fix false negatives for zlib strings#1217

Open
vee1e wants to merge 1 commit into mandiant:quantumstrand from vee1e:fix-768

Conversation

@vee1e vee1e commented Feb 19, 2026

Fixes #768

Key changes:

  • The database storing relevant zlib strings did not catch several that were in the sample. I ran a simple script to update it with the relevant entries.

  • Script used to apply the change:

import gzip
import json

# Load the existing zlib string database (gzip-compressed JSON lines, one record per line).
entries = []
with gzip.open('flare-floss/floss/qs/db/data/oss/zlib.jsonl.gz', 'rt') as f:
    for line in f:
        if line.strip():
            entries.append(json.loads(line))

# zlib strings observed in the sample that the database did not contain.
missing_strings = [
    'incorrect length check',
    'incorrect data check',
    'invalid distances set',
    'invalid literal/lengths set',
    'invalid bit length repeat',
    'too many length or distance symbols',
    'invalid code lengths set',
    'invalid stored block lengths',
    'header crc mismatch',
    'unknown header flags set',
    'incorrect header check',
    'invalid window size',
    'unknown compression method',
    'incompatible version',
    'buffer error',
    'insufficient memory',
    'data error',
    'stream error',
    'file error',
    'stream end',
]

# Skip strings that are already present so re-running the script does not append duplicates.
known = {entry['string'] for entry in entries}
added = 0
for s in missing_strings:
    if s in known:
        continue
    known.add(s)
    entries.append({
        'string': s,
        'library_name': 'zlib',
        'library_version': '1.2.13',
        'file_path': 'CMakeFiles/zlib.dir/zutil.obj',
        'function_name': 'zError',
        'line_number': None
    })
    added += 1

# Write the updated database back in the same gzip JSON-lines format.
with gzip.open('flare-floss/floss/qs/db/data/oss/zlib.jsonl.gz', 'wt') as f:
    for entry in entries:
        f.write(json.dumps(entry) + '\n')
print(f'Added {added} missing strings')
print(f'Total entries: {len(entries)}')

@williballenthin these were examples taken from the specific sample only. There are a few other zlib oracle strings that can be found in source files like gzwrite.c, such as "stalled write on gzprintf". If we could create a test executable, or even better find an actual sample using these, it would ensure completeness.
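The thread asks for a repeatable way to keep the database in sync with zlib source rather than hand-listing strings seen in one sample. The following is an added example (not part of this PR or of FLOSS): it scans C source for string literals, compares them against the gzip'd JSON-lines database using the record layout the PR script writes, and appends only what is missing, so re-running it is a no-op. The two source snippets are constructed in the style of zutil.c and gzwrite.c, not copies of the real files; the regex-based literal extraction, the comment stripping, and the `function_name: None` placeholder are assumptions of this example.

```python
"""Derive string-database entries from library source instead of by hand.

Added example, not part of this PR or of FLOSS. It assumes only the record
layout used by the PR's script (string, library_name, library_version,
file_path, function_name, line_number); the C source below is constructed.
"""
import gzip
import json
import re
import tempfile
from pathlib import Path

# A C string literal, allowing backslash-escaped characters inside it.
C_STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


def strip_c_comments(source: str) -> str:
    """Blank out /* */ and // comments but keep every newline, so the line
    numbers reported for surviving literals stay correct.
    Assumption: no '//' sequence appears inside a string literal."""
    def keep_newlines(m):
        return "\n" * m.group(0).count("\n")
    source = re.sub(r"/\*.*?\*/", keep_newlines, source, flags=re.S)
    return re.sub(r"//[^\n]*", "", source)


def extract_c_string_literals(source: str, min_len: int = 4) -> list:
    """Return (line_number, text) for each string literal in C source,
    skipping #include lines and literals shorter than min_len characters."""
    found = []
    for lineno, line in enumerate(strip_c_comments(source).splitlines(), 1):
        if line.lstrip().startswith("#include"):
            continue
        for m in C_STRING_RE.finditer(line):
            raw = m.group(1)
            # Resolve escapes such as \n for ASCII literals; keep others verbatim.
            text = raw.encode("ascii").decode("unicode_escape") if raw.isascii() else raw
            if len(text) >= min_len:
                found.append((lineno, text))
    return found


def load_db(path: Path) -> list:
    """Read the gzip'd JSON-lines database the PR script operates on."""
    if not path.exists():
        return []
    with gzip.open(path, "rt", encoding="utf-8") as f:
        return [json.loads(line) for line in f if line.strip()]


def append_missing(db_path: Path, sources, library_name: str, library_version: str) -> list:
    """Scan (file_path, source_text) pairs and append only strings the database
    does not already hold for this library. Returns the entries added."""
    entries = load_db(db_path)
    known = {e["string"] for e in entries if e.get("library_name") == library_name}
    added = []
    for file_path, src in sources:
        for lineno, text in extract_c_string_literals(src):
            if text in known:
                continue
            known.add(text)
            entry = {
                "string": text,
                "library_name": library_name,
                "library_version": library_version,
                "file_path": file_path,
                "function_name": None,  # assumption: not recoverable without a C parser
                "line_number": lineno,
            }
            entries.append(entry)
            added.append(entry)
    with gzip.open(db_path, "wt", encoding="utf-8") as f:
        for e in entries:
            f.write(json.dumps(e) + "\n")
    return added


# Constructed source in the style of zlib's zutil.c and gzwrite.c; not the real files.
SAMPLE_SOURCES = [
    ("zutil.c", '#include "zutil.h"\n'
                '/* messages indexed by Z_* code ("need dictionary" first) */\n'
                'const char * const z_errmsg[] = {\n'
                '    "need dictionary",\n'
                '    "stream end",\n'
                '    "",\n'
                '    "file error",\n'
                '    "stream error",\n'
                '    "data error",\n'
                '    "insufficient memory",\n'
                '    "buffer error",\n'
                '    "incompatible version",\n'
                '};\n'),
    ("gzwrite.c", 'int gzprintf(gzFile file, const char *format, ...) {\n'
                  '    if (len <= 0) { gz_error(state, Z_STREAM_ERROR, "stalled write on gzprintf"); return 0; }\n'
                  '    return len;\n'
                  '}\n'),
]


def demo() -> dict:
    """Seed a temporary DB with one known entry, run the scan twice, report results."""
    with tempfile.TemporaryDirectory() as d:
        db = Path(d) / "zlib.jsonl.gz"
        with gzip.open(db, "wt", encoding="utf-8") as f:
            f.write(json.dumps({"string": "stream end", "library_name": "zlib",
                                "library_version": "1.2.13", "file_path": "zutil.c",
                                "function_name": "zError", "line_number": None}) + "\n")
        first = append_missing(db, SAMPLE_SOURCES, "zlib", "1.2.13")
        second = append_missing(db, SAMPLE_SOURCES, "zlib", "1.2.13")  # rerun adds nothing
        return {
            "added": [(e["file_path"], e["line_number"], e["string"]) for e in first],
            "added_on_rerun": len(second),
            "total": len(load_db(db)),
        }


if __name__ == "__main__":
    for item in demo()["added"]:
        print(item)
```

Comments are stripped before matching so that a quoted message inside a C comment (the "need dictionary" mention in the sample's comment line) is not recorded as a separate string, and the empty placeholder entry in the message table is dropped by the minimum-length filter. Run against a real checkout, the same loop would take the zlib tree's .c files as `sources` and the target version as `library_version`.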

@gemini-code-assist
Contributor

Note

Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.

@mr-tz
Collaborator

mr-tz commented Feb 22, 2026

Hi, great, thanks. An approach to make this reproducible for new versions or other binaries would indeed be helpful and support the larger database efforts.

@vee1e
Author

vee1e commented Feb 22, 2026

Sure then, would you like to merge the PR or have the work for this be done here only?

@williballenthin
Collaborator

I think we should merge here, but let's spawn a discussion in another issue about how we can do this repeatably and consistently.

@vee1e
Author

vee1e commented Feb 23, 2026

Sure!
