Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/jigit-1.22/md5.c
Examining data/jigit-1.22/jigdump.c
Examining data/jigit-1.22/mkimage.c
Examining data/jigit-1.22/endian.h
Examining data/jigit-1.22/jig-base64.h
Examining data/jigit-1.22/rsync.c
Examining data/jigit-1.22/jig-base64.c
Examining data/jigit-1.22/jigdo.h
Examining data/jigit-1.22/uncompress.c
Examining data/jigit-1.22/endian.c
Examining data/jigit-1.22/jigsum-sha256.c
Examining data/jigit-1.22/jigsum.c
Examining data/jigit-1.22/extract-data.c
Examining data/jigit-1.22/md5.h
Examining data/jigit-1.22/parallel-sums.c
Examining data/jigit-1.22/libjte/sha512.h
Examining data/jigit-1.22/libjte/test/demo.c
Examining data/jigit-1.22/libjte/md5.c
Examining data/jigit-1.22/libjte/libjte.h
Examining data/jigit-1.22/libjte/jte.h
Examining data/jigit-1.22/libjte/sha256.c
Examining data/jigit-1.22/libjte/rsync.h
Examining data/jigit-1.22/libjte/sha256.h
Examining data/jigit-1.22/libjte/rsync.c
Examining data/jigit-1.22/libjte/checksum.c
Examining data/jigit-1.22/libjte/sha512.c
Examining data/jigit-1.22/libjte/libjte_private.h
Examining data/jigit-1.22/libjte/checksum.h
Examining data/jigit-1.22/libjte/jte.c
Examining data/jigit-1.22/libjte/endian.c
Examining data/jigit-1.22/libjte/libjte.c
Examining data/jigit-1.22/libjte/sha1.h
Examining data/jigit-1.22/libjte/sha1.c
Examining data/jigit-1.22/libjte/md5.h
Examining data/jigit-1.22/libjte/endianconv.h
FINAL RESULTS:
data/jigit-1.22/jigdump.c:270:11: [4] (buffer) sscanf:
The scanf() family's %s operation, without a limit specification, permits
buffer overflows (CWE-120, CWE-20). Specify a limit to %s, or use a
different input function. If the scanf format is influenceable by an
attacker, it's exploitable.
ret = sscanf((char *)buf, HEADER_STRING" %s %s", format_version, generator);
data/jigit-1.22/libjte/checksum.c:678:9: [4] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf.
sprintf(buf, "%s %s", info->prog, filename);
data/jigit-1.22/libjte/checksum.c:679:9: [4] (shell) system:
This causes a new program to execute and is difficult to use safely
(CWE-78). try using a library call that implements the same functionality
if available.
system(buf);
data/jigit-1.22/libjte/jte.c:449:13: [4] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf.
sprintf(new_name, "%s:%s", entry->to, &filename[strlen(entry->from)]);
data/jigit-1.22/libjte/jte.c:508:14: [4] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf.
i += sprintf(p, "JigsawDownload template %s libjte-%d.%d.%d \r\n",
data/jigit-1.22/libjte/jte.c:512:14: [4] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf.
i += sprintf(p, "JigsawDownload template %s libjte-%d.%d.%d \r\n",
data/jigit-1.22/libjte/jte.c:517:10: [4] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf.
i += sprintf(p, "%s \r\n", JTE_COMMENT);
data/jigit-1.22/libjte/jte.c:1412:9: [4] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf.
sprintf(o->message_buffer, "cannot open '%s': (%d)",
data/jigit-1.22/libjte/jte.c:1415:9: [4] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf.
sprintf(o->message_buffer, "cannot open '%s': %s",
data/jigit-1.22/libjte/jte.c:1430:13: [4] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf.
sprintf(o->message_buffer,
data/jigit-1.22/libjte/libjte.c:194:13: [4] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf.
sprintf(o->message_buffer,
data/jigit-1.22/libjte/libjte.c:262:9: [4] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf.
sprintf(o->message_buffer, "Invalid checksum algorithm name in '%s'",
data/jigit-1.22/libjte/libjte.c:457:9: [4] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf.
sprintf(o->message_buffer, "Attempted to call libjte_write_match_record() after choosing checksum algorithm '%s'",
data/jigit-1.22/libjte/libjte.c:489:9: [4] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf.
sprintf(o->message_buffer, "Attempted to call libjte_decide_file_jigdo() after choosing checksum algorithm '%s'",
data/jigit-1.22/mkimage.c:284:13: [4] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf.
sprintf(path, "%s/%s", entry->mirror_path, jigdo_name);
data/jigit-1.22/jigsum-sha256.c:242:13: [3] (buffer) getopt:
Some older implementations do not protect against internal buffer overflows
(CWE-120, CWE-20). Check implementation on installation, or limit the size
of all string inputs.
c = getopt(argc, argv, "cv");
data/jigit-1.22/jigsum.c:241:13: [3] (buffer) getopt:
Some older implementations do not protect against internal buffer overflows
(CWE-120, CWE-20). Check implementation on installation, or limit the size
of all string inputs.
c = getopt(argc, argv, "cv");
data/jigit-1.22/mkimage.c:1336:13: [3] (buffer) getopt:
Some older implementations do not protect against internal buffer overflows
(CWE-120, CWE-20). Check implementation on installation, or limit the size
of all string inputs.
c = getopt(argc, argv, ":ql:o:j:t:f:F:m:M:h?s:e:zvO");
data/jigit-1.22/parallel-sums.c:212:13: [3] (buffer) getopt_long:
Some older implementations do not protect against internal buffer overflows
(CWE-120, CWE-20). Check implementation on installation, or limit the size
of all string inputs.
c = getopt_long(argc, argv, "", opts, &option_index);
data/jigit-1.22/extract-data.c:35:15: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
in_file = fopen(in_filename, "rb");
data/jigit-1.22/extract-data.c:42:16: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
out_file = fopen(out_filename, "wb");
data/jigit-1.22/jigdump.c:266:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char format_version[BUF_SIZE] = {0};
data/jigit-1.22/jigdump.c:267:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char generator[BUF_SIZE] = {0};
data/jigit-1.22/jigdump.c:323:10: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
fd = open(filename, O_RDONLY);
data/jigit-1.22/jigsum-sha256.c:45:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[BUF_SIZE];
data/jigit-1.22/jigsum-sha256.c:46:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char file_sha256[CKSUM_BYTES] = {0};
data/jigit-1.22/jigsum-sha256.c:61:16: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
file = fopen(filename, "rb");
data/jigit-1.22/jigsum-sha256.c:133:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(sha256, base64_sha256, BASE64_CKSUM_BYTES + 1);
data/jigit-1.22/jigsum-sha256.c:149:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char base64_sha256[BASE64_CKSUM_BYTES + 1] = {0};
data/jigit-1.22/jigsum-sha256.c:157:16: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
file = fopen(filename, "rb");
data/jigit-1.22/jigsum-sha256.c:234:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char base64_sha256[BASE64_CKSUM_BYTES];
data/jigit-1.22/jigsum.c:44:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[BUF_SIZE];
data/jigit-1.22/jigsum.c:45:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char file_md5[CKSUM_BYTES] = {0};
data/jigit-1.22/jigsum.c:60:16: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
file = fopen(filename, "rb");
data/jigit-1.22/jigsum.c:132:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(md5, base64_md5, BASE64_CKSUM_BYTES + 1);
data/jigit-1.22/jigsum.c:148:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char base64_md5[BASE64_CKSUM_BYTES + 1] = {0};
data/jigit-1.22/jigsum.c:156:16: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
file = fopen(filename, "rb");
data/jigit-1.22/jigsum.c:233:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char base64_md5[BASE64_CKSUM_BYTES];
data/jigit-1.22/libjte/checksum.c:64:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(digest, sha1_read(context), 20);
data/jigit-1.22/libjte/checksum.c:193:14: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
p += sprintf(p, "%2.2x", buf[i]);
data/jigit-1.22/libjte/checksum.c:449:13: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(digest, c->algo[which].digest, algorithms[which].digest_size);
data/jigit-1.22/libjte/checksum.c:533:2: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buffer[32768];
data/jigit-1.22/libjte/checksum.c:546:14: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
infile = fopen(filename, "rb");
data/jigit-1.22/libjte/checksum.c:615:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[1024];
data/jigit-1.22/libjte/checksum.c:629:10: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
fd = open(filename, O_RDONLY);
data/jigit-1.22/libjte/checksum.c:665:18: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char r[64];
data/jigit-1.22/libjte/jte.c:109:5: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(o->message_buffer, "Out of memory for %.f new bytes",
data/jigit-1.22/libjte/jte.c:239:13: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(o->message_buffer,
data/jigit-1.22/libjte/jte.c:283:13: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(o->message_buffer,
data/jigit-1.22/libjte/jte.c:294:13: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(o->message_buffer,
data/jigit-1.22/libjte/jte.c:323:25: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(o->message_buffer,
data/jigit-1.22/libjte/jte.c:395:9: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(o->message_buffer,
data/jigit-1.22/libjte/jte.c:443:17: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(o->message_buffer,
data/jigit-1.22/libjte/jte.c:476:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[2048];
data/jigit-1.22/libjte/jte.c:483:9: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(o->message_buffer,
data/jigit-1.22/libjte/jte.c:500:9: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(o->message_buffer,
data/jigit-1.22/libjte/jte.c:520:10: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
i += sprintf(p, "\r\n");
data/jigit-1.22/libjte/jte.c:542:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(new->checksum, checksum, check_algos[o->checksum_algo].raw_bytes);
data/jigit-1.22/libjte/jte.c:581:39: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static uint64_t parse_number(unsigned char in[12])
data/jigit-1.22/libjte/jte.c:609:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char buf[1024];
data/jigit-1.22/libjte/jte.c:624:13: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(o->message_buffer, "Ignoring call with checksum list file '%1.1024s'",
data/jigit-1.22/libjte/jte.c:634:9: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(o->message_buffer, "cannot allocate memory to read from checksum list file '%1.1024s'",
data/jigit-1.22/libjte/jte.c:642:21: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
checksum_file = fopen(o->jchecksum_list, "rb");
data/jigit-1.22/libjte/jte.c:645:9: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(o->message_buffer, "cannot open checksum list file '%1.1024s'",
data/jigit-1.22/libjte/jte.c:659:9: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(o->message_buffer, "cannot read from checksum list file '%1.1024s'",
data/jigit-1.22/libjte/jte.c:681:9: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(o->message_buffer, "invalid checksum list file '%1.1024s' - wrong checksum type?",
data/jigit-1.22/libjte/jte.c:702:13: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(o->message_buffer, "cannot parse checksum file '%1.1024s'",
data/jigit-1.22/libjte/jte.c:715:13: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(o->message_buffer, "cannot add checksum entry to list from file '%1.1024s', error %d",
data/jigit-1.22/libjte/jte.c:726:9: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(o->message_buffer,
data/jigit-1.22/libjte/jte.c:750:9: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(o->message_buffer, "cannot allocate iso checksum contexts");
data/jigit-1.22/libjte/jte.c:778:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char comp_size_out[6];
data/jigit-1.22/libjte/jte.c:779:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char uncomp_size_out[6];
data/jigit-1.22/libjte/jte.c:872:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char comp_size_out[6];
data/jigit-1.22/libjte/jte.c:873:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char uncomp_size_out[6];
data/jigit-1.22/libjte/jte.c:979:20: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(o->message_buffer,
data/jigit-1.22/libjte/jte.c:1015:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&(o->uncomp_buf[o->uncomp_buf_used]), buffer, size);
data/jigit-1.22/libjte/jte.c:1026:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char out_len[6];
data/jigit-1.22/libjte/jte.c:1139:9: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(o->message_buffer,
data/jigit-1.22/libjte/jte.c:1152:14: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
p += sprintf(p, "%c", b64_enc[(value >> bits) & 63U]);
data/jigit-1.22/libjte/jte.c:1155:18: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
p += sprintf(p, "%c", b64_enc[(value >> bits) & 63U]);
data/jigit-1.22/libjte/jte.c:1161:14: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
p += sprintf(p, "%c", b64_enc[value & 63U]);
data/jigit-1.22/libjte/jte.c:1167:8: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static char *uint64_to_dec(uint64_t num, char dec[40])
data/jigit-1.22/libjte/jte.c:1167:42: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static char *uint64_to_dec(uint64_t num, char dec[40])
data/jigit-1.22/libjte/jte.c:1196:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char *b64, dec[40];
data/jigit-1.22/libjte/jte.c:1201:9: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(o->message_buffer,
data/jigit-1.22/libjte/jte.c:1349:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(new_entry->data.file.checksum, checksum, check_algos[o->checksum_algo].raw_bytes);
data/jigit-1.22/libjte/jte.c:1401:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[32768];
data/jigit-1.22/libjte/jte.c:1410:19: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if ((infile = fopen(filename, "rb")) == NULL) {
data/jigit-1.22/libjte/jte.h:156:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char fileLen[6];
data/jigit-1.22/libjte/jte.h:157:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char fileRsync[8];
data/jigit-1.22/libjte/jte.h:158:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char fileMD5[MD5_BYTES];
data/jigit-1.22/libjte/jte.h:164:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char fileLen[6];
data/jigit-1.22/libjte/jte.h:165:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char fileRsync[8];
data/jigit-1.22/libjte/jte.h:166:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char fileSHA256[SHA256_BYTES];
data/jigit-1.22/libjte/jte.h:172:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char skipLen[6];
data/jigit-1.22/libjte/jte.h:178:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char imageLen[6];
data/jigit-1.22/libjte/jte.h:179:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char imageMD5[MD5_BYTES];
data/jigit-1.22/libjte/jte.h:180:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char blockLen[4];
data/jigit-1.22/libjte/jte.h:186:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char imageLen[6];
data/jigit-1.22/libjte/jte.h:187:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char imageSHA256[SHA256_BYTES];
data/jigit-1.22/libjte/jte.h:188:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char blockLen[4];
data/jigit-1.22/libjte/libjte.c:324:13: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(o->message_buffer,
data/jigit-1.22/libjte/libjte.c:334:9: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(o->message_buffer,
data/jigit-1.22/libjte/libjte.c:393:9: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(o->message_buffer,
data/jigit-1.22/libjte/libjte.c:399:21: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
o->jttemplate = fopen(o->jtemplate_out, "wb");
data/jigit-1.22/libjte/libjte.c:401:9: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(o->message_buffer,
data/jigit-1.22/libjte/libjte.c:407:18: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
o->jtjigdo = fopen(o->jjigdo_out, "wb");
data/jigit-1.22/libjte/libjte.c:409:9: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(o->message_buffer,
data/jigit-1.22/libjte/libjte.c:450:29: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char *filename, char *mirror_name, int sector_size,
data/jigit-1.22/libjte/libjte.c:450:45: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char *filename, char *mirror_name, int sector_size,
data/jigit-1.22/libjte/libjte.c:451:50: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
off_t size, unsigned char md5[16])
data/jigit-1.22/libjte/libjte.c:484:30: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char *filename, off_t size, char **mirror_name,
data/jigit-1.22/libjte/libjte.c:484:58: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char *filename, off_t size, char **mirror_name,
data/jigit-1.22/libjte/libjte.c:485:39: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char md5[16])
data/jigit-1.22/libjte/libjte.h:356:30: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char *filename, off_t size, char **mirror_name,
data/jigit-1.22/libjte/libjte.h:356:58: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char *filename, off_t size, char **mirror_name,
data/jigit-1.22/libjte/libjte.h:357:39: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char md5[16]);
data/jigit-1.22/libjte/libjte.h:402:10: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char *filename, char *mirror_name, int sector_size,
data/jigit-1.22/libjte/libjte.h:402:26: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char *filename, char *mirror_name, int sector_size,
data/jigit-1.22/libjte/libjte.h:403:31: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
off_t size, unsigned char md5[16]);
data/jigit-1.22/libjte/libjte_private.h:53:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char message_buffer[4096];
data/jigit-1.22/libjte/md5.c:128:4: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(p, buf, len);
data/jigit-1.22/libjte/md5.c:131:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(p, buf, t);
data/jigit-1.22/libjte/md5.c:140:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(ctx->in, buf, 64);
data/jigit-1.22/libjte/md5.c:148:2: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(ctx->in, buf, len);
data/jigit-1.22/libjte/md5.c:156:23: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
mk_MD5Final (unsigned char digest[16], struct mk_MD5Context *ctx)
data/jigit-1.22/libjte/md5.c:215:51: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
mk_MD5Transform (mk_uint32 buf[4], const unsigned char inraw[64])
data/jigit-1.22/libjte/md5.c:312:11: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char checksum[16];
data/jigit-1.22/libjte/md5.h:28:11: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char in[64];
data/jigit-1.22/libjte/md5.h:34:28: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
void mk_MD5Final (unsigned char digest[16],
data/jigit-1.22/libjte/md5.h:36:56: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
void mk_MD5Transform (mk_uint32 buf[4], const unsigned char in[64]);
data/jigit-1.22/libjte/sha1.c:114:7: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy (x, data, 64);
data/jigit-1.22/libjte/sha1.h:28:12: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char buf[64];
data/jigit-1.22/libjte/sha256.c:52:23: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static const unsigned char fillbuf[64] = { 0x80, 0 /* , 0, 0, ... */ };
data/jigit-1.22/libjte/sha256.c:217:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy (&ctx->buffer[bytes], fillbuf, pad);
data/jigit-1.22/libjte/sha256.c:245:7: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy (&ctx->buffer[left_over], buffer, add);
data/jigit-1.22/libjte/sha256.c:254:4: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy (ctx->buffer, &ctx->buffer[(left_over + add) & ~63],
data/jigit-1.22/libjte/sha256.c:276:28: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
sha256_process_block (memcpy (ctx->buffer, buffer, 64), 64, ctx);
data/jigit-1.22/libjte/sha256.c:294:7: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy (&ctx->buffer[left_over], buffer, len);
data/jigit-1.22/libjte/sha256.c:300:4: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy (ctx->buffer, &ctx->buffer[64], left_over);
data/jigit-1.22/libjte/sha256.h:48:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buffer[128] __attribute__ ((__aligned__ (__alignof__ (uint32_t))));
data/jigit-1.22/libjte/sha512.c:59:23: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static const unsigned char fillbuf[128] = { 0x80, 0 /* , 0, 0, ... */ };
data/jigit-1.22/libjte/sha512.c:332:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy (&ctx->buffer[bytes], fillbuf, pad);
data/jigit-1.22/libjte/sha512.c:360:7: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy (&ctx->buffer[left_over], buffer, add);
data/jigit-1.22/libjte/sha512.c:369:4: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy (ctx->buffer, &ctx->buffer[(left_over + add) & ~127],
data/jigit-1.22/libjte/sha512.c:391:28: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
sha512_process_block (memcpy (ctx->buffer, buffer, 128), 128,
data/jigit-1.22/libjte/sha512.c:410:7: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy (&ctx->buffer[left_over], buffer, len);
data/jigit-1.22/libjte/sha512.c:416:4: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy (ctx->buffer, &ctx->buffer[128], left_over);
data/jigit-1.22/libjte/sha512.h:48:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buffer[256] __attribute__ ((__aligned__ (__alignof__ (uint64_t))));
data/jigit-1.22/libjte/test/demo.c:109:8: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static char *filev[LIBJTE_DEMO_MAX_FILES + 1];
data/jigit-1.22/libjte/test/demo.c:200:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[LIBJTE_DEMO_BUFSIZE];
data/jigit-1.22/libjte/test/demo.c:204:14: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
fp_out = fopen(outfile, "wb");
data/jigit-1.22/libjte/test/demo.c:216:5: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(buf, "test/demo of libjte-%d.%d.%d\n", major, minor, micro);
data/jigit-1.22/libjte/test/demo.c:217:5: [2] (buffer) strcat:
Does not check for buffer overflows when concatenating to destination
[MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
snprintf (warning: strncat is easily misused). Risk is low because the
source is a constant string.
strcat(buf,
data/jigit-1.22/libjte/test/demo.c:233:9: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(buf, "name=%1.1024s\nsize=%.f\n",
data/jigit-1.22/libjte/test/demo.c:235:9: [2] (buffer) strcat:
Does not check for buffer overflows when concatenating to destination
[MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
snprintf (warning: strncat is easily misused). Risk is low because the
source is a constant string.
strcat(buf,
data/jigit-1.22/libjte/test/demo.c:241:17: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
fp_in = fopen(filev[i], "rb");
data/jigit-1.22/libjte/test/demo.c:280:9: [2] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused). Risk is low because the source is a constant string.
strcpy(buf,
data/jigit-1.22/libjte/test/demo.c:287:5: [2] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused). Risk is low because the source is a constant string.
strcpy(buf, "test/demo end\n");
data/jigit-1.22/md5.c:106:4: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(p, buf, len);
data/jigit-1.22/md5.c:109:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(p, buf, t);
data/jigit-1.22/md5.c:118:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(ctx->in, buf, 64);
data/jigit-1.22/md5.c:126:2: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(ctx->in, buf, len);
data/jigit-1.22/md5.c:134:23: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
mk_MD5Final (unsigned char digest[16], struct mk_MD5Context *ctx)
data/jigit-1.22/md5.c:195:51: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
mk_MD5Transform (mk_uint32 buf[4], const unsigned char inraw[64])
data/jigit-1.22/md5.c:293:11: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char checksum[16];
data/jigit-1.22/md5.h:16:11: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char in[64];
data/jigit-1.22/md5.h:22:28: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
void mk_MD5Final (unsigned char digest[16],
data/jigit-1.22/md5.h:24:56: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
void mk_MD5Transform (mk_uint32 buf[4], const unsigned char in[64]);
data/jigit-1.22/mkimage.c:116:24: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
missing_file = fopen(missing, "wb");
data/jigit-1.22/mkimage.c:341:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char bin_md5[MD5_BYTES];
data/jigit-1.22/mkimage.c:367:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[2048];
data/jigit-1.22/mkimage.c:372:12: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
file = fopen(filename, "rb");
data/jigit-1.22/mkimage.c:423:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char bin_sha256[SHA256_BYTES];
data/jigit-1.22/mkimage.c:449:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[2048];
data/jigit-1.22/mkimage.c:454:12: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
file = fopen(filename, "rb");
data/jigit-1.22/mkimage.c:586:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[2048];
data/jigit-1.22/mkimage.c:750:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[BUF_SIZE];
data/jigit-1.22/mkimage.c:754:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char file_md5[MD5_BYTES];
data/jigit-1.22/mkimage.c:767:22: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
input_file = fopen(md5_list_entry->full_path, "rb");
data/jigit-1.22/mkimage.c:842:9: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char hex_md5[HEX_MD5_BYTES + 1];
data/jigit-1.22/mkimage.c:846:13: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(hex_md5 + 2 * i, "%2.2x", (unsigned int) md5[i]);
data/jigit-1.22/mkimage.c:859:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[BUF_SIZE];
data/jigit-1.22/mkimage.c:863:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char file_sha256[SHA256_BYTES];
data/jigit-1.22/mkimage.c:876:22: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
input_file = fopen(sha256_list_entry->full_path, "rb");
data/jigit-1.22/mkimage.c:951:9: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char hex_sha256[HEX_SHA256_BYTES + 1];
data/jigit-1.22/mkimage.c:955:13: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(hex_sha256 + 2 * i, "%2.2x", (unsigned int) sha256[i]);
data/jigit-1.22/mkimage.c:979:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char image_md5sum[MD5_BYTES];
data/jigit-1.22/mkimage.c:980:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char image_sha256sum[SHA256_BYTES];
data/jigit-1.22/mkimage.c:981:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char image_md5sum_from_tmpl[MD5_BYTES];
data/jigit-1.22/mkimage.c:982:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char image_sha256sum_from_tmpl[SHA256_BYTES];
data/jigit-1.22/mkimage.c:986:12: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
file = fopen(filename, "rb");
data/jigit-1.22/mkimage.c:1069:17: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(image_md5sum_from_tmpl, (unsigned char*)&bufptr[7], MD5_BYTES);
data/jigit-1.22/mkimage.c:1075:17: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(image_sha256sum_from_tmpl, (unsigned char*)&bufptr[7], SHA256_BYTES);
data/jigit-1.22/mkimage.c:1349:27: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
logfile = fopen(optarg, "ab");
data/jigit-1.22/mkimage.c:1359:27: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
outfile = fopen(output_name, "wb");
data/jigit-1.22/parallel-sums.c:45:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char d[BUF_SIZE];
data/jigit-1.22/parallel-sums.c:247:35: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
state[i].out_stream = fopen(state[i].out_filename, "wb");
data/jigit-1.22/parallel-sums.c:267:24: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
queue.infile = fopen(argv[optind], "rb");
data/jigit-1.22/rsync.c:119:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[BUF_SIZE];
data/jigit-1.22/rsync.c:131:16: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
file = fopen(filename, "rb");
data/jigit-1.22/uncompress.c:94:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char inbuf[1024];
data/jigit-1.22/jigdump.c:30:21: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
size_t length = strlen(search);
data/jigit-1.22/jigdump.c:293:12: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
hlen = strlen(haystack);
data/jigit-1.22/jigdump.c:294:12: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
nlen = strlen(needle);
data/jigit-1.22/jigdump.c:355:14: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
bytes = read(fd, buf, BUF_SIZE);
data/jigit-1.22/jigdump.c:390:17: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
bytes = read(fd, buf, BUF_SIZE);
data/jigit-1.22/jigdump.c:407:17: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
bytes = read(fd, buf, BUF_SIZE);
data/jigit-1.22/jigsum-sha256.c:148:13: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
ssize_t read;
data/jigit-1.22/jigsum-sha256.c:187:13: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
if (read > (BASE64_CKSUM_BYTES + 2)
data/jigit-1.22/jigsum-sha256.c:195:24: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
line[--read] = '\0';
data/jigit-1.22/jigsum.c:147:13: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
ssize_t read;
data/jigit-1.22/jigsum.c:186:13: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
if (read > (BASE64_CKSUM_BYTES + 2)
data/jigit-1.22/jigsum.c:194:24: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
line[--read] = '\0';
data/jigit-1.22/libjte/checksum.c:500:28: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (len == strlen(algorithms[i].name) &&
data/jigit-1.22/libjte/checksum.c:646:15: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
err = read(fd, buf, sizeof(buf));
data/jigit-1.22/libjte/jte.c:371:26: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (from == NULL || !strlen(from) || eqpt == arg)
data/jigit-1.22/libjte/jte.c:381:5: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy(to, arg, eqpt - arg);
data/jigit-1.22/libjte/jte.c:438:45: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (!strncmp(filename, entry->from, strlen(entry->from)))
data/jigit-1.22/libjte/jte.c:440:38: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
new_name = calloc(1, 2 + strlen(filename) + strlen(entry->to) - strlen(entry->from));
data/jigit-1.22/libjte/jte.c:440:57: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
new_name = calloc(1, 2 + strlen(filename) + strlen(entry->to) - strlen(entry->from));
data/jigit-1.22/libjte/jte.c:440:77: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
new_name = calloc(1, 2 + strlen(filename) + strlen(entry->to) - strlen(entry->from));
data/jigit-1.22/libjte/jte.c:449:61: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
sprintf(new_name, "%s:%s", entry->to, &filename[strlen(entry->from)]);
data/jigit-1.22/libjte/jte.c:695:17: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (buf[strlen((char *)buf)-1] == '\n')
data/jigit-1.22/libjte/jte.c:696:17: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
buf[strlen((char *)buf)-1] = 0;
data/jigit-1.22/libjte/libjte.c:511:33: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
libjte_report_no_mem(o, strlen(checksum_name) + 1, 0);
data/jigit-1.22/libjte/md5.c:325:36: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
mk_MD5Update (&context, argv[j], strlen (argv[j]));
data/jigit-1.22/libjte/test/demo.c:219:34: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
ret = libjte_demo_write(buf, strlen(buf), fp_out);
data/jigit-1.22/libjte/test/demo.c:237:38: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
ret = libjte_demo_write(buf, strlen(buf), fp_out);
data/jigit-1.22/libjte/test/demo.c:282:38: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
ret = libjte_demo_write(buf, strlen(buf), fp_out);
data/jigit-1.22/libjte/test/demo.c:288:34: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
ret = libjte_demo_write(buf, strlen(buf), fp_out);
data/jigit-1.22/md5.c:306:36: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
mk_MD5Update (&context, argv[j], strlen (argv[j]));
data/jigit-1.22/mkimage.c:265:27: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
int jigdo_name_size = strlen(jigdo_name);
data/jigit-1.22/mkimage.c:271:36: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
int mirror_path_size = strlen(entry->mirror_path);
data/jigit-1.22/mkimage.c:352:5: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy(md5_entry, base64_dump(bin_md5, MD5_BYTES), BASE64_MD5_BYTES);
data/jigit-1.22/mkimage.c:358:27: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if ('\n' == file_name[strlen(file_name) -1])
data/jigit-1.22/mkimage.c:359:19: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
file_name[strlen(file_name) - 1] = 0;
data/jigit-1.22/mkimage.c:434:5: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy(sha256_entry, base64_dump(bin_sha256, SHA256_BYTES), BASE64_SHA256_BYTES);
data/jigit-1.22/mkimage.c:440:27: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if ('\n' == file_name[strlen(file_name) -1])
data/jigit-1.22/mkimage.c:441:19: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
file_name[strlen(file_name) - 1] = 0;
data/jigit-1.22/mkimage.c:510:19: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
csum_length = strlen(base64_checksum);
ANALYSIS SUMMARY:
Hits = 241
Lines analyzed = 9984 in approximately 0.34 seconds (28993 lines/second)
Physical Source Lines of Code (SLOC) = 7235
Hits@level = [0] 315 [1] 39 [2] 183 [3] 4 [4] 15 [5] 0
Hits@level+ = [0+] 556 [1+] 241 [2+] 202 [3+] 19 [4+] 15 [5+] 0
Hits/KSLOC@level+ = [0+] 76.8487 [1+] 33.3103 [2+] 27.9198 [3+] 2.62612 [4+] 2.07326 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.