I've found and identified a bug in file which causes it to read beyond the end of a buffer. mget() in softmagic.c will perform a memcpy operation and in some circumstances will attempt to read beyond the end of the source buffer. It does do *some* bounds checking but in the case of FILE_SEARCH this is wrong.

(approx line 1125)

	case FILE_STRING:
	case FILE_PSTRING:
	case FILE_SEARCH:
		if (nbytes < (offset + m->vallen))
			return 0;

(approx line 1135)

	if (m->type == FILE_SEARCH) {
		p->buf = malloc(m->mask + m->vallen);
		if (p->buf == NULL) {
			file_error(ms, errno, "Cannot allocate search buffer");
			return 0;
		}
		(void)memcpy(p->buf, s + offset, m->mask + m->vallen);
	}

You can see it will read mask+vallen bytes starting at s+offset. However there is no check that s+offset+mask+vallen (i.e. the end of the data being copied) is still within the bounds of s. 'nbytes' refers to the size of s.

--- file-4.14/src/softmagic.c 2005-03-06 05:58:22.000000000 +0000 +++ file-dsd/src/softmagic.c 2005-08-14 17:07:29.460534616 +0000 @@ -1127,10 +1127,14 @@ mget(struct magic_set *ms, union VALUETY case FILE_STRING: case FILE_PSTRING: - case FILE_SEARCH: if (nbytes < (offset + m->vallen)) return 0; break; + + case FILE_SEARCH: + if (nbytes < (offset + m->vallen + m->mask)) + return 0; + break; default: break; }
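Review bot: the new FILE_SEARCH case closes the mismatch the report describes, because the check now covers the same `m->mask + m->vallen` bytes that the malloc() and memcpy() later consume, but the comparison `nbytes < (offset + m->vallen + m->mask)` is only as strong as the integer width it is evaluated in: if that three-term sum can wrap, the wrapped small value passes the check and the over-read is back. Consider testing `offset <= nbytes` first and then `m->mask + m->vallen <= nbytes - offset`, or compute the copy length once into a local and use that same local in the check, the malloc() and the memcpy() so the three cannot drift apart in a later edit.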
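As an added illustration (not code from file or from this report), the pre-patch check and a hardened form of the patched check side by side, with a copy routine that mirrors the FILE_SEARCH path in mget(). The struct search_magic is a stand-in for the struct magic fields involved; the hardened check also refuses sums that would wrap, which the page does not discuss.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the struct magic fields used by the FILE_SEARCH path. */
struct search_magic {
    uint32_t offset;  /* where in the input the search window starts */
    uint32_t vallen;  /* length of the search string */
    uint32_t mask;    /* for FILE_SEARCH: how far past offset the search may range */
};

/* The pre-patch check: only offset + vallen is compared with nbytes,
 * even though the copy that follows reads mask + vallen bytes. */
int old_search_check_ok(size_t nbytes, const struct search_magic *m)
{
    return nbytes >= (size_t)m->offset + m->vallen;
}

/* The check the patch introduces, written without any addition that could
 * wrap: require offset to lie inside the buffer, then compare vallen and
 * mask one at a time against the bytes that remain after offset. */
int search_copy_fits(size_t nbytes, const struct search_magic *m)
{
    if (m->offset > nbytes)
        return 0;
    size_t avail = nbytes - m->offset;
    return m->vallen <= avail && m->mask <= avail - m->vallen;
}

/* Copy the search window out of s the way mget() does, but only after the
 * hardened check passed. Returns NULL and copies nothing if it would over-read. */
unsigned char *copy_search_window(const unsigned char *s, size_t nbytes,
                                  const struct search_magic *m, size_t *outlen)
{
    if (!search_copy_fits(nbytes, m))
        return NULL;
    *outlen = (size_t)m->vallen + m->mask;  /* cannot wrap: both fit in avail */
    unsigned char *buf = malloc(*outlen);
    if (buf == NULL)
        return NULL;
    memcpy(buf, s + m->offset, *outlen);
    return buf;
}
```

With a constructed 16-byte input and a magic entry of offset 4, vallen 4, mask 16, the old check accepts the entry (4 + 4 <= 16) while the copy would read 20 bytes from offset 4; search_copy_fits() rejects it.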