Improved false positive detection for ELF, PNG and TRX signatures

src/magic/executables

@@ -23,7 +23,10 @@
 >>18	beshort		10
 >>>36	belong		&0x20		N32
 >4	byte		2		64-bit
->5	byte		0		invalid byte order
+>4	byte		>2
+>>4	byte		x		unknown ELF class: 0x%X
+>5	byte		!1
+>>5	byte		!2		invalid byte order
 >5	byte		1		LSB
 # The official e_machine number for MIPS is now #8, regardless of endianness.
 # The second number (#10) will be deprecated later. For now, we still

src/magic/firmware

@@ -95,6 +95,7 @@
 >4	lelong		x		image size: %d bytes,
 >8	lelong		x		CRC32: 0x%X
 >12	leshort		x		flags: 0x%X,
+>14	leshort		>5		invalid
 >14	leshort		x		version: %d
 
 0	string		0RDH	TRX firmware header, big endian, header size: 28 bytes,
@@ -102,6 +103,7 @@
 >4	belong		x		image size: %d bytes,
 >8	belong		x		CRC32: 0x%X
 >12	beshort		x		flags: 0x%X,
+>14	beshort		>5		invalid
 >14	beshort		x		version: %d
 
 

src/magic/images

@@ -11,8 +11,10 @@
 # 137 P N G \r \n ^Z \n [4-byte length] H E A D [HEAD data] [HEAD crc] ...
 #
 0       string          \x89PNG\x0d\x0a\x1a\x0a         PNG image
->16	belong		0		invalid
->20	belong		0		invalid
+>16		belong			<1				invalid
+>16		belong			>10000			invalid
+>20		belong			<1				invalid
+>20		belong			>10000			invalid
 >16     belong          x               \b, %ld x
 >20     belong          x               %ld,
 >24     byte            x               %d-bit