Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/g-wrap-1.9.15/guile/g-wrap/guile-wct.h
Examining data/g-wrap-1.9.15/guile/g-wrap/guile-compatibility.c
Examining data/g-wrap-1.9.15/guile/g-wrap/guile-runtime.c
Examining data/g-wrap-1.9.15/guile/g-wrap/guile-wct.c
Examining data/g-wrap-1.9.15/guile/g-wrap/guile-runtime.h
Examining data/g-wrap-1.9.15/guile/g-wrap/guile-compatibility.h
Examining data/g-wrap-1.9.15/guile/test/guile-test-c-code.h
Examining data/g-wrap-1.9.15/guile/test/guile-test-c-code.c
Examining data/g-wrap-1.9.15/guile/examples/miscutils-guile.c
Examining data/g-wrap-1.9.15/guile/examples/miscutils.c
Examining data/g-wrap-1.9.15/guile/examples/miscutils-guile.h
Examining data/g-wrap-1.9.15/guile/examples/miscutils.h
Examining data/g-wrap-1.9.15/guile/g-wrap-wct.h
Examining data/g-wrap-1.9.15/g-wrap/core-runtime.c
Examining data/g-wrap-1.9.15/g-wrap/ffi-support.h
Examining data/g-wrap-1.9.15/g-wrap/core-runtime.h
Examining data/g-wrap-1.9.15/test/g-wrap-test-c-code.c
Examining data/g-wrap-1.9.15/test/g-wrap-test-c-code.h
Examining data/g-wrap-1.9.15/lib/asnprintf.c
Examining data/g-wrap-1.9.15/lib/stdint_.h
Examining data/g-wrap-1.9.15/lib/vasprintf.c
Examining data/g-wrap-1.9.15/lib/alloca_.h
Examining data/g-wrap-1.9.15/lib/printf-parse.h
Examining data/g-wrap-1.9.15/lib/dummy.c
Examining data/g-wrap-1.9.15/lib/printf-args.c
Examining data/g-wrap-1.9.15/lib/size_max.h
Examining data/g-wrap-1.9.15/lib/stdio_.h
Examining data/g-wrap-1.9.15/lib/wchar_.h
Examining data/g-wrap-1.9.15/lib/asprintf.c
Examining data/g-wrap-1.9.15/lib/vasnprintf.c
Examining data/g-wrap-1.9.15/lib/printf-parse.c
Examining data/g-wrap-1.9.15/lib/xsize.h
Examining data/g-wrap-1.9.15/lib/vasnprintf.h
Examining data/g-wrap-1.9.15/lib/printf-args.h
Examining data/g-wrap-1.9.15/lib/float+.h
FINAL RESULTS:
data/g-wrap-1.9.15/lib/stdio_.h:43:22: [4] (format) printf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
# define __printf__ printf
data/g-wrap-1.9.15/lib/stdio_.h:58:11: [4] (format) fprintf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
# define fprintf rpl_fprintf
data/g-wrap-1.9.15/lib/stdio_.h:59:12: [4] (format) fprintf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
extern int fprintf (FILE *fp, const char *format, ...)
data/g-wrap-1.9.15/lib/stdio_.h:63:9: [4] (format) fprintf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
# undef fprintf
data/g-wrap-1.9.15/lib/stdio_.h:64:10: [4] (format) fprintf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
# define fprintf \
data/g-wrap-1.9.15/lib/stdio_.h:68:6: [4] (format) fprintf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
fprintf)
data/g-wrap-1.9.15/lib/stdio_.h:73:11: [4] (format) vfprintf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
# define vfprintf rpl_vfprintf
data/g-wrap-1.9.15/lib/stdio_.h:74:12: [4] (format) vfprintf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
extern int vfprintf (FILE *fp, const char *format, va_list args)
data/g-wrap-1.9.15/lib/stdio_.h:78:9: [4] (format) vfprintf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
# undef vfprintf
data/g-wrap-1.9.15/lib/stdio_.h:79:10: [4] (format) vfprintf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
# define vfprintf(s,f,a) \
data/g-wrap-1.9.15/lib/stdio_.h:83:6: [4] (format) vfprintf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
vfprintf (s, f, a))
data/g-wrap-1.9.15/lib/stdio_.h:89:11: [4] (format) printf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
# define printf __printf__
data/g-wrap-1.9.15/lib/stdio_.h:90:12: [4] (format) printf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
extern int printf (const char *format, ...)
data/g-wrap-1.9.15/lib/stdio_.h:94:9: [4] (format) printf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
# undef printf
data/g-wrap-1.9.15/lib/stdio_.h:95:10: [4] (format) printf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
# define printf \
data/g-wrap-1.9.15/lib/stdio_.h:99:6: [4] (format) printf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
printf)
data/g-wrap-1.9.15/lib/stdio_.h:111:11: [4] (format) vprintf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
# define vprintf rpl_vprintf
data/g-wrap-1.9.15/lib/stdio_.h:112:12: [4] (format) vprintf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
extern int vprintf (const char *format, va_list args)
data/g-wrap-1.9.15/lib/stdio_.h:116:9: [4] (format) vprintf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
# undef vprintf
data/g-wrap-1.9.15/lib/stdio_.h:117:10: [4] (format) vprintf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
# define vprintf(f,a) \
data/g-wrap-1.9.15/lib/stdio_.h:121:6: [4] (format) vprintf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
vprintf (f, a))
data/g-wrap-1.9.15/lib/stdio_.h:126:11: [4] (format) snprintf:
If format strings can be influenced by an attacker, they can be exploited,
and note that sprintf variations do not always \0-terminate (CWE-134). Use
a constant for the format specification.
# define snprintf rpl_snprintf
data/g-wrap-1.9.15/lib/stdio_.h:129:12: [4] (format) snprintf:
If format strings can be influenced by an attacker, they can be exploited,
and note that sprintf variations do not always \0-terminate (CWE-134). Use
a constant for the format specification.
extern int snprintf (char *str, size_t size, const char *format, ...)
data/g-wrap-1.9.15/lib/stdio_.h:133:9: [4] (format) snprintf:
If format strings can be influenced by an attacker, they can be exploited,
and note that sprintf variations do not always \0-terminate (CWE-134). Use
a constant for the format specification.
# undef snprintf
data/g-wrap-1.9.15/lib/stdio_.h:134:10: [4] (format) snprintf:
If format strings can be influenced by an attacker, they can be exploited,
and note that sprintf variations do not always \0-terminate (CWE-134). Use
a constant for the format specification.
# define snprintf \
data/g-wrap-1.9.15/lib/stdio_.h:137:6: [4] (format) snprintf:
If format strings can be influenced by an attacker, they can be exploited,
and note that sprintf variations do not always \0-terminate (CWE-134). Use
a constant for the format specification.
snprintf)
data/g-wrap-1.9.15/lib/stdio_.h:142:11: [4] (format) vsnprintf:
If format strings can be influenced by an attacker, they can be exploited,
and note that sprintf variations do not always \0-terminate (CWE-134). Use
a constant for the format specification.
# define vsnprintf rpl_vsnprintf
data/g-wrap-1.9.15/lib/stdio_.h:145:12: [4] (format) vsnprintf:
If format strings can be influenced by an attacker, they can be exploited,
and note that sprintf variations do not always \0-terminate (CWE-134). Use
a constant for the format specification.
extern int vsnprintf (char *str, size_t size, const char *format, va_list args)
data/g-wrap-1.9.15/lib/stdio_.h:149:9: [4] (format) vsnprintf:
If format strings can be influenced by an attacker, they can be exploited,
and note that sprintf variations do not always \0-terminate (CWE-134). Use
a constant for the format specification.
# undef vsnprintf
data/g-wrap-1.9.15/lib/stdio_.h:150:10: [4] (format) vsnprintf:
If format strings can be influenced by an attacker, they can be exploited,
and note that sprintf variations do not always \0-terminate (CWE-134). Use
a constant for the format specification.
# define vsnprintf(b,s,f,a) \
data/g-wrap-1.9.15/lib/stdio_.h:153:6: [4] (format) vsnprintf:
If format strings can be influenced by an attacker, they can be exploited,
and note that sprintf variations do not always \0-terminate (CWE-134). Use
a constant for the format specification.
vsnprintf (b, s, f, a))
data/g-wrap-1.9.15/lib/stdio_.h:158:11: [4] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf.
# define sprintf rpl_sprintf
data/g-wrap-1.9.15/lib/stdio_.h:159:12: [4] (format) sprintf:
Potential format string problem (CWE-134). Make format string constant.
extern int sprintf (char *str, const char *format, ...)
data/g-wrap-1.9.15/lib/stdio_.h:163:9: [4] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf.
# undef sprintf
data/g-wrap-1.9.15/lib/stdio_.h:164:10: [4] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf.
# define sprintf \
data/g-wrap-1.9.15/lib/stdio_.h:168:6: [4] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf.
sprintf)
data/g-wrap-1.9.15/lib/stdio_.h:173:11: [4] (buffer) vsprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf.
# define vsprintf rpl_vsprintf
data/g-wrap-1.9.15/lib/stdio_.h:174:12: [4] (format) vsprintf:
Potential format string problem (CWE-134). Make format string constant.
extern int vsprintf (char *str, const char *format, va_list args)
data/g-wrap-1.9.15/lib/stdio_.h:178:9: [4] (buffer) vsprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf.
# undef vsprintf
data/g-wrap-1.9.15/lib/stdio_.h:179:10: [4] (format) vsprintf:
Potential format string problem (CWE-134). Make format string constant.
# define vsprintf(b,f,a) \
data/g-wrap-1.9.15/lib/stdio_.h:183:6: [4] (format) vsprintf:
Potential format string problem (CWE-134). Make format string constant.
vsprintf (b, f, a))
data/g-wrap-1.9.15/lib/vasnprintf.c:108:20: [4] (buffer) swprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf.
# define SNPRINTF swprintf
data/g-wrap-1.9.15/lib/vasnprintf.c:119:20: [4] (format) _snprintf:
If format strings can be influenced by an attacker, they can be exploited,
and note that sprintf variations do not always \0-terminate (CWE-134). Use
a constant for the format specification.
# define SNPRINTF _snprintf
data/g-wrap-1.9.15/lib/vasnprintf.c:122:20: [4] (format) snprintf:
If format strings can be influenced by an attacker, they can be exploited,
and note that sprintf variations do not always \0-terminate (CWE-134). Use
a constant for the format specification.
# define SNPRINTF snprintf
data/g-wrap-1.9.15/lib/vasnprintf.c:124:10: [4] (format) snprintf:
If format strings can be influenced by an attacker, they can be exploited,
and note that sprintf variations do not always \0-terminate (CWE-134). Use
a constant for the format specification.
# undef snprintf
data/g-wrap-1.9.15/lib/vasnprintf.c:128:8: [4] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf.
#undef sprintf
data/g-wrap-1.9.15/lib/vasnprintf.c:1167:12: [4] (format) sprintf:
Potential format string problem (CWE-134). Make format string constant.
count = sprintf (tmp, buf, arg); \
data/g-wrap-1.9.15/lib/vasnprintf.c:1170:12: [4] (format) sprintf:
Potential format string problem (CWE-134). Make format string constant.
count = sprintf (tmp, buf, prefixes[0], arg); \
data/g-wrap-1.9.15/lib/vasnprintf.c:1173:12: [4] (format) sprintf:
Potential format string problem (CWE-134). Make format string constant.
count = sprintf (tmp, buf, prefixes[0], prefixes[1],\
data/g-wrap-1.9.15/lib/vasnprintf.h:36:22: [4] (format) printf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
# define __printf__ printf
data/g-wrap-1.9.15/guile/examples/miscutils.c:34:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy (result, s1, len1);
data/g-wrap-1.9.15/guile/examples/miscutils.c:35:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy (result + len1, s2, len2 + 1);
data/g-wrap-1.9.15/guile/g-wrap/guile-compatibility.c:71:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy (result, SCM_STRING_CHARS (str), len);
data/g-wrap-1.9.15/guile/g-wrap/guile-compatibility.c:84:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy (buf, SCM_STRING_CHARS (str), len);
data/g-wrap-1.9.15/guile/g-wrap/guile-runtime.c:171:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buffer[32];
data/g-wrap-1.9.15/guile/g-wrap/guile-runtime.c:194:5: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf (buffer, "arg%d", i);
data/g-wrap-1.9.15/guile/g-wrap/guile-wct.c:164:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char endstr[64];
data/g-wrap-1.9.15/guile/g-wrap/guile-wct.c:309:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy (ptr_data->wcp_dependencies, wcps,
data/g-wrap-1.9.15/lib/vasnprintf.c:145:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char pointbuf[5];
data/g-wrap-1.9.15/lib/vasnprintf.c:146:3: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf (pointbuf, "%#.0f", 1.0);
data/g-wrap-1.9.15/lib/vasnprintf.c:251:4: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy (memory, result, length * sizeof (CHAR_T)); \
data/g-wrap-1.9.15/lib/vasnprintf.c:263:6: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy (result + length, cp, n * sizeof (CHAR_T));
data/g-wrap-1.9.15/lib/vasnprintf.c:570:10: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf (p, "%+d", exponent);
data/g-wrap-1.9.15/lib/vasnprintf.c:716:10: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf (p, "%+d", exponent);
data/g-wrap-1.9.15/lib/vasnprintf.c:777:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy (result + length, tmp, count * sizeof (CHAR_T));
data/g-wrap-1.9.15/lib/vasnprintf.c:1062:7: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy (p, dp->width_start, n * sizeof (CHAR_T));
data/g-wrap-1.9.15/lib/vasnprintf.c:1068:7: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy (p, dp->precision_start, n * sizeof (CHAR_T));
data/g-wrap-1.9.15/lib/vasnprintf.c:1382:7: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy (result + length, tmp, count * sizeof (CHAR_T));
data/g-wrap-1.9.15/test/g-wrap-test-c-code.c:73:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy (result + (i * len), str, len);
data/g-wrap-1.9.15/guile/examples/miscutils.c:30:14: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
int len1 = strlen (s1);
data/g-wrap-1.9.15/guile/examples/miscutils.c:31:14: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
int len2 = strlen (s2);
data/g-wrap-1.9.15/lib/vasnprintf.c:74:24: [1] (buffer) wcslen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
# define local_wcslen wcslen
data/g-wrap-1.9.15/lib/vasnprintf.c:1005:17: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
tmp_length = strlen (a.arg[dp->arg_index].a.a_string);
data/g-wrap-1.9.15/test/g-wrap-test-c-code.c:65:13: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
int len = strlen (str);
ANALYSIS SUMMARY:
Hits = 74
Lines analyzed = 6876 in approximately 0.30 seconds (22797 lines/second)
Physical Source Lines of Code (SLOC) = 4744
Hits@level = [0] 9 [1] 5 [2] 19 [3] 0 [4] 50 [5] 0
Hits@level+ = [0+] 83 [1+] 74 [2+] 69 [3+] 50 [4+] 50 [5+] 0
Hits/KSLOC@level+ = [0+] 17.4958 [1+] 15.5987 [2+] 14.5447 [3+] 10.5396 [4+] 10.5396 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.