Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler. Number of rules (primarily dangerous function names) in C/C++ ruleset: 223 Examining data/dtmf2num-0.1.1/mywav.h Examining data/dtmf2num-0.1.1/dsp.c Examining data/dtmf2num-0.1.1/dtmf2num.c Examining data/dtmf2num-0.1.1/resample2.c FINAL RESULTS: data/dtmf2num-0.1.1/dsp.c:150:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char digits[MAX_DTMF_DIGITS + 1]; data/dtmf2num-0.1.1/dtmf2num.c:135:39: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). fmt.dwSamplesPerSec = atoi(argv[i]); data/dtmf2num-0.1.1/dtmf2num.c:137:39: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). fmt.wChannels = atoi(argv[i]); data/dtmf2num-0.1.1/dtmf2num.c:139:39: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). fmt.wBitsPerSample = atoi(argv[i]); data/dtmf2num-0.1.1/dtmf2num.c:177:14: [2] (misc) fopen: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). fd = fopen(fname, "rb"); data/dtmf2num-0.1.1/dtmf2num.c:226:14: [2] (misc) fopen: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). fd = fopen(outfile, "wb"); data/dtmf2num-0.1.1/mywav.h:221:5: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(chunk.id, "RIFF", 4); data/dtmf2num-0.1.1/mywav.h:233:5: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(chunk.id, "fmt ", 4); data/dtmf2num-0.1.1/mywav.h:239:5: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(chunk.id, "data", 4); data/dtmf2num-0.1.1/resample2.c:212:5: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(&c->filter_bank[c->filter_length*phase_count+1], c->filter_bank, (c->filter_length-1)*sizeof(FELEM)); data/dtmf2num-0.1.1/dtmf2num.c:127:61: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if(((argv[i][0] != '-') && (argv[i][0] != '/')) || (strlen(argv[i]) != 2)) { ANALYSIS SUMMARY: Hits = 11 Lines analyzed = 1539 in approximately 0.06 seconds (25041 lines/second) Physical Source Lines of Code (SLOC) = 1055 Hits@level = [0] 30 [1] 1 [2] 10 [3] 0 [4] 0 [5] 0 Hits@level+ = [0+] 41 [1+] 11 [2+] 10 [3+] 0 [4+] 0 [5+] 0 Hits/KSLOC@level+ = [0+] 38.8626 [1+] 10.4265 [2+] 9.47867 [3+] 0 [4+] 0 [5+] 0 Dot directories skipped = 1 (--followdotdir overrides) Minimum risk level = 1 Not every hit is necessarily a security vulnerability. There may be other security vulnerabilities; review your code! See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.