clamscan in ClamAV before 0.98.5, when using -a option, allows remote attackers to cause a denial of service as demonstrated by the jwplayer.js file.