lief-project / LIEF

LIEF - Library to Instrument Executable Formats
https://lief.re
Apache License 2.0

Corrupted-value String File Info items get filled with other keys #693

Closed gdesmar closed 2 years ago

gdesmar commented 2 years ago

Describe the bug

I believe some keys are present in the String File Info items that don't have any parsable value. The value that is then returned seems to be another key.

To Reproduce

Download at least one of the files attached to this issue: 731bb363a01f45b64c0065e1cdfe8cc653930f102f715bc5073ac77c1d4bae2a.zip, 4bfaa99393f635cd05d91a64de73edb5639412c129e049f0fe34f88517a10fc6.zip. Extract the file(s) using the password liefsample. Verify that your new file(s) have the right hash:

$ sha256sum 4bfaa99393f635cd05d91a64de73edb5639412c129e049f0fe34f88517a10fc6 731bb363a01f45b64c0065e1cdfe8cc653930f102f715bc5073ac77c1d4bae2a
4bfaa99393f635cd05d91a64de73edb5639412c129e049f0fe34f88517a10fc6  4bfaa99393f635cd05d91a64de73edb5639412c129e049f0fe34f88517a10fc6
731bb363a01f45b64c0065e1cdfe8cc653930f102f715bc5073ac77c1d4bae2a  731bb363a01f45b64c0065e1cdfe8cc653930f102f715bc5073ac77c1d4bae2a

For 4bfaa99393f635cd05d91a64de73edb5639412c129e049f0fe34f88517a10fc6

>>> import lief
>>> lief.__version__
'0.13.0-ef27ca91'
>>> b = lief.parse("4bfaa99393f635cd05d91a64de73edb5639412c129e049f0fe34f88517a10fc6")
>>> b.resources_manager.version.string_file_info.langcode_items[0].items
{'Build Description': b'', 'ProductName': b'WinPcap', 'ProductVersion': b'4.1.0.2980', 'LegalTrademarks': b'8\x08\x01OriginalFilename', 'LegalCopyright': b'Copyright \xc2\xa9 2010-2013 Riverbed Technology, Inc. Copyright \xc2\xa9 2005-2010 CACE Technologies. Copyright \xc2\xa9 1999-2005 NetGroup, Politecnico di Torino.', 'OriginalFilename': b'npf.sys', 'FileVersion': b'4.1.0.2980', 'CompanyName': b'Riverbed Technology, Inc.', 'FileDescription': b'npf.sys (NT5/6 AMD64) Kernel Driver', 'InternalName': b'NPF + TME'}
>>> b.resources_manager.version.string_file_info.langcode_items[0].items["LegalTrademarks"]
b'8\x08\x01OriginalFilename'

For 731bb363a01f45b64c0065e1cdfe8cc653930f102f715bc5073ac77c1d4bae2a

>>> import lief
>>> lief.__version__
'0.13.0-ef27ca91'
>>> b = lief.parse("731bb363a01f45b64c0065e1cdfe8cc653930f102f715bc5073ac77c1d4bae2a")
>>> b.resources_manager.version.string_file_info.langcode_items[0].items
{'FileDescription': b'Firefox', 'BuildID': b'20210927121355', 'CompanyName': b'Mozilla Corporation', 'InternalName': b'Firefox', 'LegalCopyright': b'\xc2\xa9Firefox and Mozilla Developers; available under the MPL 2 license.', 'Comments': b'\xc2\xacD\x01LegalCopyright', 'FileVersion': b'78.15.0', 'OriginalFilename': b'firefox.exe', 'ProductVersion': b'78.15.0', 'LegalTrademarks': b'Firefox is a Trademark of The Mozilla Foundation.', 'ProductName': b'Firefox'}
>>> b.resources_manager.version.string_file_info.langcode_items[0].items["Comments"]
b'\xc2\xacD\x01LegalCopyright'

Expected behavior

I did not check the internals of the binary, but PEStudio gives an empty value for both of these and VirusTotal doesn't show them. It is probably hiding empty values, as it doesn't show the Build Description of 4bfaa99393f635cd05d91a64de73edb5639412c129e049f0fe34f88517a10fc6 that both PEStudio and LIEF find as empty.

LegalTrademarks of 4bfaa99393f635cd05d91a64de73edb5639412c129e049f0fe34f88517a10fc6 (screenshot)

Comments of 731bb363a01f45b64c0065e1cdfe8cc653930f102f715bc5073ac77c1d4bae2a (screenshot)

Environment

Additional context

Both samples are PE64 (PE32_PLUS), but I have other samples with the same behaviour that are PE32.
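The corrupted values shown above decode as the 6-byte wLength/wValueLength/wType header plus key of the String entry that follows them (for the WinPcap driver: 0x38 = '8', 8, 1, then 'OriginalFilename'), which is what a parser produces when it scans for a terminator instead of honoring wValueLength == 0. The following is an added example, not LIEF's code: it serializes VS_VERSIONINFO String structures into a constructed StringTable and parses them both ways so the difference is visible.

```python
from __future__ import annotations
import struct

# VS_VERSIONINFO String entry: wLength, wValueLength (in 16-bit words for
# text), wType, UTF-16LE szKey, DWORD padding, then Value. wValueLength == 0
# means "no value"; scanning for the next terminator instead returns the header
# and key of the *following* entry.

def build_string(key: str, value: str | None) -> bytes:
    """Serialize one String structure (value None -> wValueLength 0)."""
    key_b = (key + "\0").encode("utf-16-le")
    val_b = b"" if value is None else (value + "\0").encode("utf-16-le")
    pad = (-(6 + len(key_b))) % 4          # Value starts DWORD-aligned
    length = 6 + len(key_b) + pad + len(val_b)
    return struct.pack("<HHH", length, len(val_b) // 2, 1) + key_b + b"\0" * pad + val_b

def build_table(entries) -> bytes:
    """Concatenate String entries as a StringTable does (DWORD-aligned children)."""
    out = b""
    for key, value in entries:
        out += b"\0" * (-len(out) % 4)
        out += build_string(key, value)
    return out

def parse_strings(data: bytes, trust_value_length: bool = True) -> dict:
    """Parse consecutive String entries. trust_value_length=False mimics a
    parser that scans to the next NUL instead of honoring wValueLength."""
    items, off = {}, 0
    while off + 6 <= len(data):
        w_len, w_val_len, w_type = struct.unpack_from("<HHH", data, off)
        if w_len < 6 or off + w_len > len(data) or w_type != 1:
            raise ValueError(f"bad String header at offset {off}")
        pos = off + 6
        while pos + 2 <= len(data) and data[pos:pos + 2] != b"\0\0":
            pos += 2                        # walk UTF-16 words to key terminator
        key = data[off + 6:pos].decode("utf-16-le")
        pos += 2                            # skip the key's NUL word
        pos += (-(pos - off)) % 4           # re-align Value to a DWORD boundary
        stop = min(pos + 2 * w_val_len, off + w_len)
        if not trust_value_length:          # buggy path: ignores wValueLength == 0
            stop = pos
            while stop + 2 <= len(data) and data[stop:stop + 2] != b"\0\0":
                stop += 2
        items[key] = data[pos:stop].decode("utf-16-le").rstrip("\0")
        off += w_len + (-w_len % 4)
    return items

# Constructed sample (not bytes from the attached binaries): an empty
# "Build Description" between two populated entries, as in the WinPcap case.
SAMPLE = build_table([("ProductName", "WinPcap"), ("Build Description", None),
                      ("OriginalFilename", "npf.sys")])

if __name__ == "__main__":
    print(parse_strings(SAMPLE))
    print(parse_strings(SAMPLE, trust_value_length=False)["Build Description"])
```

The second print reproduces the '8\x08\x01OriginalFilename' string from the report, while the first returns an empty value for Build Description.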

romainthomas commented 2 years ago

You can also test the pre-release 0.12.1 with these packages:

pip install --index-url https://lief.s3-website.fr-par.scw.cloud/0.12.1 lief==0.12.1

gdesmar commented 2 years ago

I just tested 0.12.1-b13b2d7c and my results look good! Thanks!