From: Andrew Lewis <nerf@judo.za.org>
Date: Mon, 4 Jan 2021 11:41:04 +0000 (+0200)
Subject: [Minor] Magic: try avoid false positive exe detection
X-Git-Tag: 2.7~17^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F3595%2Fhead;p=thirdparty%2Frspamd.git

[Minor] Magic: try avoid false positive exe detection
---

diff --git a/lualib/lua_magic/heuristics.lua b/lualib/lua_magic/heuristics.lua
index d9a7702a41..fb0a4b7c21 100644
--- a/lualib/lua_magic/heuristics.lua
+++ b/lualib/lua_magic/heuristics.lua
@@ -471,4 +471,22 @@ exports.pdf_format_heuristic = function(input, log_obj, pos, part)
   return 'pdf',weight
 end
 
+exports.pe_part_heuristic = function(input, log_obj, pos, part)
+  if not input then
+    return
+  end
+
+  local pe_ptr_bin = input:sub(60, 64)
+  if #pe_ptr_bin ~= 4 then
+    return
+  end
+
+  local pe_ptr = rspamd_util.unpack("<H", pe_ptr_bin)
+  if pe_ptr ~= pos then
+    return
+  end
+
+  return 'exe',15
+end
+
 return exports
diff --git a/lualib/lua_magic/patterns.lua b/lualib/lua_magic/patterns.lua
index 5e62b47f98..8bdc7ea443 100644
--- a/lualib/lua_magic/patterns.lua
+++ b/lualib/lua_magic/patterns.lua
@@ -105,6 +105,7 @@ local patterns = {
         string = [[PE\x{00}\x{00}]],
         position = {'>=', 0x3c + 4},
         weight = 15,
+        heuristic = heuristics.pe_part_heuristic,
       }
     }
   },
@@ -458,4 +459,4 @@ local patterns = {
   },
 }
 
-return patterns
\ No newline at end of file
+return patterns