Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/cfortran-20110621/cfortran.h
Examining data/cfortran-20110621/eg/abc/abc.c
Examining data/cfortran-20110621/eg/cf14/cf14.c
Examining data/cfortran-20110621/eg/e2/e2.c
Examining data/cfortran-20110621/eg/easy/easy.c
Examining data/cfortran-20110621/eg/eq/eq.c
Examining data/cfortran-20110621/eg/f0/f0.c
Examining data/cfortran-20110621/eg/f20/f20.c
Examining data/cfortran-20110621/eg/f27/f27.c
Examining data/cfortran-20110621/eg/fa/fa.c
Examining data/cfortran-20110621/eg/fand/fand.c
Examining data/cfortran-20110621/eg/fb/fb.c
Examining data/cfortran-20110621/eg/fc/fc.c
Examining data/cfortran-20110621/eg/fcb/fcb.c
Examining data/cfortran-20110621/eg/fd/fd.c
Examining data/cfortran-20110621/eg/fe/fe.c
Examining data/cfortran-20110621/eg/ff/ff.c
Examining data/cfortran-20110621/eg/fg/fg.c
Examining data/cfortran-20110621/eg/fh/fh.c
Examining data/cfortran-20110621/eg/fi/fi.c
Examining data/cfortran-20110621/eg/fj/fj.c
Examining data/cfortran-20110621/eg/fk/fk.c
Examining data/cfortran-20110621/eg/fl/fl.c
Examining data/cfortran-20110621/eg/fm/fm.c
Examining data/cfortran-20110621/eg/fn/fn.c
Examining data/cfortran-20110621/eg/forr/forr.c
Examining data/cfortran-20110621/eg/fstr/fstr.c
Examining data/cfortran-20110621/eg/ft/ft.c
Examining data/cfortran-20110621/eg/fun/fun.c
Examining data/cfortran-20110621/eg/fz/fz.c
Examining data/cfortran-20110621/eg/pz/pz.c
Examining data/cfortran-20110621/eg/q/q.c
Examining data/cfortran-20110621/eg/rev/rev.c
Examining data/cfortran-20110621/eg/rr/rr.c
Examining data/cfortran-20110621/eg/ss1/ss1.c
Examining data/cfortran-20110621/eg/strtok/strtok.c
Examining data/cfortran-20110621/eg/sub/sub.c
Examining data/cfortran-20110621/eg/subt/subt.c
Examining data/cfortran-20110621/eg/sz/sz.c
Examining data/cfortran-20110621/eg/sz1/sz1.c
Examining data/cfortran-20110621/eg/user/user.c
Examining data/cfortran-20110621/eg/v7/v7.c
Examining data/cfortran-20110621/eg/vv/vv.c
Examining data/cfortran-20110621/cfortest.c

FINAL RESULTS:

data/cfortran-20110621/cfortest.c:490:1:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(temp,save);

data/cfortran-20110621/cfortest.c:491:1:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(save,s );

data/cfortran-20110621/cfortest.c:492:1:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(s ,temp);

data/cfortran-20110621/eg/fstr/fstr.c:23:1:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(temp,save);

data/cfortran-20110621/eg/fstr/fstr.c:24:1:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(save,s );

data/cfortran-20110621/eg/fstr/fstr.c:25:1:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(s ,temp);

data/cfortran-20110621/cfortest.c:211:18:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  typedef struct { char v[13],w[4][13],x[2][3][13]; } FCB_DEF;

data/cfortran-20110621/cfortest.c:217:1:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char cv[14];

data/cfortran-20110621/cfortest.c:218:8:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char cw[4][14] = {"C's w[0]", "C's w[1]", "C's w[2]", "C's w[3]"};

data/cfortran-20110621/cfortest.c:219:8:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char cx[2][3][14] = {{"C's x[0][0]", "C's x[0][1]", "C's x[0][2]"},

data/cfortran-20110621/cfortest.c:395:45:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string.
  {printf("cd: had string argument:%s.\n",s); strcpy(s,"to you 12345678");}

data/cfortran-20110621/cfortest.c:476:26:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string.
  void Pstru(s) char *s; { strcpy(s,"new pstring"); return;}

data/cfortran-20110621/cfortran.h:1513:28:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  #define STRING_cfE static char AA0[1+MAX_LEN_FORTRAN_FUNCTION_STRING]; \

data/cfortran-20110621/cfortran.h:1520:28:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  #define STRING_cfE static char AA0[1+MAX_LEN_FORTRAN_FUNCTION_STRING]; \

data/cfortran-20110621/cfortran.h:1527:27:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  #define STRING_cfE static char A0[1+MAX_LEN_FORTRAN_FUNCTION_STRING]; \

data/cfortran-20110621/cfortran.h:2054:42:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  ((B=_cf_malloc(D+1))[D]='\0', memcpy(B,A,D), kill_trailing(B,' '))

data/cfortran-20110621/cfortran.h:2090:36:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  #define RRRRPSTR( A,B,D) if (B) memcpy(A,B, _cfMIN(strlen(B),D)), \

data/cfortran-20110621/cfortran.h:2179:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(AS->dsc$a_pointer,A0,_cfMIN(AS->dsc$w_length,(A0==NULL?0:strlen(A0))));\

data/cfortran-20110621/cfortran.h:2186:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(_fcdtocp(AS),A0, _cfMIN(_fcdlen(AS),(A0==NULL?0:strlen(A0))) ); \

data/cfortran-20110621/cfortran.h:2191:28:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  #define STRING_cfK memcpy(AS,A0, _cfMIN(D0,(A0==NULL?0:strlen(A0))) ); \

data/cfortran-20110621/eg/fcb/fcb.c:16:18:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  typedef struct { char v[13],w[4][13],x[2][3][13]; } FCB_DEF;

data/cfortran-20110621/eg/fcb/fcb.c:22:1:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char cv[14];

data/cfortran-20110621/eg/fcb/fcb.c:23:8:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char cw[4][14] = { "C's w[0]", "C's w[1]", "C's w[2]", "C's w[3]"};

data/cfortran-20110621/eg/fcb/fcb.c:24:8:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char cx[2][3][14] = {{"C's x[0][0]", "C's x[0][1]", "C's x[0][2]"},

data/cfortran-20110621/eg/fd/fd.c:18:45:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string.
  {printf("cd: had string argument:%s.\n",s); strcpy(s,"to you 12345678");}

data/cfortran-20110621/eg/fstr/fstr.c:9:23:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string.
  void Pstru(char *s) { strcpy(s,"new pstring"); return;}

data/cfortran-20110621/cfortest.c:486:9:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ls = strlen(s );

data/cfortran-20110621/cfortest.c:487:9:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  lsave = strlen(save);

data/cfortran-20110621/cfortran.h:508:9:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  e = s + strlen(s);

data/cfortran-20110621/cfortran.h:1712:41:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  #define STRING_cfC(M,I,A,B,C) (B.clen=strlen(A),B.f.dsc$a_pointer=A, \

data/cfortran-20110621/cfortran.h:1717:29:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  B.dsc$w_length=strlen(A): (A[C-1]='\0',B.dsc$w_length=strlen(A), \

data/cfortran-20110621/cfortran.h:1717:69:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  B.dsc$w_length=strlen(A): (A[C-1]='\0',B.dsc$w_length=strlen(A), \

data/cfortran-20110621/cfortran.h:1720:52:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  #define STRING_cfC(M,I,A,B,C) (B.nombre=A,B.clen=strlen(A), \

data/cfortran-20110621/cfortran.h:1723:54:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  #define PSTRING_cfC(M,I,A,B,C) (C==sizeof(char*)? B=strlen(A): \

data/cfortran-20110621/cfortran.h:1724:36:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  (A[C-1]='\0',B=strlen(A),memset((A)+B,' ',C-B-1),B=C-1));

data/cfortran-20110621/cfortran.h:2090:55:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  #define RRRRPSTR( A,B,D) if (B) memcpy(A,B, _cfMIN(strlen(B),D)), \

data/cfortran-20110621/cfortran.h:2091:22:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  (D>strlen(B)?memset(A+strlen(B),' ', D-strlen(B)):0), _cf_free(B);

data/cfortran-20110621/cfortran.h:2091:41:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  (D>strlen(B)?memset(A+strlen(B),' ', D-strlen(B)):0), _cf_free(B);

data/cfortran-20110621/cfortran.h:2091:58:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  (D>strlen(B)?memset(A+strlen(B),' ', D-strlen(B)):0), _cf_free(B);

data/cfortran-20110621/cfortran.h:2179:66:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  memcpy(AS->dsc$a_pointer,A0,_cfMIN(AS->dsc$w_length,(A0==NULL?0:strlen(A0))));\

data/cfortran-20110621/cfortran.h:2180:31:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  AS->dsc$w_length>(A0==NULL?0:strlen(A0))? \

data/cfortran-20110621/cfortran.h:2181:40:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  memset(AS->dsc$a_pointer+(A0==NULL?0:strlen(A0)),' ', \

data/cfortran-20110621/cfortran.h:2182:39:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  AS->dsc$w_length-(A0==NULL?0:strlen(A0))):0;

data/cfortran-20110621/cfortran.h:2186:57:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  memcpy(_fcdtocp(AS),A0, _cfMIN(_fcdlen(AS),(A0==NULL?0:strlen(A0))) ); \

data/cfortran-20110621/cfortran.h:2187:26:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  _fcdlen(AS)>(A0==NULL?0:strlen(A0))? \

data/cfortran-20110621/cfortran.h:2188:35:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  memset(_fcdtocp(AS)+(A0==NULL?0:strlen(A0)),' ', \

data/cfortran-20110621/cfortran.h:2189:34:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  _fcdlen(AS)-(A0==NULL?0:strlen(A0))):0;

data/cfortran-20110621/cfortran.h:2191:64:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  #define STRING_cfK memcpy(AS,A0, _cfMIN(D0,(A0==NULL?0:strlen(A0))) ); \

data/cfortran-20110621/cfortran.h:2192:33:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  D0>(A0==NULL?0:strlen(A0))?memset(AS+(A0==NULL?0:strlen(A0)), \

data/cfortran-20110621/cfortran.h:2192:67:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  D0>(A0==NULL?0:strlen(A0))?memset(AS+(A0==NULL?0:strlen(A0)), \

data/cfortran-20110621/cfortran.h:2193:65:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ' ', D0-(A0==NULL?0:strlen(A0))):0;

data/cfortran-20110621/eg/fstr/fstr.c:19:9:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ls = strlen(s );

data/cfortran-20110621/eg/fstr/fstr.c:20:9:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  lsave = strlen(save);

ANALYSIS SUMMARY:

Hits = 53
Lines analyzed = 4507 in approximately 0.26 seconds (17615 lines/second)
Physical Source Lines of Code (SLOC) = 3348
Hits@level = [0] 155 [1]  27 [2]  20 [3]   0 [4]   6 [5]   0
Hits@level+ = [0+] 208 [1+]  53 [2+]  26 [3+]   6 [4+]   6 [5+]   0
Hits/KSLOC@level+ = [0+] 62.1266 [1+] 15.8303 [2+] 7.76583 [3+] 1.79211 [4+] 1.79211 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.