Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/getstream-20100616/crc32.h
Examining data/getstream-20100616/stream.c
Examining data/getstream-20100616/output_rtp.c
Examining data/getstream-20100616/simplebuffer.c
Examining data/getstream-20100616/pmt.c
Examining data/getstream-20100616/socket.c
Examining data/getstream-20100616/dvr.c
Examining data/getstream-20100616/libconf.h
Examining data/getstream-20100616/tsdecode.c
Examining data/getstream-20100616/fe.c
Examining data/getstream-20100616/input.c
Examining data/getstream-20100616/crc32.c
Examining data/getstream-20100616/pat.c
Examining data/getstream-20100616/getstream.c
Examining data/getstream-20100616/libconf.c
Examining data/getstream-20100616/psi.h
Examining data/getstream-20100616/logging.c
Examining data/getstream-20100616/sap.c
Examining data/getstream-20100616/output_udp.c
Examining data/getstream-20100616/output_pipe.c
Examining data/getstream-20100616/simplebuffer.h
Examining data/getstream-20100616/sap.h
Examining data/getstream-20100616/dmx.c
Examining data/getstream-20100616/output.c
Examining data/getstream-20100616/ringbuffer.c
Examining data/getstream-20100616/util.c
Examining data/getstream-20100616/socket.h
Examining data/getstream-20100616/psi.c
Examining data/getstream-20100616/config.c
Examining data/getstream-20100616/config.h
Examining data/getstream-20100616/getstream.h
Examining data/getstream-20100616/libhttp.c
Examining data/getstream-20100616/libhttp.h
Examining data/getstream-20100616/output.h
Examining data/getstream-20100616/output_http.c

FINAL RESULTS:

data/getstream-20100616/getstream.h:48:18: [4] (format) printf:
  If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification.
    #define dprintf printf
data/getstream-20100616/libhttp.c:22:18: [4] (format) printf:
  If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification.
    #define Dprintf printf
data/getstream-20100616/libhttp.c:257:13: [4] (format) vsprintf:
  Potential format string problem (CWE-134). Make format string constant.
    hc->hsize+=vsprintf(&hc->hdr[hc->hsize], fmt, ap);
data/getstream-20100616/libhttp.c:302:13: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
    hc->hsize+=sprintf(&hc->hdr[hc->hsize],
data/getstream-20100616/logging.c:27:2: [4] (format) vsnprintf:
  If format strings can be influenced by an attacker, they can be exploited, and note that sprintf variations do not always \0-terminate (CWE-134). Use a constant for the format specification.
    vsnprintf(logbuffer, sizeof(logbuffer), format, pvar);
data/getstream-20100616/sap.c:87:6: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
    sp+=sprintf(sp, "o=%s\r\n", sap->odata);
data/getstream-20100616/sap.c:89:7: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
    sp+=sprintf(sp, "s=%s\r\n", sap->output->stream->name);
data/getstream-20100616/sap.c:91:7: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
    sp+=sprintf(sp, "i=%s\r\n", sap->description);
data/getstream-20100616/sap.c:93:7: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
    sp+=sprintf(sp, "u=%s\r\n", sap->uri);
data/getstream-20100616/sap.c:98:7: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
    sp+=sprintf(sp, "e=%s\r\n", email);
data/getstream-20100616/sap.c:105:7: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120).
  Use sprintf_s, snprintf, or vsnprintf.
    sp+=sprintf(sp, "p=%s\r\n", phone);
data/getstream-20100616/sap.c:114:7: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
    sp+=sprintf(sp, "a=%s\r\n", attribute);
data/getstream-20100616/sap.c:117:6: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
    sp+=sprintf(sp, "m=%s\r\n", sap->mdata);
data/getstream-20100616/sap.c:118:6: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
    sp+=sprintf(sp, "c=%s\r\n", sap->cdata);
data/getstream-20100616/sap.c:121:7: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
    sp+=sprintf(sp, "a=x-plgroup:%s\r\n", sap->playgroup);
data/getstream-20100616/sap.c:207:4: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
    sprintf(cdata, "IN IP4 %s/%d",
data/getstream-20100616/sap.c:213:5: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
    sprintf(cdata, "IN IP4 %s/%d",
data/getstream-20100616/sap.c:220:5: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
    sprintf(cdata, "IN IP4 %s/%d",
data/getstream-20100616/sap.c:265:4: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
    sprintf(odata, "- %d %lu IN IP4 %s",
data/getstream-20100616/sap.c:272:5: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
    sprintf(odata, "IN IP4 %s",
data/getstream-20100616/sap.c:278:5: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
    sprintf(odata, "- %d %lu IN IP4 %s",
data/getstream-20100616/getstream.c:114:12: [3] (buffer) getopt:
  Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
    while((ch=getopt(argc, argv, "c:dt:")) != -1) {
data/getstream-20100616/output_rtp.c:233:24: [3] (random) random:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
    o->rtpssrc=(uint32_t) random();
data/getstream-20100616/config.c:487:6: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
    cfd=open(filename, O_RDONLY);
data/getstream-20100616/dmx.c:23:9: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    static char dmxname[128];
data/getstream-20100616/dmx.c:25:2: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
    sprintf(dmxname, "/dev/dvb/adapter%d/demux0", adapter);
data/getstream-20100616/dmx.c:78:5: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
    fd=open(dmxname(a->no), O_RDWR);
data/getstream-20100616/dmx.c:111:2: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
    memcpy(&sctFilterParams.filter, df, sizeof(struct dmx_filter));
data/getstream-20100616/dvr.c:34:9: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    static char dvrname[128];
data/getstream-20100616/dvr.c:36:2: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
    sprintf(dvrname, "/dev/dvb/adapter%d/dvr0", adapter);
data/getstream-20100616/dvr.c:305:8: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
    dvrfd=open(dvrname(a->no), O_RDONLY|O_NONBLOCK);
data/getstream-20100616/fe.c:100:9: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    static char str[256];
data/getstream-20100616/fe.c:105:3: [2] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant string.
    strcat(str, "HAS_SIGNAL ");
data/getstream-20100616/fe.c:107:3: [2] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant string.
    strcat(str, "HAS_CARRIER ");
data/getstream-20100616/fe.c:109:3: [2] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant string.
    strcat(str, "HAS_VITERBI ");
data/getstream-20100616/fe.c:111:3: [2] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant string.
    strcat(str, "HAS_SYNC ");
data/getstream-20100616/fe.c:113:3: [2] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant string.
    strcat(str, "HAS_LOCK ");
data/getstream-20100616/fe.c:115:3: [2] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant string.
    strcat(str, "TIMEDOUT ");
data/getstream-20100616/fe.c:117:3: [2] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant string.
    strcat(str, "REINIT ");
data/getstream-20100616/fe.c:634:2: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char fename[128];
data/getstream-20100616/fe.c:636:2: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
    sprintf(fename, "/dev/dvb/adapter%d/frontend0", adapter->no);
data/getstream-20100616/fe.c:638:17: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
    adapter->fe.fd=open(fename, O_RDWR|O_NONBLOCK);
data/getstream-20100616/libconf.c:131:2: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char tb[256];
data/getstream-20100616/libhttp.c:115:2: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char *elem[10];
data/getstream-20100616/libhttp.c:271:13: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
    hc->hsize+=sprintf(&hc->hdr[hc->hsize], "\r\n");
data/getstream-20100616/libhttp.c:304:13: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
    hc->hsize+=sprintf(&hc->hdr[hc->hsize],
data/getstream-20100616/libhttp.c:522:2: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(&hc->sin, &sin, sizeof(struct sockaddr_in));
data/getstream-20100616/libhttp.h:74:2: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char hdr[MAX_HEADER_SIZE];
data/getstream-20100616/logging.c:17:2: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char logbuffer[MAXPATHLEN];
data/getstream-20100616/logging.c:18:2: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char timedate[64];
data/getstream-20100616/output_pipe.c:32:13: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
    o->pipe.fd=open(o->pipe.filename, O_NONBLOCK|O_WRONLY);
data/getstream-20100616/psi.c:65:3: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(&section->data[section->valid], &ts[off], copylen);
data/getstream-20100616/psi.c:72:2: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(&section->data[section->valid], &ts[off], copylen);
data/getstream-20100616/psi.c:108:2: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(section->data, payloadptr, copylen);
data/getstream-20100616/psi.c:217:2: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(new, section, sizeof(struct psisec_s));
data/getstream-20100616/psi.c:224:2: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(&section->data, data, len);
data/getstream-20100616/psi.c:261:3: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(&ts[tspayloadoff], &section->data[plen-left], copylen);
data/getstream-20100616/ringbuffer.c:89:2: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(dptr, atom, atoms*rb->atomsize);
data/getstream-20100616/ringbuffer.c:126:2: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char sascii[17];
data/getstream-20100616/ringbuffer.c:127:2: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char linebuffer[16*4+1];
data/getstream-20100616/ringbuffer.c:134:4: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120).
  Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
    sprintf(linebuffer, "%04x ", i);
data/getstream-20100616/ringbuffer.c:136:3: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
    sprintf(&linebuffer[(i%16)*3], "%02x ", ch);
data/getstream-20100616/ringbuffer.c:149:4: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
    sprintf(&linebuffer[(i%16)*3], " ");
data/getstream-20100616/sap.c:59:8: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    static char sappkt[SAP_MAX_SIZE];
data/getstream-20100616/sap.c:86:6: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
    sp+=sprintf(sp, "v=0\r\n");
data/getstream-20100616/sap.c:109:6: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
    sp+=sprintf(sp, "t=0 0\r\n");
data/getstream-20100616/sap.c:110:6: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
    sp+=sprintf(sp, "a=type:broadcast\r\n");
data/getstream-20100616/sap.c:196:2: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char cdata[128];
data/getstream-20100616/sap.c:217:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char hname[80];
data/getstream-20100616/sap.c:235:2: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char mdata[128];
data/getstream-20100616/sap.c:242:4: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
    sprintf(mdata, "video %d udp 33",
data/getstream-20100616/sap.c:246:4: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
    sprintf(mdata, "video %d RTP/AVP 33",
data/getstream-20100616/sap.c:250:4: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
    sprintf(mdata, "video %d RTP/AVP 33",
data/getstream-20100616/sap.c:260:2: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char odata[128];
data/getstream-20100616/sap.c:275:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char hname[80];
data/getstream-20100616/simplebuffer.c:57:2: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(&sb->buffer[sb->fill*sb->atomsize+sb->headroom], atom, copy*sb->atomsize);
data/getstream-20100616/tsdecode.c:26:2: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char sascii[17];
data/getstream-20100616/tsdecode.c:27:2: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char linebuffer[16*4+1];
data/getstream-20100616/tsdecode.c:34:4: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
    sprintf(linebuffer, "%04x ", i);
data/getstream-20100616/tsdecode.c:36:3: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
    sprintf(&linebuffer[(i%16)*3], "%02x ", ch);
data/getstream-20100616/tsdecode.c:49:4: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
    sprintf(&linebuffer[(i%16)*3], " ");
data/getstream-20100616/tsdecode.c:62:2: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char line[128];
data/getstream-20100616/util.c:18:2: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char sascii[17];
data/getstream-20100616/util.c:19:2: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char linebuffer[16*4+1];
data/getstream-20100616/util.c:30:4: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
    sprintf(linebuffer, "%04x ", i);
data/getstream-20100616/util.c:32:3: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
    sprintf(&linebuffer[(i%16)*3], "%02x ", ch);
data/getstream-20100616/util.c:45:4: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
    sprintf(&linebuffer[(i%16)*3], " ");
data/getstream-20100616/config.c:212:12: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
    int i, l=strlen(val->string);
data/getstream-20100616/dvr.c:182:7: [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
    len=read(fd, db, adapter->dvr.buffer.size*TS_PACKET_SIZE);
data/getstream-20100616/fe.c:120:6: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
    if (strlen(str) > 0)
data/getstream-20100616/fe.c:121:7: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
    str[strlen(str)-1]=0x0;
data/getstream-20100616/libhttp.c:201:5: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
    strlen(http_static_msg_404));
data/getstream-20100616/tsdecode.c:196:7: [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
    len=read(fileno(stdin), &tsbuf, toread);

ANALYSIS SUMMARY:

Hits = 93
Lines analyzed = 7443 in approximately 0.21 seconds (35559 lines/second)
Physical Source Lines of Code (SLOC) = 5052
Hits@level = [0] 60 [1] 6 [2] 64 [3] 2 [4] 21 [5] 0
Hits@level+ = [0+] 153 [1+] 93 [2+] 87 [3+] 23 [4+] 21 [5+] 0
Hits/KSLOC@level+ = [0+] 30.285 [1+] 18.4086 [2+] 17.2209 [3+] 4.55265 [4+] 4.15677 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.