Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/cynthiune.app-1.0.0/BundleManager.h
Examining data/cynthiune.app-1.0.0/CynthiuneAnimatedImageView.h
Examining data/cynthiune.app-1.0.0/CynthiuneController.h
Examining data/cynthiune.app-1.0.0/CynthiuneFadingTextField.h
Examining data/cynthiune.app-1.0.0/CynthiuneHeaderCell.h
Examining data/cynthiune.app-1.0.0/CynthiunePauseButton.h
Examining data/cynthiune.app-1.0.0/CynthiuneTextCell.h
Examining data/cynthiune.app-1.0.0/CynthiunePopUpButton.h
Examining data/cynthiune.app-1.0.0/CynthiuneSliderCell.h
Examining data/cynthiune.app-1.0.0/CynthiuneSongTitleCell.h
Examining data/cynthiune.app-1.0.0/CynthiuneWindow.h
Examining data/cynthiune.app-1.0.0/DictionaryCoder.h
Examining data/cynthiune.app-1.0.0/FormatTester.h
Examining data/cynthiune.app-1.0.0/GeneralPreference.h
Examining data/cynthiune.app-1.0.0/GoomView.h
Examining data/cynthiune.app-1.0.0/InfoDisplayController.h
Examining data/cynthiune.app-1.0.0/M3UArchiver.h
Examining data/cynthiune.app-1.0.0/MBResultsPanel.h
Examining data/cynthiune.app-1.0.0/PLSArchiver.h
Examining data/cynthiune.app-1.0.0/Player.h
Examining data/cynthiune.app-1.0.0/PlayerController.h
Examining data/cynthiune.app-1.0.0/PlayerPreference.h
Examining data/cynthiune.app-1.0.0/PlaylistArchiver.h
Examining data/cynthiune.app-1.0.0/PlaylistController.h
Examining data/cynthiune.app-1.0.0/PlaylistView.h
Examining data/cynthiune.app-1.0.0/PlaylistViewController.h
Examining data/cynthiune.app-1.0.0/PreferencesController.h
Examining data/cynthiune.app-1.0.0/Song.h
Examining data/cynthiune.app-1.0.0/SongInspectorController.h
Examining data/cynthiune.app-1.0.0/Bundles/ASFTags/ASFMetaData.h
Examining data/cynthiune.app-1.0.0/Bundles/ASFTags/ASFTags.h
Examining data/cynthiune.app-1.0.0/Bundles/AudioFile/AudioFileBundle.h
Examining data/cynthiune.app-1.0.0/Bundles/Esound/Esound.h
Examining data/cynthiune.app-1.0.0/Bundles/Esound/EsoundPreference.h
Examining data/cynthiune.app-1.0.0/Bundles/FLAC/FLAC.h
Examining data/cynthiune.app-1.0.0/Bundles/FLACTags/FLACTags.h
Examining data/cynthiune.app-1.0.0/Bundles/FormatSkeleton/Skeleton.h
Examining data/cynthiune.app-1.0.0/Bundles/GraphWriter/GraphWriter.h
Examining data/cynthiune.app-1.0.0/Bundles/ID3Tag/ID3Tag.h
Examining data/cynthiune.app-1.0.0/Bundles/MP3/MP3.h
Examining data/cynthiune.app-1.0.0/Bundles/MP3/xing.c
Examining data/cynthiune.app-1.0.0/Bundles/MP3/xing.h
Examining data/cynthiune.app-1.0.0/Bundles/MacOSX/MacOSXPlayer.h
Examining data/cynthiune.app-1.0.0/Bundles/Mod/Mod.h
Examining data/cynthiune.app-1.0.0/Bundles/Musepack/CNSFileHandle.h
Examining data/cynthiune.app-1.0.0/Bundles/Musepack/Musepack.h
Examining data/cynthiune.app-1.0.0/Bundles/OSS/OSS.h
Examining data/cynthiune.app-1.0.0/Bundles/OSS/OSSPreference.h
Examining data/cynthiune.app-1.0.0/Bundles/Ogg/Ogg.h
Examining data/cynthiune.app-1.0.0/Bundles/OutputSkeleton/Skeleton.h
Examining data/cynthiune.app-1.0.0/Bundles/Sndio/Sndio.h
Examining data/cynthiune.app-1.0.0/Bundles/Taglib/Taglib.h
Examining data/cynthiune.app-1.0.0/Bundles/TagsSkeleton/Skeleton.h
Examining data/cynthiune.app-1.0.0/Bundles/Timidity/Timidity.h
Examining data/cynthiune.app-1.0.0/Bundles/VorbisTags/VorbisTags.h
Examining data/cynthiune.app-1.0.0/Bundles/VorbisTags/vcedit.c
Examining data/cynthiune.app-1.0.0/Bundles/VorbisTags/vcedit.h
Examining data/cynthiune.app-1.0.0/Bundles/WaveOut/WaveOut.h
Examining data/cynthiune.app-1.0.0/Bundles/WindowsMedia/CWMFile.cpp
Examining data/cynthiune.app-1.0.0/Bundles/WindowsMedia/CWMFile.h
Examining data/cynthiune.app-1.0.0/Bundles/WindowsMedia/WindowsMedia.h
Examining data/cynthiune.app-1.0.0/Bundles/XMMSInput/XMMSInput.h
Examining data/cynthiune.app-1.0.0/Bundles/aRts/aRts.h
Examining data/cynthiune.app-1.0.0/Bundles/ALSA/ALSA.h
Examining data/cynthiune.app-1.0.0/Frameworks/Cynthiune/CynthiuneBundle.h
Examining data/cynthiune.app-1.0.0/Frameworks/Cynthiune/Format.h
Examining data/cynthiune.app-1.0.0/Frameworks/Cynthiune/NSCellExtensions.h
Examining data/cynthiune.app-1.0.0/Frameworks/Cynthiune/NSColorExtensions.h
Examining data/cynthiune.app-1.0.0/Frameworks/Cynthiune/NSNumberExtensions.h
Examining data/cynthiune.app-1.0.0/Frameworks/Cynthiune/NSStringExtensions.h
Examining data/cynthiune.app-1.0.0/Frameworks/Cynthiune/NSTimerExtensions.h
Examining data/cynthiune.app-1.0.0/Frameworks/Cynthiune/NSViewExtensions.h
Examining data/cynthiune.app-1.0.0/Frameworks/Cynthiune/Output.h
Examining data/cynthiune.app-1.0.0/Frameworks/Cynthiune/Preference.h
Examining data/cynthiune.app-1.0.0/Frameworks/Cynthiune/Tags.h
Examining data/cynthiune.app-1.0.0/Frameworks/Cynthiune/NSArrayExtensions.h
Examining data/cynthiune.app-1.0.0/Frameworks/Cynthiune/utils.h
Examining data/cynthiune.app-1.0.0/Playlist.h

FINAL RESULTS:

data/cynthiune.app-1.0.0/Bundles/VorbisTags/vcedit.c:291:2:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120).
  Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(state->vendor, state->vc->vendor);
data/cynthiune.app-1.0.0/Bundles/MP3/MP3.h:40:12:  [3] (random) random:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327).
  Use a more secure technique for acquiring random values.
  MadFixed random;
data/cynthiune.app-1.0.0/Bundles/ALSA/ALSA.h:40:12:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char buffer[DEFAULT_BUFFER_SIZE];
data/cynthiune.app-1.0.0/Bundles/ASFTags/ASFMetaData.h:107:12:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char guid[16];
data/cynthiune.app-1.0.0/Bundles/ASFTags/ASFMetaData.h:113:12:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char guid[16];
data/cynthiune.app-1.0.0/Bundles/ASFTags/ASFMetaData.h:122:12:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char guid[16];
data/cynthiune.app-1.0.0/Bundles/ASFTags/ASFMetaData.h:133:12:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char guid[16];
data/cynthiune.app-1.0.0/Bundles/MP3/MP3.h:80:20:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  @public unsigned char iBuffer[IBUFFER_SIZE];
data/cynthiune.app-1.0.0/Bundles/MP3/xing.h:31:12:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char toc[100]; /* 100-point seek table */
data/cynthiune.app-1.0.0/Bundles/MacOSX/MacOSXPlayer.h:40:12:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char buffer[2][DEFAULT_BUFFER_SIZE];
data/cynthiune.app-1.0.0/Bundles/Musepack/Musepack.h:41:12:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char frameBuffer[maxSamples * 4];
data/cynthiune.app-1.0.0/Bundles/Sndio/Sndio.h:47:12:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char buffer[DEFAULT_BUFFER_SIZE];
data/cynthiune.app-1.0.0/Bundles/VorbisTags/vcedit.c:113:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(op->packet, opb.buffer, oggpack_bytes(&opb));
data/cynthiune.app-1.0.0/Bundles/VorbisTags/vcedit.c:245:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(state->mainbuf, header_main.packet, header_main.bytes);
data/cynthiune.app-1.0.0/Bundles/VorbisTags/vcedit.c:270:7:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(state->bookbuf, header->packet,
data/cynthiune.app-1.0.0/Bundles/WaveOut/WaveOut.h:38:12:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char buffer[DEFAULT_BUFFER_SIZE];
data/cynthiune.app-1.0.0/Bundles/XMMSInput/XMMSInput.h:33:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char pluginBuffer[BUF_LEN];
data/cynthiune.app-1.0.0/Bundles/aRts/aRts.h:38:12:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char buffer[DEFAULT_BUFFER_SIZE];
data/cynthiune.app-1.0.0/Bundles/VorbisTags/vcedit.c:93:21:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  oggpack_write(&opb,strlen(vendor),32);
data/cynthiune.app-1.0.0/Bundles/VorbisTags/vcedit.c:94:30:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  _v_writestring(&opb,vendor, strlen(vendor));
data/cynthiune.app-1.0.0/Bundles/VorbisTags/vcedit.c:156:15:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  bytes = s->read(buffer,1, CHUNKSIZE, s->in);
data/cynthiune.app-1.0.0/Bundles/VorbisTags/vcedit.c:201:17:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  bytes = state->read(buffer, 1, CHUNKSIZE, state->in);
data/cynthiune.app-1.0.0/Bundles/VorbisTags/vcedit.c:280:18:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  bytes = state->read(buffer, 1, CHUNKSIZE, state->in);
data/cynthiune.app-1.0.0/Bundles/VorbisTags/vcedit.c:290:25:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  state->vendor = malloc(strlen(state->vc->vendor) +1);
data/cynthiune.app-1.0.0/Bundles/VorbisTags/vcedit.c:454:18:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  bytes = state->read(buffer,1, CHUNKSIZE, state->in);
data/cynthiune.app-1.0.0/Bundles/VorbisTags/vcedit.h:34:19:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  vcedit_read_func read;
data/cynthiune.app-1.0.0/Bundles/WindowsMedia/CWMFile.cpp:45:11:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  _f->read ((char*) &header, 4);

ANALYSIS SUMMARY:

Hits = 27
Lines analyzed = 4844 in approximately 0.30 seconds (16378 lines/second)
Physical Source Lines of Code (SLOC) = 2258
Hits@level = [0]  12 [1]   9 [2]  16 [3]   1 [4]   1 [5]   0
Hits@level+ = [0+]  39 [1+]  27 [2+]  18 [3+]   2 [4+]   1 [5+]   0
Hits/KSLOC@level+ = [0+] 17.2719 [1+] 11.9575 [2+] 7.97166 [3+] 0.88574 [4+] 0.44287 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.