Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/erlang-jiffy-1.0.5+dfsg/c_src/decoder.c
Examining data/erlang-jiffy-1.0.5+dfsg/c_src/double-conversion/bignum-dtoa.cc
Examining data/erlang-jiffy-1.0.5+dfsg/c_src/double-conversion/bignum-dtoa.h
Examining data/erlang-jiffy-1.0.5+dfsg/c_src/double-conversion/bignum.cc
Examining data/erlang-jiffy-1.0.5+dfsg/c_src/double-conversion/bignum.h
Examining data/erlang-jiffy-1.0.5+dfsg/c_src/double-conversion/cached-powers.cc
Examining data/erlang-jiffy-1.0.5+dfsg/c_src/double-conversion/cached-powers.h
Examining data/erlang-jiffy-1.0.5+dfsg/c_src/double-conversion/diy-fp.cc
Examining data/erlang-jiffy-1.0.5+dfsg/c_src/double-conversion/diy-fp.h
Examining data/erlang-jiffy-1.0.5+dfsg/c_src/double-conversion/double-conversion.cc
Examining data/erlang-jiffy-1.0.5+dfsg/c_src/double-conversion/double-conversion.h
Examining data/erlang-jiffy-1.0.5+dfsg/c_src/double-conversion/fast-dtoa.cc
Examining data/erlang-jiffy-1.0.5+dfsg/c_src/double-conversion/fast-dtoa.h
Examining data/erlang-jiffy-1.0.5+dfsg/c_src/double-conversion/fixed-dtoa.cc
Examining data/erlang-jiffy-1.0.5+dfsg/c_src/double-conversion/fixed-dtoa.h
Examining data/erlang-jiffy-1.0.5+dfsg/c_src/double-conversion/ieee.h
Examining data/erlang-jiffy-1.0.5+dfsg/c_src/double-conversion/strtod.cc
Examining data/erlang-jiffy-1.0.5+dfsg/c_src/double-conversion/strtod.h
Examining data/erlang-jiffy-1.0.5+dfsg/c_src/double-conversion/utils.h
Examining data/erlang-jiffy-1.0.5+dfsg/c_src/doubles.cc
Examining data/erlang-jiffy-1.0.5+dfsg/c_src/encoder.c
Examining data/erlang-jiffy-1.0.5+dfsg/c_src/jiffy.c
Examining data/erlang-jiffy-1.0.5+dfsg/c_src/jiffy.h
Examining data/erlang-jiffy-1.0.5+dfsg/c_src/objects.cc
Examining data/erlang-jiffy-1.0.5+dfsg/c_src/termstack.c
Examining data/erlang-jiffy-1.0.5+dfsg/c_src/termstack.h
Examining data/erlang-jiffy-1.0.5+dfsg/c_src/utf8.c
Examining data/erlang-jiffy-1.0.5+dfsg/c_src/util.c

FINAL RESULTS:

data/erlang-jiffy-1.0.5+dfsg/c_src/decoder.c:20:9:  [4] (format) snprintf:
  If format strings can be influenced by an attacker, they can be exploited,
  and note that sprintf variations do not always \0-terminate (CWE-134). Use a
  constant for the format specification.
#define snprintf _snprintf
data/erlang-jiffy-1.0.5+dfsg/c_src/decoder.c:20:19:  [4] (format) _snprintf:
  If format strings can be influenced by an attacker, they can be exploited,
  and note that sprintf variations do not always \0-terminate (CWE-134). Use a
  constant for the format specification.
#define snprintf _snprintf
data/erlang-jiffy-1.0.5+dfsg/c_src/encoder.c:25:9:  [4] (format) snprintf:
  If format strings can be influenced by an attacker, they can be exploited,
  and note that sprintf variations do not always \0-terminate (CWE-134). Use a
  constant for the format specification.
#define snprintf _snprintf
data/erlang-jiffy-1.0.5+dfsg/c_src/encoder.c:25:19:  [4] (format) _snprintf:
  If format strings can be influenced by an attacker, they can be exploited,
  and note that sprintf variations do not always \0-terminate (CWE-134). Use a
  constant for the format specification.
#define snprintf _snprintf
data/erlang-jiffy-1.0.5+dfsg/c_src/decoder.c:300:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
        memcpy(chrbuf, &(d->p[st]), ulen);
data/erlang-jiffy-1.0.5+dfsg/c_src/decoder.c:379:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char nbuf[NUM_BUF_LEN];
data/erlang-jiffy-1.0.5+dfsg/c_src/decoder.c:590:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
        memcpy(nbuf, &(d->p[st]), d->i - st);
data/erlang-jiffy-1.0.5+dfsg/c_src/double-conversion/double-conversion.cc:102:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buffer[kMaxExponentLength + 1];
data/erlang-jiffy-1.0.5+dfsg/c_src/double-conversion/double-conversion.cc:174:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char decimal_rep[kDecimalRepCapacity];
data/erlang-jiffy-1.0.5+dfsg/c_src/double-conversion/double-conversion.cc:219:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char decimal_rep[kDecimalRepCapacity];
data/erlang-jiffy-1.0.5+dfsg/c_src/double-conversion/double-conversion.cc:252:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char decimal_rep[kDecimalRepCapacity];
data/erlang-jiffy-1.0.5+dfsg/c_src/double-conversion/double-conversion.cc:307:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char decimal_rep[kDecimalRepCapacity];
data/erlang-jiffy-1.0.5+dfsg/c_src/double-conversion/double-conversion.cc:826:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buffer[kBufferSize];  // NOLINT: size is known at compile time.
data/erlang-jiffy-1.0.5+dfsg/c_src/double-conversion/strtod.cc:450:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char copy_buffer[kMaxSignificantDecimalDigits];
data/erlang-jiffy-1.0.5+dfsg/c_src/double-conversion/strtod.cc:500:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char copy_buffer[kMaxSignificantDecimalDigits];
data/erlang-jiffy-1.0.5+dfsg/c_src/double-conversion/utils.h:352:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  typedef char VerifySizesAreEqual[sizeof(Dest) == sizeof(Source) ? 1 : -1];
data/erlang-jiffy-1.0.5+dfsg/c_src/encoder.c:196:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
    memcpy(&(e->p[e->i]), literal, len);
data/erlang-jiffy-1.0.5+dfsg/c_src/encoder.c:264:14:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    unsigned char data[512];
data/erlang-jiffy-1.0.5+dfsg/c_src/encoder.c:371:17:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
                memcpy(&e->p[e->i], &data[i], ulen);
data/erlang-jiffy-1.0.5+dfsg/c_src/encoder.c:441:18:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    static const char digits[201] =
data/erlang-jiffy-1.0.5+dfsg/c_src/termstack.c:38:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
        memcpy(stack->elements, elements, arity * sizeof(ERL_NIF_TERM));
data/erlang-jiffy-1.0.5+dfsg/c_src/termstack.c:63:13:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
            memcpy(elems, stack->elements, num_bytes);
data/erlang-jiffy-1.0.5+dfsg/c_src/utf8.c:6:23:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
static const unsigned char hexvals[256] = {
data/erlang-jiffy-1.0.5+dfsg/c_src/utf8.c:42:14:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
static const char hexdigits[16] = {
data/erlang-jiffy-1.0.5+dfsg/c_src/double-conversion/utils.h:196:19:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  size_t length = strlen(string);
data/erlang-jiffy-1.0.5+dfsg/c_src/double-conversion/utils.h:284:38:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ASSERT(static_cast<size_t>(n) <= strlen(s));
data/erlang-jiffy-1.0.5+dfsg/c_src/double-conversion/utils.h:304:12:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ASSERT(strlen(buffer_.start()) == static_cast<size_t>(position_));
data/erlang-jiffy-1.0.5+dfsg/c_src/encoder.c:273:12:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    size = strlen((const char*)data);

ANALYSIS SUMMARY:

Hits = 28
Lines analyzed = 9230 in approximately 1.65 seconds (5596 lines/second)
Physical Source Lines of Code (SLOC) = 6057
Hits@level = [0]   0 [1]   4 [2]  20 [3]   0 [4]   4 [5]   0
Hits@level+ = [0+]  28 [1+]  28 [2+]  24 [3+]   4 [4+]   4 [5+]   0
Hits/KSLOC@level+ = [0+] 4.62275 [1+] 4.62275 [2+] 3.96236 [3+] 0.660393 [4+] 0.660393 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.