Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/iniparser-4.1/example/iniexample.c
Examining data/iniparser-4.1/example/parse.c
Examining data/iniparser-4.1/src/dictionary.c
Examining data/iniparser-4.1/src/dictionary.h
Examining data/iniparser-4.1/src/iniparser.c
Examining data/iniparser-4.1/src/iniparser.h
Examining data/iniparser-4.1/test/CuTest.c
Examining data/iniparser-4.1/test/CuTest.h
Examining data/iniparser-4.1/test/test_dictionary.c
Examining data/iniparser-4.1/test/test_iniparser.c

FINAL RESULTS:

data/iniparser-4.1/src/iniparser.c:121:9: [4] (format) vfprintf:
  If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification.
  ret = vfprintf(stderr, format, argptr);

data/iniparser-4.1/src/iniparser.c:307:5: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf(keym, "%s:", s);

data/iniparser-4.1/src/iniparser.c:791:13: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf(tmp, "%s:%s", section, key);

data/iniparser-4.1/test/CuTest.c:24:2: [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(newStr, old);

data/iniparser-4.1/test/CuTest.c:75:2: [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
  strcat(str->buffer, text);

data/iniparser-4.1/test/CuTest.c:91:2: [4] (format) vsprintf:
  Potential format string problem (CWE-134). Make format string constant.
  vsprintf(buf, format, argp);

data/iniparser-4.1/test/CuTest.c:152:2: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf(buf, "%s:%d: ", file, line);

data/iniparser-4.1/test/test_dictionary.c:80:13: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf(key_name, "%s:key%d", sec_name, j);

data/iniparser-4.1/test/test_dictionary.c:90:13: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf(key_name, "%s:key%d", sec_name, j);

data/iniparser-4.1/test/test_dictionary.c:155:13: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf(key_name, "%s:key%d", sec_name, j);

data/iniparser-4.1/test/test_dictionary.c:165:13: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf(key_name, "%s:key%d", sec_name, j);

data/iniparser-4.1/test/test_dictionary.c:226:13: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf(key_name, "%s:key%d", sec_name, j);

data/iniparser-4.1/test/test_iniparser.c:38:13: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf(key_name, "%s:key%d", sec_name, j);

data/iniparser-4.1/test/test_iniparser.c:107:9: [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(stripped, strings_empty[i]);

data/iniparser-4.1/test/test_iniparser.c:109:9: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf(error_msg, "Bad stripping : strstrip(\"%s\") ==> \"%s\"",

data/iniparser-4.1/test/test_iniparser.c:116:9: [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(stripped, strings_test[i]);

data/iniparser-4.1/test/test_iniparser.c:118:9: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf(error_msg, "Bad stripping : strstrip(\"%s\") ==> \"%s\"",

data/iniparser-4.1/test/test_iniparser.c:127:5: [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(stripped, test_with_spaces);

data/iniparser-4.1/test/test_iniparser.c:608:9: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf(ini_path, "%s/%s", GOOD_INI_PATH, curr->d_name);

data/iniparser-4.1/test/test_iniparser.c:622:9: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf(ini_path, "%s/%s", BAD_INI_PATH, curr->d_name);

data/iniparser-4.1/test/test_iniparser.c:672:11: [4] (format) vsprintf:
  Potential format string problem (CWE-134). Make format string constant.
  ret = vsprintf(_last_error, format, argptr);

data/iniparser-4.1/example/iniexample.c:28:14: [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if ((ini=fopen("example.ini", "w"))==NULL) {

data/iniparser-4.1/src/dictionary.c:56:9: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(t, s, len) ;

data/iniparser-4.1/src/dictionary.c:88:5: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(new_val, d->val, d->size * sizeof(char *));

data/iniparser-4.1/src/dictionary.c:89:5: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(new_key, d->key, d->size * sizeof(char *));

data/iniparser-4.1/src/dictionary.c:90:5: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(new_hash, d->hash, d->size * sizeof(unsigned));

data/iniparser-4.1/src/iniparser.c:79:9: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(t, s, len) ;

data/iniparser-4.1/src/iniparser.c:299:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char keym[ASCIILINESZ+1];

data/iniparser-4.1/src/iniparser.c:333:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char keym[ASCIILINESZ+1];

data/iniparser-4.1/src/iniparser.c:375:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char keym[ASCIILINESZ+1];

data/iniparser-4.1/src/iniparser.c:417:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char tmp_str[ASCIILINESZ+1];

data/iniparser-4.1/src/iniparser.c:603:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char tmp_str[ASCIILINESZ+1];

data/iniparser-4.1/src/iniparser.c:619:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char tmp_str[ASCIILINESZ+1];

data/iniparser-4.1/src/iniparser.c:718:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char line [ASCIILINESZ+1] ;

data/iniparser-4.1/src/iniparser.c:719:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char section [ASCIILINESZ+1] ;

data/iniparser-4.1/src/iniparser.c:720:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char key [ASCIILINESZ+1] ;

data/iniparser-4.1/src/iniparser.c:721:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char tmp [(ASCIILINESZ * 2) + 1] ;

data/iniparser-4.1/src/iniparser.c:722:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char val [ASCIILINESZ+1] ;

data/iniparser-4.1/src/iniparser.c:732:13: [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if ((in=fopen(ininame, "r"))==NULL) {

data/iniparser-4.1/test/CuTest.c:80:2: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char text[2];

data/iniparser-4.1/test/CuTest.c:89:2: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf[HUGE_STRING_LEN];

data/iniparser-4.1/test/CuTest.c:105:2: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(str->buffer + pos, text, length);

data/iniparser-4.1/test/CuTest.c:150:2: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf[HUGE_STRING_LEN];

data/iniparser-4.1/test/CuTest.c:208:2: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf[STRING_MAX];

data/iniparser-4.1/test/CuTest.c:210:2: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(buf, "expected <%d> but was <%d>", expected, actual);

data/iniparser-4.1/test/CuTest.c:217:2: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf[STRING_MAX];

data/iniparser-4.1/test/CuTest.c:219:2: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(buf, "expected <%ld> but was <%ld>", expected, actual);

data/iniparser-4.1/test/CuTest.c:226:2: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf[STRING_MAX];

data/iniparser-4.1/test/CuTest.c:228:2: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(buf, "expected <%f> but was <%f>", expected, actual);

data/iniparser-4.1/test/CuTest.c:236:2: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf[STRING_MAX];

data/iniparser-4.1/test/CuTest.c:238:2: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(buf, "expected pointer <0x%p> but was <0x%p>", expected, actual);

data/iniparser-4.1/test/test_dictionary.c:67:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char sec_name[32];

data/iniparser-4.1/test/test_dictionary.c:68:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char key_name[64];

data/iniparser-4.1/test/test_dictionary.c:77:9: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(sec_name, "sec%d", i);

data/iniparser-4.1/test/test_dictionary.c:88:9: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(sec_name, "sec%d", i);

data/iniparser-4.1/test/test_dictionary.c:107:10: [2] (tmpfile) tmpfile:
  Function tmpfile() has a security flaw on some systems (e.g., older System V systems) (CWE-377).
  fd = tmpfile();

data/iniparser-4.1/test/test_dictionary.c:137:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char sec_name[32];

data/iniparser-4.1/test/test_dictionary.c:138:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char key_name[64];

data/iniparser-4.1/test/test_dictionary.c:152:9: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(sec_name, "sec%d", i);

data/iniparser-4.1/test/test_dictionary.c:162:9: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(sec_name, "sec%d", i);

data/iniparser-4.1/test/test_dictionary.c:192:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char sec_name[32];

data/iniparser-4.1/test/test_dictionary.c:193:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char key_name[64];

data/iniparser-4.1/test/test_dictionary.c:223:9: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(sec_name, "sec%d", i);

data/iniparser-4.1/test/test_iniparser.c:24:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char sec_name[32];

data/iniparser-4.1/test/test_iniparser.c:25:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char key_name[64];

data/iniparser-4.1/test/test_iniparser.c:26:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char key_value[32];

data/iniparser-4.1/test/test_iniparser.c:34:9: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(sec_name, "sec%d", i);

data/iniparser-4.1/test/test_iniparser.c:39:13: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(key_value, "value-%d/%d", i, j);

data/iniparser-4.1/test/test_iniparser.c:49:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char out_buffer[128];

data/iniparser-4.1/test/test_iniparser.c:72:5: [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string.
  strcpy(out_buffer, "OVERWRITE ME !");

data/iniparser-4.1/test/test_iniparser.c:98:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char stripped[ASCIILINESZ+1];

data/iniparser-4.1/test/test_iniparser.c:99:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char error_msg[128];

data/iniparser-4.1/test/test_iniparser.c:135:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char sec_name[32];

data/iniparser-4.1/test/test_iniparser.c:152:9: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(sec_name, "sec%d", i);

data/iniparser-4.1/test/test_iniparser.c:167:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char sec_name[32];

data/iniparser-4.1/test/test_iniparser.c:180:9: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(sec_name, "sec%d", i);

data/iniparser-4.1/test/test_iniparser.c:188:9: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(sec_name, "sec%d", i);

data/iniparser-4.1/test/test_iniparser.c:197:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char key_name[64];

data/iniparser-4.1/test/test_iniparser.c:200:11: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  const char * keys[10]; /* At most 10 elements per section */

data/iniparser-4.1/test/test_iniparser.c:222:9: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(key_name, "sec42:key%d", i);

data/iniparser-4.1/test/test_iniparser.c:238:9: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(key_name, "sec99:key%d", i);

data/iniparser-4.1/test/test_iniparser.c:246:9: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(key_name, "sec0:key%d", i + 3);

data/iniparser-4.1/test/test_iniparser.c:281:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char key_name[64];

data/iniparser-4.1/test/test_iniparser.c:317:9: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(key_name, "int:value%d", i);

data/iniparser-4.1/test/test_iniparser.c:321:9: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(key_name, "int:value%d", i);

data/iniparser-4.1/test/test_iniparser.c:330:9: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(key_name, "int:bad%d", i);

data/iniparser-4.1/test/test_iniparser.c:334:9: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(key_name, "int:bad%d", i);

data/iniparser-4.1/test/test_iniparser.c:344:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char key_name[64];

data/iniparser-4.1/test/test_iniparser.c:380:9: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(key_name, "longint:value%d", i);

data/iniparser-4.1/test/test_iniparser.c:384:9: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(key_name, "longint:value%d", i);

data/iniparser-4.1/test/test_iniparser.c:393:9: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(key_name, "longint:bad%d", i);

data/iniparser-4.1/test/test_iniparser.c:397:9: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(key_name, "longint:bad%d", i);

data/iniparser-4.1/test/test_iniparser.c:447:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char key_name[64];

data/iniparser-4.1/test/test_iniparser.c:486:9: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(key_name, "bool:true%d", i);

data/iniparser-4.1/test/test_iniparser.c:490:9: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(key_name, "bool:false%d", i);

data/iniparser-4.1/test/test_iniparser.c:495:9: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(key_name, "bool:true%d", i);

data/iniparser-4.1/test/test_iniparser.c:499:9: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(key_name, "bool:false%d", i);

data/iniparser-4.1/test/test_iniparser.c:518:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char section [ASCIILINESZ+1] ;

data/iniparser-4.1/test/test_iniparser.c:519:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char key [ASCIILINESZ+1] ;

data/iniparser-4.1/test/test_iniparser.c:520:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char val [ASCIILINESZ+1] ;

data/iniparser-4.1/test/test_iniparser.c:598:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char ini_path[256];

data/iniparser-4.1/test/test_iniparser.c:666:8: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char _last_error[1024];

data/iniparser-4.1/src/dictionary.c:53:11: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  len = strlen(s) + 1 ;

data/iniparser-4.1/src/dictionary.c:127:11: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  len = strlen(key);

data/iniparser-4.1/src/iniparser.c:76:11: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  len = strlen(s) + 1 ;

data/iniparser-4.1/src/iniparser.c:98:16: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  last = s + strlen(s);

data/iniparser-4.1/src/iniparser.c:305:20: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  seclen = (int)strlen(s);

data/iniparser-4.1/src/iniparser.c:341:20: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  seclen = (int)strlen(s);

data/iniparser-4.1/src/iniparser.c:380:20: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  seclen = (int)strlen(s);

data/iniparser-4.1/src/iniparser.c:751:20: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  len = (int)strlen(line)-1;

data/iniparser-4.1/test/CuTest.c:22:12: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  int len = strlen(old);

data/iniparser-4.1/test/CuTest.c:71:11: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  length = strlen(text);

data/iniparser-4.1/test/CuTest.c:98:15: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  int length = strlen(text);

data/iniparser-4.1/test/test_iniparser.c:122:5: [1] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant character.
  strcpy(stripped, ".");

ANALYSIS SUMMARY:

Hits = 114
Lines analyzed = 3279 in approximately 0.17 seconds (18807 lines/second)
Physical Source Lines of Code (SLOC) = 1853
Hits@level = [0]  29 [1]  12 [2]  81 [3]   0 [4]  21 [5]   0
Hits@level+ = [0+] 143 [1+] 114 [2+] 102 [3+]  21 [4+]  21 [5+]   0
Hits/KSLOC@level+ = [0+] 77.1722 [1+] 61.5219 [2+] 55.0459 [3+] 11.333 [4+] 11.333 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.