Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/distlib-0.3.1/PC/launcher.c

FINAL RESULTS:

data/distlib-0.3.1/PC/launcher.c:134:9: [2] (buffer) wchar_t:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  wchar_t message[MSGSIZE];
data/distlib-0.3.1/PC/launcher.c:155:9: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char message[MSGSIZE];
data/distlib-0.3.1/PC/launcher.c:171:8: [2] (buffer) wchar_t:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static wchar_t script_path[MAX_PATH];
data/distlib-0.3.1/PC/launcher.c:188:8: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char
data/distlib-0.3.1/PC/launcher.c:200:14: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  p = (char *) memchr(bp, pattern[0], n);
data/distlib-0.3.1/PC/launcher.c:308:8: [2] (buffer) wchar_t:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static wchar_t path_executable[MSGSIZE];
data/distlib-0.3.1/PC/launcher.c:467:9: [2] (buffer) wchar_t:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  wchar_t emessage[MSGSIZE];
data/distlib-0.3.1/PC/launcher.c:565:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buffer[MAX_PATH];
data/distlib-0.3.1/PC/launcher.c:566:5: [2] (buffer) wchar_t:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  wchar_t wbuffer[MAX_PATH];
data/distlib-0.3.1/PC/launcher.c:568:5: [2] (buffer) wchar_t:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  wchar_t dbuffer[MAX_PATH];
data/distlib-0.3.1/PC/launcher.c:569:5: [2] (buffer) wchar_t:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  wchar_t pbuffer[MAX_PATH];
data/distlib-0.3.1/PC/launcher.c:619:9: [2] (buffer) MultiByteToWideChar:
  Requires maximum length in CHARACTERS, not bytes (CWE-120).
  n = MultiByteToWideChar(CP_UTF8, MB_ERR_INVALID_CHARS, p, (int) (cp - p), wbuffer, MAX_PATH);
data/distlib-0.3.1/PC/launcher.c:218:12: [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  size_t read;
data/distlib-0.3.1/PC/launcher.c:233:30: [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  p = find_pattern(buffer, read, end_cdr_sig, sizeof(end_cdr_sig));
data/distlib-0.3.1/PC/launcher.c:252:38: [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  p = find_pattern(big_buffer, read, end_cdr_sig, sizeof(end_cdr_sig));
data/distlib-0.3.1/PC/launcher.c:276:12: [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  assert(read > 0, "Unable to read from file");
data/distlib-0.3.1/PC/launcher.c:287:16: [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  assert(read > 0, "Unable to read from file");
data/distlib-0.3.1/PC/launcher.c:659:11: [1] (buffer) wcslen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  len = wcslen(wcp) + wcslen(wp) + 8 + wcslen(psp) + wcslen(cmdline);
data/distlib-0.3.1/PC/launcher.c:659:25: [1] (buffer) wcslen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  len = wcslen(wcp) + wcslen(wp) + 8 + wcslen(psp) + wcslen(cmdline);
data/distlib-0.3.1/PC/launcher.c:659:42: [1] (buffer) wcslen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  len = wcslen(wcp) + wcslen(wp) + 8 + wcslen(psp) + wcslen(cmdline);
data/distlib-0.3.1/PC/launcher.c:659:56: [1] (buffer) wcslen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  len = wcslen(wcp) + wcslen(wp) + 8 + wcslen(psp) + wcslen(cmdline);

ANALYSIS SUMMARY:

Hits = 21
Lines analyzed = 683 in approximately 0.12 seconds (5899 lines/second)
Physical Source Lines of Code (SLOC) = 530
Hits@level = [0] 7 [1] 9 [2] 12 [3] 0 [4] 0 [5] 0
Hits@level+ = [0+] 28 [1+] 21 [2+] 12 [3+] 0 [4+] 0 [5+] 0
Hits/KSLOC@level+ = [0+] 52.8302 [1+] 39.6226 [2+] 22.6415 [3+] 0 [4+] 0 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.