incorrect bytes() constructor usage in buf_filled_with

[mike-hunhoff]

Bug Fix: Incorrect bytes() constructor usage in buf_filled_with

Description

In capa/features/extractors/strings.py:buf_filled_with, the code used bytes(character) * SLICE_SIZE to create a repeating chunk of a specific character. However, in Python 3, bytes(int) creates a null-filled buffer of that length, rather than a single byte with that value.

This caused the chunked comparison for large buffers (>= 4096 bytes) to fail for characters in the REPEATS set (like 'A', 0xFE, 0xFF), because the constructed dupe_chunk had an incorrect length and content. This effectively disabled the optimization intended to skip large blocks of filler data (like section padding), causing unnecessary regex scanning overhead.

Fix

Changed bytes(character) to bytes([character]) to correctly create a 1-byte buffer containing the character value before multiplying by SLICE_SIZE.

Tests

Added unit tests in tests/test_strings.py with buffers larger than 4096 bytes to ensure coverage of the chunked processing logic in buf_filled_with.

Checklist

• No CHANGELOG update needed

• No new tests needed

• No documentation update needed

• This submission includes AI-generated code and I have provided details in the description.

[github-actions]

Please add bug fixes, new features, breaking changes and anything else you think is worthwhile mentioning to the master (unreleased) section of CHANGELOG.md. If no CHANGELOG update is needed add the following to the PR description: [x] No CHANGELOG update needed

CHANGELOG updated or no update needed, thanks! 😄

[gemini-code-assist]

Code Review

This pull request fixes a bug in the buf_filled_with function where the comparison chunk was incorrectly initialized, and adds new test cases to verify behavior with large buffers. The reviewer suggested further improving test coverage by adding specific cases that target potential boundary issues in the chunked processing logic.

[williballenthin]

nice catch