Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/gmpc-plugins-11.8.16/gmpc-shout/src/plugin.c
Examining data/gmpc-plugins-11.8.16/gmpc-mmkeys/mmkeys.c
Examining data/gmpc-plugins-11.8.16/gmpc-awn/src/plugin.c
Examining data/gmpc-plugins-11.8.16/gmpc-avahi/src/plugin.c
Examining data/gmpc-plugins-11.8.16/gmpc-magnatune/src/plugin.c
Examining data/gmpc-plugins-11.8.16/gmpc-magnatune/src/magnatune.h
Examining data/gmpc-plugins-11.8.16/gmpc-magnatune/src/magnatune.c
Examining data/gmpc-plugins-11.8.16/gmpc-alarm/src/plugin.c
Examining data/gmpc-plugins-11.8.16/gmpc-alarm/src/gmpc-alarm.h
Examining data/gmpc-plugins-11.8.16/gmpc-albumview/src/plugin.c
Examining data/gmpc-plugins-11.8.16/gmpc-albumview/src/plugin.h
Examining data/gmpc-plugins-11.8.16/gmpc-lyrics/src/_leoslyrics.c
Examining data/gmpc-plugins-11.8.16/gmpc-lyrics/src/plugin.c
Examining data/gmpc-plugins-11.8.16/gmpc-lyrics/src/_lyrictracker.c
Examining data/gmpc-plugins-11.8.16/gmpc-lyrics/src/gmpc-lyrics.h
Examining data/gmpc-plugins-11.8.16/gmpc-wikipedia/src/plugin.c
Examining data/gmpc-plugins-11.8.16/gmpc-tagedit/src/plugin.c
Examining data/gmpc-plugins-11.8.16/gmpc-tagedit/src/tagedit.h
Examining data/gmpc-plugins-11.8.16/gmpc-jamendo/src/plugin.c
Examining data/gmpc-plugins-11.8.16/gmpc-jamendo/src/jamendo.h
Examining data/gmpc-plugins-11.8.16/gmpc-jamendo/src/jamendo.c
Examining data/gmpc-plugins-11.8.16/gmpc-lyricwiki/src/plugin.c
FINAL RESULTS:
data/gmpc-plugins-11.8.16/gmpc-wikipedia/src/plugin.c:104:2: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(new_url, wp);
data/gmpc-plugins-11.8.16/gmpc-wikipedia/src/plugin.c:105:2: [4] (buffer) strcat:
Does not check for buffer overflows when concatenating to destination
[MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
snprintf (warning: strncat is easily misused).
strcat(new_url, WP_SKINSTR);
data/gmpc-plugins-11.8.16/gmpc-avahi/src/plugin.c:159:9: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static char value[128];
data/gmpc-plugins-11.8.16/gmpc-avahi/src/plugin.c:281:4: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char a[AVAHI_ADDRESS_STR_MAX];
data/gmpc-plugins-11.8.16/gmpc-jamendo/src/jamendo.c:152:8: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static char gz_magic[2] = {0x1f, 0x8b};
data/gmpc-plugins-11.8.16/gmpc-jamendo/src/jamendo.c:346:37: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
genre = atoi(temp);
data/gmpc-plugins-11.8.16/gmpc-wikipedia/src/plugin.c:367:2: [2] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused). Risk is low because the source is a constant string.
strcpy(locale,"en");
data/gmpc-plugins-11.8.16/gmpc-albumview/src/plugin.c:469:28: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if(strlen(data3->tag) > 0)
data/gmpc-plugins-11.8.16/gmpc-albumview/src/plugin.c:560:29: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if(song->albumartist && strlen(song->albumartist) >0){
data/gmpc-plugins-11.8.16/gmpc-avahi/src/plugin.c:164:2: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy( value, tmpval, 128 );
data/gmpc-plugins-11.8.16/gmpc-lyrics/src/plugin.c:221:19: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if(hid && strlen((char *)hid) > 0)
data/gmpc-plugins-11.8.16/gmpc-magnatune/src/magnatune.c:41:16: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if(name && strlen(name) > 0)
data/gmpc-plugins-11.8.16/gmpc-magnatune/src/magnatune.c:47:20: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if(password && strlen(password) > 0)
data/gmpc-plugins-11.8.16/gmpc-magnatune/src/magnatune.c:55:19: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
int len = strlen(n);
data/gmpc-plugins-11.8.16/gmpc-magnatune/src/plugin.c:644:28: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
char *result = g_malloc0((strlen(name)+1+spaces*2)*sizeof(char));
data/gmpc-plugins-11.8.16/gmpc-magnatune/src/plugin.c:645:15: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
for(i=0; i < strlen(name);i++)
data/gmpc-plugins-11.8.16/gmpc-tagedit/src/plugin.c:237:29: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
&& entry_str && strlen(entry_str) > 0)
data/gmpc-plugins-11.8.16/gmpc-tagedit/src/plugin.c:273:28: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if(strlen(gtk_entry_get_text(GTK_ENTRY(entries[0]))) == 0)
data/gmpc-plugins-11.8.16/gmpc-tagedit/src/plugin.c:278:28: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if(strlen(gtk_entry_get_text(GTK_ENTRY(entries[1]))) == 0)
data/gmpc-plugins-11.8.16/gmpc-tagedit/src/plugin.c:283:28: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if(strlen(gtk_entry_get_text(GTK_ENTRY(entries[2]))) == 0)
data/gmpc-plugins-11.8.16/gmpc-tagedit/src/plugin.c:288:28: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if(strlen(gtk_entry_get_text(GTK_ENTRY(entries[3]))) == 0)
data/gmpc-plugins-11.8.16/gmpc-tagedit/src/plugin.c:671:29: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if((root == NULL || strlen(root) ==0) && browser_box)
data/gmpc-plugins-11.8.16/gmpc-wikipedia/src/plugin.c:103:19: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
new_url = malloc(strlen(wp) + strlen(WP_SKINSTR) + 1);
data/gmpc-plugins-11.8.16/gmpc-wikipedia/src/plugin.c:103:32: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
new_url = malloc(strlen(wp) + strlen(WP_SKINSTR) + 1);
data/gmpc-plugins-11.8.16/gmpc-wikipedia/src/plugin.c:151:46: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (g_regex_match_full(page_guess_re, txt, strlen(txt), 0, 0, NULL, NULL) &&
data/gmpc-plugins-11.8.16/gmpc-wikipedia/src/plugin.c:213:34: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
nstr = g_regex_replace(re, str, strlen(str), 0, "", 0, &error);
data/gmpc-plugins-11.8.16/gmpc-wikipedia/src/plugin.c:375:5: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy(locale,l,2);
ANALYSIS SUMMARY:
Hits = 27
Lines analyzed = 9552 in approximately 0.30 seconds (31513 lines/second)
Physical Source Lines of Code (SLOC) = 7453
Hits@level = [0] 40 [1] 20 [2] 5 [3] 0 [4] 2 [5] 0
Hits@level+ = [0+] 67 [1+] 27 [2+] 7 [3+] 2 [4+] 2 [5+] 0
Hits/KSLOC@level+ = [0+] 8.98967 [1+] 3.6227 [2+] 0.939219 [3+] 0.268348 [4+] 0.268348 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.