+>12 ubyte       >31         invalid day
+>8  ubyte       >3000       invalid year
 #month
->10	byte		x		created: %d/
+>10	byte		x		    created: %d/
 #day	
->12	byte 		x		\b%d/
+>12	byte 		x		    \b%d/
 #year
->8	beshort		x		\b%d,
->16	belong		x		image size: %d bytes,
->22	byte		x		body checksum: 0x%X,
->23	byte		x		header checksum: 0x%X
+>8	beshort		x		    \b%d,
+>16	belong		x		    image size: %d bytes,
+>22	byte		x		    body checksum: 0x%X,
+>23	byte		x		    header checksum: 0x%X
 
 # Linksys WRT54GX ROME image
 0		belong			0x59a0e842		Realtek firmware header, ROME bootloader,
@@ -149,6 +152,9 @@
 >4      beshort         0x6ce8          image type: DCFG,
 >4      beshort         0xc371          image type: LOG,
 >6      byte            x               header version: %d,
+>10     ubyte           >12             invalid month
+>12     ubyte           >31             invalid day
+>8      ubyte           >3000           invalid year
 #month
 >10     byte            x               created: %d/
 #day    
@@ -234,8 +240,13 @@
 
 # --------------------------------
 # Microsoft Xbox data file formats
-0       string          XIP0            XIP, Microsoft Xbox data
-0       string          XTF0            XTF, Microsoft Xbox data
+# http://home.comcast.net/~admiral_powerslave/filestructure.html
+0       string          XIP0                        XIP, Microsoft Xbox data,
+>12     lelong          x                           total size: %d
+>16     lelong          !0                          invalid
+>24     lelong          !0                          invalid
+
+0       string          XTF0\x00\x00\x00            XTF, Microsoft Xbox data
 
 #Windows CE Binary Image Data Format aka B000FF
 #More information on the format:
@@ -308,7 +319,7 @@
 #>0	string		x			"%s"
 
 # Firmware header used by some TV's
-0	string		FNIB		ZBOOT firmware header, header size: 32 bytes,
+0	string		FNIB	ZBOOT firmware header, header size: 32 bytes,
 >8	lelong		x		load address: 0x%.8X,
 >12	lelong		x		start address: 0x%.8X,
 >16	lelong		x		checksum: 0x%.8X,
@@ -564,10 +575,10 @@
 >18  string            x                 loader version: "%.4s",
 
 
-0    string            ELSC              LANCOM WWAN firmware,
+0    string            ELSC              LANCOM WWAN firmware
 >4   ubyte             3
 >>5  beshort           0
->>7  string            x                 "%s"
+>>7  string            x                 \b, "%s"
 
 0 string               ELSP                LANCOM file entry
 >202 string            @(RECENT_FIRMWARE)/ \b, file name:

src/magic/images

 # Tag Image File Format, from Daniel Quinlan (quinlan@yggdrasil.com)
 # The second word of TIFF files is the TIFF version number, 42, which has
 # never changed.  The TIFF specification recommends testing for it.
-0       string          MM\x00\x2a      TIFF image data, big-endian
+0       string          MM\x00\x2a      TIFF image data, big-endian,
+>4      belong          0               invalid
+>4      belong          <0              invalid
+# First image directory must begin on an even byte boundary
+>4      belong          &1              invalid
+>4      belong          >10000000       invalid
+>4      belong          x               offset of first image directory: %d
+
 0       string          II\x2a\x00      TIFF image data, little-endian
+>4      lelong          0               invalid
+>4      lelong          <0              invalid
+>4      lelong          &1              invalid
+>4      lelong          >10000000       invalid
+>4      lelong          x               offset of first image directory: %d
 
 # PNG [Portable Network Graphics, or "PNG's Not GIF"] images
 # (Greg Roelofs, newt@uchicago.edu)

src/magic/sql

@@ -25,7 +25,7 @@
 >3	string			<1		invalid
 >3	string			>\11		invalid
 >3      byte                    x               Version %d
-0       string                  \376bin         MySQL replication log
+#0       string                  \376bin         MySQL replication log
 
 #------------------------------------------------------------------------------
 # iRiver H Series database file