Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/fonts-inter-3.15+ds/misc/ttf2woff/comp-zlib.c
Examining data/fonts-inter-3.15+ds/misc/ttf2woff/comp-zopfli.c
Examining data/fonts-inter-3.15+ds/misc/ttf2woff/compat.c
Examining data/fonts-inter-3.15+ds/misc/ttf2woff/genttf.c
Examining data/fonts-inter-3.15+ds/misc/ttf2woff/genwoff.c
Examining data/fonts-inter-3.15+ds/misc/ttf2woff/optimize.c
Examining data/fonts-inter-3.15+ds/misc/ttf2woff/readttc.c
Examining data/fonts-inter-3.15+ds/misc/ttf2woff/readttf.c
Examining data/fonts-inter-3.15+ds/misc/ttf2woff/readwoff.c
Examining data/fonts-inter-3.15+ds/misc/ttf2woff/ttf2woff.c
Examining data/fonts-inter-3.15+ds/misc/ttf2woff/ttf2woff.h
Examining data/fonts-inter-3.15+ds/misc/ttf2woff/zopfli/blocksplitter.c
Examining data/fonts-inter-3.15+ds/misc/ttf2woff/zopfli/blocksplitter.h
Examining data/fonts-inter-3.15+ds/misc/ttf2woff/zopfli/cache.c
Examining data/fonts-inter-3.15+ds/misc/ttf2woff/zopfli/cache.h
Examining data/fonts-inter-3.15+ds/misc/ttf2woff/zopfli/deflate.c
Examining data/fonts-inter-3.15+ds/misc/ttf2woff/zopfli/deflate.h
Examining data/fonts-inter-3.15+ds/misc/ttf2woff/zopfli/hash.c
Examining data/fonts-inter-3.15+ds/misc/ttf2woff/zopfli/hash.h
Examining data/fonts-inter-3.15+ds/misc/ttf2woff/zopfli/katajainen.c
Examining data/fonts-inter-3.15+ds/misc/ttf2woff/zopfli/katajainen.h
Examining data/fonts-inter-3.15+ds/misc/ttf2woff/zopfli/lz77.c
Examining data/fonts-inter-3.15+ds/misc/ttf2woff/zopfli/lz77.h
Examining data/fonts-inter-3.15+ds/misc/ttf2woff/zopfli/squeeze.c
Examining data/fonts-inter-3.15+ds/misc/ttf2woff/zopfli/squeeze.h
Examining data/fonts-inter-3.15+ds/misc/ttf2woff/zopfli/symbols.h
Examining data/fonts-inter-3.15+ds/misc/ttf2woff/zopfli/tree.c
Examining data/fonts-inter-3.15+ds/misc/ttf2woff/zopfli/tree.h
Examining data/fonts-inter-3.15+ds/misc/ttf2woff/zopfli/util.c
Examining data/fonts-inter-3.15+ds/misc/ttf2woff/zopfli/util.h
Examining data/fonts-inter-3.15+ds/misc/ttf2woff/zopfli/zlib_container.c
Examining data/fonts-inter-3.15+ds/misc/ttf2woff/zopfli/zlib_container.h
Examining data/fonts-inter-3.15+ds/misc/ttf2woff/zopfli/zopfli.h

FINAL RESULTS:

data/fonts-inter-3.15+ds/misc/ttf2woff/compat.c:10:8:  [4] (format) vfprintf:
  If format strings can be influenced by an attacker, they can be exploited
  (CWE-134). Use a constant for the format specification.
	if(f) vfprintf(stderr, f, *va);
data/fonts-inter-3.15+ds/misc/ttf2woff/ttf2woff.c:31:2:  [4] (format) vfprintf:
  If format strings can be influenced by an attacker, they can be exploited
  (CWE-134). Use a constant for the format specification.
	vfprintf(o, f, va);
data/fonts-inter-3.15+ds/misc/ttf2woff/ttf2woff.c:318:3:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
		strcpy(xtab.ptr+xtab.len, optarg);
data/fonts-inter-3.15+ds/misc/ttf2woff/ttf2woff.c:327:12:  [4] (format) printf:
  If format strings can be influenced by an attacker, they can be exploited
  (CWE-134). Use a constant for the format specification.
	case 'V': printf(STR(VERSION)"\n"); return 0;
data/fonts-inter-3.15+ds/misc/ttf2woff/ttf2woff.c:296:17:  [3] (buffer) getopt:
  Some older implementations do not protect against internal buffer overflows
  (CWE-120, CWE-20). Check implementation on installation, or limit the size
  of all string inputs.
	for(;;) switch(getopt(argc, argv, "vt:u:SOX:lm:p:ihV")) {
data/fonts-inter-3.15+ds/misc/ttf2woff/optimize.c:14:43:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
struct table *find_table(struct ttf *ttf, char tag[4])
data/fonts-inter-3.15+ds/misc/ttf2woff/optimize.c:220:4:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
			memcpy(p,a.ptr,a.len); p+=a.len;
data/fonts-inter-3.15+ds/misc/ttf2woff/optimize.c:229:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	memcpy(new.ptr, name->buf.ptr, 6+12*count);
data/fonts-inter-3.15+ds/misc/ttf2woff/ttf2woff.c:62:8:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
		fd = open(path, O_RDONLY|O_BINARY);
data/fonts-inter-3.15+ds/misc/ttf2woff/ttf2woff.c:111:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	memcpy(nm, pt, l);
data/fonts-inter-3.15+ds/misc/ttf2woff/ttf2woff.c:114:3:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
		sprintf(p, "%d", i);
data/fonts-inter-3.15+ds/misc/ttf2woff/ttf2woff.c:115:8:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
		fd = open(nm, O_WRONLY|O_TRUNC|O_CREAT|O_BINARY|O_EXCL, 0666);
data/fonts-inter-3.15+ds/misc/ttf2woff/ttf2woff.c:307:11:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
		fontn = atoi(optarg);
data/fonts-inter-3.15+ds/misc/ttf2woff/ttf2woff.c:493:9:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
			fd = open(oname, O_WRONLY|O_TRUNC|O_CREAT|O_BINARY, 0666);
data/fonts-inter-3.15+ds/misc/ttf2woff/ttf2woff.h:42:62:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
static inline u8 *append(u8 *d, u8 *s, size_t n) {u8 *p=d+n; memcpy(d,s,n); return p;}
data/fonts-inter-3.15+ds/misc/ttf2woff/ttf2woff.h:56:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char name[8];
data/fonts-inter-3.15+ds/misc/ttf2woff/ttf2woff.h:73:43:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
struct table *find_table(struct ttf *ttf, char tag[4]);
data/fonts-inter-3.15+ds/misc/ttf2woff/zopfli/deflate.c:557:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
    memcpy(ll_lengths, ll_lengths2, sizeof(ll_lengths2));
data/fonts-inter-3.15+ds/misc/ttf2woff/zopfli/deflate.c:558:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
    memcpy(d_lengths, d_lengths2, sizeof(d_lengths2));
data/fonts-inter-3.15+ds/misc/ttf2woff/zopfli/squeeze.c:54:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(dest->litlens, source->litlens,
data/fonts-inter-3.15+ds/misc/ttf2woff/zopfli/squeeze.c:56:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(dest->dists, source->dists, ZOPFLI_NUM_D * sizeof(dest->dists[0]));
data/fonts-inter-3.15+ds/misc/ttf2woff/zopfli/squeeze.c:58:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(dest->ll_symbols, source->ll_symbols,
data/fonts-inter-3.15+ds/misc/ttf2woff/zopfli/squeeze.c:60:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(dest->d_symbols, source->d_symbols,
data/fonts-inter-3.15+ds/misc/ttf2woff/ttf2woff.c:76:7:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
		v = read(fd, file.ptr, file.len);
data/fonts-inter-3.15+ds/misc/ttf2woff/ttf2woff.c:91:8:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
			v = read(fd, file.ptr+file.len, alen-file.len);
data/fonts-inter-3.15+ds/misc/ttf2woff/ttf2woff.c:106:10:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	int l = strlen(pt);
data/fonts-inter-3.15+ds/misc/ttf2woff/ttf2woff.c:316:7:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
		v = strlen(optarg) + 1;

ANALYSIS SUMMARY:

Hits = 27
Lines analyzed = 5730 in approximately 0.25 seconds (22932 lines/second)
Physical Source Lines of Code (SLOC) = 3776
Hits@level = [0]  14 [1]   4 [2]  18 [3]   1 [4]   4 [5]   0
Hits@level+ = [0+]  41 [1+]  27 [2+]  23 [3+]   5 [4+]   4 [5+]   0
Hits/KSLOC@level+ = [0+] 10.8581 [1+] 7.15042 [2+] 6.0911 [3+] 1.32415 [4+] 1.05932 [5+]   0
Dot directories skipped = 2 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.