Hi, I just recompiled ClamAV 0.87.1 under OS/2, and I discovered a file that is able to crash the function in the subject.

Debugging the code showed that at some point in cli_scandesc() (matcher.c), at line #292 while((bytes=...), only 21020 bytes are read from the file. At this time length=98538, so at line 298 the result is -115514. Then cli_bm_scanbuff() is called, but here the length parameter is declared as unsigned int instead of int, so length becomes a very high value. I don't understand whether length should be negative or reset to zero, so I'm posting here. The file is available on request.

TIA,
Yuri Dario

http://lurker.clamav.net/list/clamav-devel.html
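The mechanism behind the report is the implicit conversion of a negative int into an unsigned int parameter, which C defines as modular (the value becomes 2^32 + n on a 32-bit unsigned int). The block below is an added example, not ClamAV code and not a reproduction of cli_scandesc()/cli_bm_scanbuff(); the function names are hypothetical stand-ins, and the -115514 and 21020 figures are taken from the post above. It shows what the callee sees when the negative remaining length is passed straight through, and a checked caller that rejects a negative or oversized length before the call, which is the kind of guard the question about "negative or reset to zero" is really asking for:

```c
#include <stddef.h>
#include <stdio.h>

#define BUFLEN 131072u /* constructed scan-buffer size for the example */

/* Hypothetical callee: takes its length as unsigned int, as the post says
 * cli_bm_scanbuff() does. It only reports the length it was handed so the
 * conversion effect is visible. Not ClamAV's function. */
static unsigned int callee_length_as_seen(const unsigned char *buf, unsigned int length)
{
    (void)buf;
    return length;
}

/* Unchecked caller: forwards a signed "remaining" count straight into the
 * unsigned parameter. A negative value wraps to a huge length, so the callee
 * would walk far past the buffer. */
unsigned int unchecked_pass(int remaining)
{
    static unsigned char buf[BUFLEN];
    return callee_length_as_seen(buf, remaining); /* implicit int -> unsigned int */
}

/* Checked caller: a short read that drives remaining below zero, or a
 * remaining count larger than the buffer, is rejected before the call.
 * Returns 0 (nothing to scan) for a rejected length; otherwise the length
 * that was actually passed to the callee. */
unsigned int checked_pass(int remaining, size_t buflen)
{
    if (remaining < 0)
        return 0;                     /* negative: short read, do not scan */
    if ((size_t)remaining > buflen)
        return 0;                     /* would overrun the buffer */
    static unsigned char buf[BUFLEN];
    return callee_length_as_seen(buf, (unsigned int)remaining);
}

/* Simulated short read: the "file" is smaller than the caller expected.
 * Returns bytes copied, which is what a read loop must subtract, not the
 * requested size. */
size_t short_read(const unsigned char *file, size_t filesize, size_t pos,
                  unsigned char *dst, size_t want)
{
    size_t avail = filesize > pos ? filesize - pos : 0;
    size_t n = want < avail ? want : avail;
    for (size_t i = 0; i < n; i++)
        dst[i] = file[pos + i];
    return n;
}

int main(void)
{
    /* Values from the post: 21020 bytes read, result -115514 at the call */
    printf("unchecked: %d -> %u\n", -115514, unchecked_pass(-115514));
    printf("checked:   %d -> %u\n", -115514, checked_pass(-115514, BUFLEN));
    printf("checked:   %d -> %u\n", 21020, checked_pass(21020, BUFLEN));
    return 0;
}
```

On a platform with a 32-bit unsigned int the unchecked path turns -115514 into 4294851782, which is the "very high value" the post describes; the checked path returns 0 so the scan of that chunk is skipped rather than run over memory beyond the buffer.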