Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/cynthiune.app-1.0.0/BundleManager.h
Examining data/cynthiune.app-1.0.0/CynthiuneAnimatedImageView.h
Examining data/cynthiune.app-1.0.0/CynthiuneController.h
Examining data/cynthiune.app-1.0.0/CynthiuneFadingTextField.h
Examining data/cynthiune.app-1.0.0/CynthiuneHeaderCell.h
Examining data/cynthiune.app-1.0.0/CynthiunePauseButton.h
Examining data/cynthiune.app-1.0.0/CynthiuneTextCell.h
Examining data/cynthiune.app-1.0.0/CynthiunePopUpButton.h
Examining data/cynthiune.app-1.0.0/CynthiuneSliderCell.h
Examining data/cynthiune.app-1.0.0/CynthiuneSongTitleCell.h
Examining data/cynthiune.app-1.0.0/CynthiuneWindow.h
Examining data/cynthiune.app-1.0.0/DictionaryCoder.h
Examining data/cynthiune.app-1.0.0/FormatTester.h
Examining data/cynthiune.app-1.0.0/GeneralPreference.h
Examining data/cynthiune.app-1.0.0/GoomView.h
Examining data/cynthiune.app-1.0.0/InfoDisplayController.h
Examining data/cynthiune.app-1.0.0/M3UArchiver.h
Examining data/cynthiune.app-1.0.0/MBResultsPanel.h
Examining data/cynthiune.app-1.0.0/PLSArchiver.h
Examining data/cynthiune.app-1.0.0/Player.h
Examining data/cynthiune.app-1.0.0/PlayerController.h
Examining data/cynthiune.app-1.0.0/PlayerPreference.h
Examining data/cynthiune.app-1.0.0/PlaylistArchiver.h
Examining data/cynthiune.app-1.0.0/PlaylistController.h
Examining data/cynthiune.app-1.0.0/PlaylistView.h
Examining data/cynthiune.app-1.0.0/PlaylistViewController.h
Examining data/cynthiune.app-1.0.0/PreferencesController.h
Examining data/cynthiune.app-1.0.0/Song.h
Examining data/cynthiune.app-1.0.0/SongInspectorController.h
Examining data/cynthiune.app-1.0.0/Bundles/ASFTags/ASFMetaData.h
Examining data/cynthiune.app-1.0.0/Bundles/ASFTags/ASFTags.h
Examining data/cynthiune.app-1.0.0/Bundles/AudioFile/AudioFileBundle.h
Examining data/cynthiune.app-1.0.0/Bundles/Esound/Esound.h
Examining data/cynthiune.app-1.0.0/Bundles/Esound/EsoundPreference.h
Examining data/cynthiune.app-1.0.0/Bundles/FLAC/FLAC.h
Examining data/cynthiune.app-1.0.0/Bundles/FLACTags/FLACTags.h
Examining data/cynthiune.app-1.0.0/Bundles/FormatSkeleton/Skeleton.h
Examining data/cynthiune.app-1.0.0/Bundles/GraphWriter/GraphWriter.h
Examining data/cynthiune.app-1.0.0/Bundles/ID3Tag/ID3Tag.h
Examining data/cynthiune.app-1.0.0/Bundles/MP3/MP3.h
Examining data/cynthiune.app-1.0.0/Bundles/MP3/xing.c
Examining data/cynthiune.app-1.0.0/Bundles/MP3/xing.h
Examining data/cynthiune.app-1.0.0/Bundles/MacOSX/MacOSXPlayer.h
Examining data/cynthiune.app-1.0.0/Bundles/Mod/Mod.h
Examining data/cynthiune.app-1.0.0/Bundles/Musepack/CNSFileHandle.h
Examining data/cynthiune.app-1.0.0/Bundles/Musepack/Musepack.h
Examining data/cynthiune.app-1.0.0/Bundles/OSS/OSS.h
Examining data/cynthiune.app-1.0.0/Bundles/OSS/OSSPreference.h
Examining data/cynthiune.app-1.0.0/Bundles/Ogg/Ogg.h
Examining data/cynthiune.app-1.0.0/Bundles/OutputSkeleton/Skeleton.h
Examining data/cynthiune.app-1.0.0/Bundles/Sndio/Sndio.h
Examining data/cynthiune.app-1.0.0/Bundles/Taglib/Taglib.h
Examining data/cynthiune.app-1.0.0/Bundles/TagsSkeleton/Skeleton.h
Examining data/cynthiune.app-1.0.0/Bundles/Timidity/Timidity.h
Examining data/cynthiune.app-1.0.0/Bundles/VorbisTags/VorbisTags.h
Examining data/cynthiune.app-1.0.0/Bundles/VorbisTags/vcedit.c
Examining data/cynthiune.app-1.0.0/Bundles/VorbisTags/vcedit.h
Examining data/cynthiune.app-1.0.0/Bundles/WaveOut/WaveOut.h
Examining data/cynthiune.app-1.0.0/Bundles/WindowsMedia/CWMFile.cpp
Examining data/cynthiune.app-1.0.0/Bundles/WindowsMedia/CWMFile.h
Examining data/cynthiune.app-1.0.0/Bundles/WindowsMedia/WindowsMedia.h
Examining data/cynthiune.app-1.0.0/Bundles/XMMSInput/XMMSInput.h
Examining data/cynthiune.app-1.0.0/Bundles/aRts/aRts.h
Examining data/cynthiune.app-1.0.0/Bundles/ALSA/ALSA.h
Examining data/cynthiune.app-1.0.0/Frameworks/Cynthiune/CynthiuneBundle.h
Examining data/cynthiune.app-1.0.0/Frameworks/Cynthiune/Format.h
Examining data/cynthiune.app-1.0.0/Frameworks/Cynthiune/NSCellExtensions.h
Examining data/cynthiune.app-1.0.0/Frameworks/Cynthiune/NSColorExtensions.h
Examining data/cynthiune.app-1.0.0/Frameworks/Cynthiune/NSNumberExtensions.h
Examining data/cynthiune.app-1.0.0/Frameworks/Cynthiune/NSStringExtensions.h
Examining data/cynthiune.app-1.0.0/Frameworks/Cynthiune/NSTimerExtensions.h
Examining data/cynthiune.app-1.0.0/Frameworks/Cynthiune/NSViewExtensions.h
Examining data/cynthiune.app-1.0.0/Frameworks/Cynthiune/Output.h
Examining data/cynthiune.app-1.0.0/Frameworks/Cynthiune/Preference.h
Examining data/cynthiune.app-1.0.0/Frameworks/Cynthiune/Tags.h
Examining data/cynthiune.app-1.0.0/Frameworks/Cynthiune/NSArrayExtensions.h
Examining data/cynthiune.app-1.0.0/Frameworks/Cynthiune/utils.h
Examining data/cynthiune.app-1.0.0/Playlist.h
FINAL RESULTS:
data/cynthiune.app-1.0.0/Bundles/VorbisTags/vcedit.c:291:2: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(state->vendor, state->vc->vendor);
data/cynthiune.app-1.0.0/Bundles/MP3/MP3.h:40:12: [3] (random) random:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
MadFixed random;
data/cynthiune.app-1.0.0/Bundles/ALSA/ALSA.h:40:12: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char buffer[DEFAULT_BUFFER_SIZE];
data/cynthiune.app-1.0.0/Bundles/ASFTags/ASFMetaData.h:107:12: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char guid[16];
data/cynthiune.app-1.0.0/Bundles/ASFTags/ASFMetaData.h:113:12: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char guid[16];
data/cynthiune.app-1.0.0/Bundles/ASFTags/ASFMetaData.h:122:12: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char guid[16];
data/cynthiune.app-1.0.0/Bundles/ASFTags/ASFMetaData.h:133:12: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char guid[16];
data/cynthiune.app-1.0.0/Bundles/MP3/MP3.h:80:20: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
@public unsigned char iBuffer[IBUFFER_SIZE];
data/cynthiune.app-1.0.0/Bundles/MP3/xing.h:31:12: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char toc[100]; /* 100-point seek table */
data/cynthiune.app-1.0.0/Bundles/MacOSX/MacOSXPlayer.h:40:12: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char buffer[2][DEFAULT_BUFFER_SIZE];
data/cynthiune.app-1.0.0/Bundles/Musepack/Musepack.h:41:12: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char frameBuffer[maxSamples * 4];
data/cynthiune.app-1.0.0/Bundles/Sndio/Sndio.h:47:12: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char buffer[DEFAULT_BUFFER_SIZE];
data/cynthiune.app-1.0.0/Bundles/VorbisTags/vcedit.c:113:2: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(op->packet, opb.buffer, oggpack_bytes(&opb));
data/cynthiune.app-1.0.0/Bundles/VorbisTags/vcedit.c:245:2: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(state->mainbuf, header_main.packet, header_main.bytes);
data/cynthiune.app-1.0.0/Bundles/VorbisTags/vcedit.c:270:7: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(state->bookbuf, header->packet,
data/cynthiune.app-1.0.0/Bundles/WaveOut/WaveOut.h:38:12: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char buffer[DEFAULT_BUFFER_SIZE];
data/cynthiune.app-1.0.0/Bundles/XMMSInput/XMMSInput.h:33:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char pluginBuffer[BUF_LEN];
data/cynthiune.app-1.0.0/Bundles/aRts/aRts.h:38:12: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char buffer[DEFAULT_BUFFER_SIZE];
data/cynthiune.app-1.0.0/Bundles/VorbisTags/vcedit.c:93:21: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
oggpack_write(&opb,strlen(vendor),32);
data/cynthiune.app-1.0.0/Bundles/VorbisTags/vcedit.c:94:30: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
_v_writestring(&opb,vendor, strlen(vendor));
data/cynthiune.app-1.0.0/Bundles/VorbisTags/vcedit.c:156:15: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
bytes = s->read(buffer,1, CHUNKSIZE, s->in);
data/cynthiune.app-1.0.0/Bundles/VorbisTags/vcedit.c:201:17: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
bytes = state->read(buffer, 1, CHUNKSIZE, state->in);
data/cynthiune.app-1.0.0/Bundles/VorbisTags/vcedit.c:280:18: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
bytes = state->read(buffer, 1, CHUNKSIZE, state->in);
data/cynthiune.app-1.0.0/Bundles/VorbisTags/vcedit.c:290:25: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
state->vendor = malloc(strlen(state->vc->vendor) +1);
data/cynthiune.app-1.0.0/Bundles/VorbisTags/vcedit.c:454:18: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
bytes = state->read(buffer,1, CHUNKSIZE, state->in);
data/cynthiune.app-1.0.0/Bundles/VorbisTags/vcedit.h:34:19: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
vcedit_read_func read;
data/cynthiune.app-1.0.0/Bundles/WindowsMedia/CWMFile.cpp:45:11: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
_f->read ((char*) &header, 4);
ANALYSIS SUMMARY:
Hits = 27
Lines analyzed = 4844 in approximately 0.30 seconds (16378 lines/second)
Physical Source Lines of Code (SLOC) = 2258
Hits@level = [0] 12 [1] 9 [2] 16 [3] 1 [4] 1 [5] 0
Hits@level+ = [0+] 39 [1+] 27 [2+] 18 [3+] 2 [4+] 1 [5+] 0
Hits/KSLOC@level+ = [0+] 17.2719 [1+] 11.9575 [2+] 7.97166 [3+] 0.88574 [4+] 0.44287 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.