Issue in "magic" module can lead to bad results or crash

[plusvic]

The "magic" module has an issue that may cause the type() and mime_type() functions to return wrong results. The issue is caused by the caching mechanism, which holds a pointer to a buffer that becomes invalid after the libmagic API is called by a second time.

import "magic" 

rule buggy { 
  condition:
      magic.type() contains "Mach-O" and 
      magic.mime_type() == "application/x-mach-binary" and
      magic.type() contains "Mach-O
},

In the example above, the first time that type() is called it returns a value that gets cached internally by saving the pointer returned by the magic_buffer function, which is part of the libmagic API. This buffer is valid only until the call to mime_type(). When type() is called by the second time the module doesn't call magic_buffer again, it uses the previously cached pointer which was already invalid. This causes that the second call to type() may return gibberish or even crash.