[Clamav-devel] Confusion with Offset for cl_fmap_open_callback
Lloyd Kinsella
lloyd at kinwood.net
Thu Mar 23 17:51:00 UTC 2023
Curious, when I take that assumption, so basically memcpy into buf+offset it won't even scan, I end up with:
...
LibClamAV debug: Recognized MS-EXE/DLL file
Fatal error. LibClamAV debug: clean_cache_check: cb249dd6cbda01c212f56ab4112f2a18 is negative
Testbed.exe (process 38728) exited with code -1073741819.
However, if I assume offset is the file offset, so just read directly into buf (no adjustment with offset) then I get this:
...
LibClamAV debug: cli_pcre_report: no match found
LibClamAV debug: cli_pcre_report: PCRE Execution Report End
LibClamAV debug:
LibClamAV debug: FP SIGNATURE: 33d90e22aa498f3c68837fee91e900f7:174592:Test.Win32.VirusC.UNOFFICIAL # Name: Test.file, Type: CL_TYPE_MSEXE
LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
Testbed.exe (process 21428) exited with code -1073740791.
So here it looks like it manages to scan and returns the correct `virus` found. However, it still then exits for some reason (i.e. I don't return from cl_scanmap_callback).
I also find it curious that count on the first call of the callback is 4096, but on subsequent calls is the decrementing size of the `file` I'm passing through it. Surely count would be of fixed size and you just read blocks into buf until you can't read anymore (and return 0)?
Does this make sense? What am I missing :S
-----Original Message-----
From: Markus Kolb <markus.kolb+clamav at tower-net.de>
Sent: Thursday, March 23, 2023 3:24 PM
To: ClamAV Development <clamav-devel at lists.clamav.net>; Lloyd Kinsella <lloyd at kinwood.net>
Subject: Re: [Clamav-devel] Confusion with Offset for cl_fmap_open_callback
On 23 March 2023 11:45:45 UTC, Lloyd Kinsella <lloyd at kinwood.net> wrote:
>* @param buf A buffer to read data into, must be at least offset + count
>* @param count The number of bytes to read.
>* @param offset The the offset into buf to read the data to. If
I think the param description is quite clear...
buf needs to be of size offset + count, so offset specifies the start point where to store count number of bytes in buf.
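
A read callback written on the assumption that the second experiment in the message points to, namely that `offset` is a position in the data being scanned and `buf` is always filled from its start. This is an added example, not code from the thread or from ClamAV; it does not link against libclamav, and `mem_src`, `mem_pread`, `read_all` and the sample buffer are hypothetical names. Each read is clamped to the bytes remaining, so a request that runs past the end gives a short read instead of an out-of-bounds copy.

```c
#include <stddef.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical handle type: the data to scan, held in memory. */
struct mem_src { const unsigned char *data; size_t len; };

/* Constructed sample input: 10000 zero bytes standing in for a file. */
static unsigned char sample[10000];
static struct mem_src sample_src = { sample, sizeof sample };

/* pread-style callback: copy up to `count` bytes starting at position
 * `offset` of the source into buf[0..]. Assumption: offset indexes the
 * source, not buf. Returns bytes copied, 0 at the end, -1 on bad input. */
off_t mem_pread(void *handle, void *buf, size_t count, off_t offset)
{
    const struct mem_src *src = handle;

    if (src == NULL || buf == NULL || offset < 0)
        return -1;
    if ((size_t)offset >= src->len)
        return 0;                        /* at or past the end */

    size_t avail = src->len - (size_t)offset;
    if (count > avail)
        count = avail;                   /* short read on the final block */

    memcpy(buf, src->data + (size_t)offset, count);  /* never buf + offset */
    return (off_t)count;
}

/* Drive the callback block by block and total the bytes it returned. */
size_t read_all(struct mem_src *src, size_t block)
{
    unsigned char buf[4096];
    size_t total = 0;
    off_t n;

    if (block == 0 || block > sizeof buf)
        return 0;
    while ((n = mem_pread(src, buf, block, (off_t)total)) > 0)
        total += (size_t)n;
    return total;
}

int main(void)
{
    return read_all(&sample_src, 4096) == sizeof sample ? 0 : 1;
}
```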