Merge pull request #4480 from dannysmyda/4659-audio-mpeg-fix

4659 Verify Tikas audio/mpeg mimetype

Core/src/org/sleuthkit/autopsy/modules/filetypeid/FileTypeDetector.java

@@ -23,6 +23,7 @@ import java.util.Collections;
 import java.util.List;
 import java.util.SortedSet;
 import java.util.TreeSet;
+import java.util.logging.Level;
 import java.util.stream.Collectors;
 import org.apache.tika.Tika;
 import org.apache.tika.io.TikaInputStream;
@@ -108,9 +109,7 @@ public class FileTypeDetector {
      * Tika, and Autopsy file type definitions take precendence over Tika.
      *
      * @throws FileTypeDetectorInitException If an initialization error occurs,
-     *                                       e.g., user-defined file type
+     * e.g., user-defined file type definitions exist but cannot be loaded.
-     *                                       definitions exist but cannot be
-     *                                       loaded.
      */
     public FileTypeDetector() throws FileTypeDetectorInitException {
         try {
@@ -173,7 +172,7 @@ public class FileTypeDetector {
      * @return A MIME type name. If file type could not be detected, or results
      * were uncertain, octet-stream is returned.
      *
- 
+     *
      */
     public String getMIMEType(AbstractFile file) {
         /*
@@ -235,6 +234,22 @@ public class FileTypeDetector {
                  */
                 mimeType = removeOptionalParameter(mimeType);
 
+                /**
+                 * We cannot trust Tika's audio/mpeg mimetype. Lets verify the
+                 * first two bytes and confirm it is not 0xffff. Details in
+                 * JIRA-4659
+                 */
+                if (mimeType.contains("audio/mpeg")) {
+                    try {
+                        byte[] header = getNBytes(file, 0, 2);
+                        if (byteIs0xFF(header[0]) && byteIs0xFF(header[1])) {
+                            mimeType = MimeTypes.OCTET_STREAM;
+                        }
+                    } catch (TskCoreException ex) {
+                        //Oh well, the mimetype is what it is.
+                        logger.log(Level.WARNING, String.format("Could not verify audio/mpeg mimetype for file %s with id=%d", file.getName(), file.getId()), ex);
+                    }
+                }
             } catch (Exception ignored) {
                 /*
                  * This exception is swallowed and not logged rather than
@@ -255,6 +270,33 @@ public class FileTypeDetector {
         return mimeType;
     }
 
+    /**
+     * Determine if the byte is 255 (0xFF) by examining the last 4 bits and the
+     * first 4 bits.
+     *
+     * @param x byte
+     * @return Flag indicating the byte if 0xFF
+     */
+    private boolean byteIs0xFF(byte x) {
+        return (x & 0x0F) == 0x0F && (x & 0xF0) == 0xF0;
+    }
+
+    /**
+     * Retrieves the first N bytes from a file.
+     *
+     * @param file Abstract file to read
+     * @param offset Offset to begin reading
+     * @param n Number of bytes to read
+     * @return Byte array of size n
+     *
+     * @throws TskCoreException
+     */
+    private byte[] getNBytes(AbstractFile file, int offset, int n) throws TskCoreException {
+        byte[] headerCache = new byte[n];
+        file.read(headerCache, offset, n);
+        return headerCache;
+    }
+
     /**
      * Removes the optional parameter from a MIME type string
      *
@@ -291,7 +333,8 @@ public class FileTypeDetector {
     }
 
     /**
-     * Determines whether or not a file matches a custom file type defined by Autopsy.
+     * Determines whether or not a file matches a custom file type defined by
+     * Autopsy.
      *
      * @param file The file to test.
      *