/usr/lib/python3/dist-packages/binwalk/plugins/lzmavalid.py is in python3-binwalk 2.1.1-16.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 | import binwalk.core.plugin
import binwalk.core.compat
from binwalk.core.common import BlockFile
class LZMAPlugin(binwalk.core.plugin.Plugin):
'''
Validates lzma signature results.
'''
MODULES = ['Signature']
# Some lzma files exclude the file size, so we have to put it back in.
# See also the lzmamod.py plugin.
FAKE_LZMA_SIZE = "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
# Check up to the first 64KB
MAX_DATA_SIZE = 64 * 1024
def init(self):
try:
import lzma
self.decompressor = lzma.decompress
except ImportError as e:
self.decompressor = None
def is_valid_lzma(self, data):
valid = True
if self.decompressor is not None:
# The only acceptable exceptions are those indicating that the input data was truncated.
try:
self.decompressor(binwalk.core.compat.str2bytes(data))
except IOError as e:
# The Python2 module gives this error on truncated input data.
if str(e) != "unknown BUF error":
valid = False
except Exception as e:
# The Python3 module gives this error on truncated input data.
# The inconsistency between modules is a bit worrisome.
if str(e) != "Compressed data ended before the end-of-stream marker was reached":
valid = False
return valid
def scan(self, result):
# If this result is an lzma signature match, try to decompress the data
if result.valid and result.file and result.description.lower().startswith('lzma compressed data'):
# Seek to and read the suspected lzma data
fd = self.module.config.open_file(result.file.name, offset=result.offset, length=self.MAX_DATA_SIZE)
data = fd.read(self.MAX_DATA_SIZE)
fd.close()
# Validate the original data; if that fails, maybe it is missing the size field,
# so try again with a dummy size field in place.
if not self.is_valid_lzma(data):
data = data[:5] + self.FAKE_LZMA_SIZE + data[5:]
if not self.is_valid_lzma(data):
result.valid = False
|