Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/libgweather-3.36.1/libgweather/gweather-enums.h
Examining data/libgweather-3.36.1/libgweather/gweather-location-entry.c
Examining data/libgweather-3.36.1/libgweather/gweather-location-entry.h
Examining data/libgweather-3.36.1/libgweather/gweather-location.c
Examining data/libgweather-3.36.1/libgweather/gweather-location.h
Examining data/libgweather-3.36.1/libgweather/gweather-parser.c
Examining data/libgweather-3.36.1/libgweather/gweather-parser.h
Examining data/libgweather-3.36.1/libgweather/gweather-private.c
Examining data/libgweather-3.36.1/libgweather/gweather-private.h
Examining data/libgweather-3.36.1/libgweather/gweather-timezone-menu.c
Examining data/libgweather-3.36.1/libgweather/gweather-timezone-menu.h
Examining data/libgweather-3.36.1/libgweather/gweather-timezone.c
Examining data/libgweather-3.36.1/libgweather/gweather-timezone.h
Examining data/libgweather-3.36.1/libgweather/gweather-weather.c
Examining data/libgweather-3.36.1/libgweather/gweather-weather.h
Examining data/libgweather-3.36.1/libgweather/gweather.c
Examining data/libgweather-3.36.1/libgweather/gweather.h
Examining data/libgweather-3.36.1/libgweather/test_libgweather.c
Examining data/libgweather-3.36.1/libgweather/test_locations.c
Examining data/libgweather-3.36.1/libgweather/test_locations_utc.c
Examining data/libgweather-3.36.1/libgweather/test_metar.c
Examining data/libgweather-3.36.1/libgweather/test_sun_moon.c
Examining data/libgweather-3.36.1/libgweather/test_weather.c
Examining data/libgweather-3.36.1/libgweather/weather-iwin.c
Examining data/libgweather-3.36.1/libgweather/weather-metar.c
Examining data/libgweather-3.36.1/libgweather/weather-moon.c
Examining data/libgweather-3.36.1/libgweather/weather-owm.c
Examining data/libgweather-3.36.1/libgweather/weather-sun.c
Examining data/libgweather-3.36.1/libgweather/weather-wx.c
Examining data/libgweather-3.36.1/libgweather/weather-yrno.c
FINAL RESULTS:
data/libgweather-3.36.1/libgweather/test_metar.c:63:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[BUFLEN];
data/libgweather-3.36.1/libgweather/test_metar.c:96:11: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
stream = fopen (filename, "r");
data/libgweather-3.36.1/libgweather/weather-iwin.c:242:64: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
if (strstr ((const char *)val, ph_list [i].name)) {
data/libgweather-3.36.1/libgweather/weather-iwin.c:250:64: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
if (strstr ((const char *)val, sky_list [i].name)) {
data/libgweather-3.36.1/libgweather/weather-metar.c:98:42: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
dir = (!strcmp (sdir, "VRB")) ? -1 : atoi (sdir);
data/libgweather-3.36.1/libgweather/weather-metar.c:103:11: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
spd = atoi (sspd);
data/libgweather-3.36.1/libgweather/weather-metar.c:180:9: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
den = atoi (sval);
data/libgweather-3.36.1/libgweather/weather-metar.c:187:13: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
val = atoi (tokp);
data/libgweather-3.36.1/libgweather/weather-metar.c:193:19: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
val = atoi (sval);
data/libgweather-3.36.1/libgweather/weather-metar.c:200:8: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
val = atoi (sval);
data/libgweather-3.36.1/libgweather/weather-metar.c:252:16: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
intg = atoi (sintg);
data/libgweather-3.36.1/libgweather/weather-metar.c:256:17: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
fract = atoi (sfract);
data/libgweather-3.36.1/libgweather/weather-metar.c:265:16: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
pres = atoi (spres);
data/libgweather-3.36.1/libgweather/weather-metar.c:286:50: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
priv->temp = (*ptemp == 'M') ? TEMP_C_TO_F (-atoi (ptemp + 1))
data/libgweather-3.36.1/libgweather/weather-metar.c:287:17: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
: TEMP_C_TO_F (atoi (ptemp));
data/libgweather-3.36.1/libgweather/weather-metar.c:289:45: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
priv->dew = (*pdew == 'M') ? TEMP_C_TO_F (-atoi (pdew + 1))
data/libgweather-3.36.1/libgweather/weather-metar.c:290:21: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
: TEMP_C_TO_F (atoi (pdew));
data/libgweather-3.36.1/libgweather/gweather-location-entry.c:677:19: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
g_assert (len == strlen(key));
data/libgweather-3.36.1/libgweather/gweather-timezone.c:82:31: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
strncmp (contents, TZ_MAGIC, strlen (TZ_MAGIC)) != 0) {
data/libgweather-3.36.1/libgweather/gweather-weather.c:299:10: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
return (strlen (str) > 0) ? str : "-";
data/libgweather-3.36.1/libgweather/test_libgweather.c:323:13: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (strlen (line) != 83)
data/libgweather-3.36.1/libgweather/test_metar.c:106:8: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
len = strlen (buf);
data/libgweather-3.36.1/libgweather/weather-iwin.c:67:33: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
doc = xmlParseMemory (buff, strlen (buff));
data/libgweather-3.36.1/libgweather/weather-metar.c:96:5: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy (sdir, tokp, 3);
data/libgweather-3.36.1/libgweather/weather-metar.c:102:5: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy (sspd, tokp + 3, glen);
data/libgweather-3.36.1/libgweather/weather-metar.c:110:9: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy (sgust, gustp + 1, glen);
data/libgweather-3.36.1/libgweather/weather-metar.c:179:3: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy (sval, pfrac + 1, pend - pfrac - 1);
data/libgweather-3.36.1/libgweather/weather-metar.c:192:6: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy (sval, tokp, pend - tokp);
data/libgweather-3.36.1/libgweather/weather-metar.c:199:9: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy (sval, tokp, strspn (tokp, CONST_DIGITS));
data/libgweather-3.36.1/libgweather/weather-metar.c:215:5: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy (stype, tokp, 3);
data/libgweather-3.36.1/libgweather/weather-metar.c:217:9: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (strlen (tokp) == 6) {
data/libgweather-3.36.1/libgweather/weather-metar.c:218:9: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy (salt, tokp + 3, 3);
data/libgweather-3.36.1/libgweather/weather-metar.c:250:9: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy (sintg, tokp + 1, 2);
data/libgweather-3.36.1/libgweather/weather-metar.c:254:9: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy (sfract, tokp + 3, 2);
data/libgweather-3.36.1/libgweather/weather-metar.c:263:9: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy (spres, tokp + 1, 4);
data/libgweather-3.36.1/libgweather/weather-metar.c:354:10: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if ((strlen (tokp) > 3) && ((*tokp == '+') || (*tokp == '-')))
data/libgweather-3.36.1/libgweather/weather-metar.c:359:14: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
else if (strlen (tokp) < 4)
data/libgweather-3.36.1/libgweather/weather-metar.c:365:5: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy (squal, tokp, pphen - tokp);
data/libgweather-3.36.1/libgweather/weather-metar.c:369:5: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy (sphen, pphen, sizeof (sphen));
data/libgweather-3.36.1/libgweather/weather-metar.c:538:23: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
token_start = strlen(p);
data/libgweather-3.36.1/libgweather/weather-metar.c:618:7: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
p += strlen (searchkey);
ANALYSIS SUMMARY:
Hits = 41
Lines analyzed = 11378 in approximately 0.38 seconds (29836 lines/second)
Physical Source Lines of Code (SLOC) = 7662
Hits@level = [0] 22 [1] 24 [2] 17 [3] 0 [4] 0 [5] 0
Hits@level+ = [0+] 63 [1+] 41 [2+] 17 [3+] 0 [4+] 0 [5+] 0
Hits/KSLOC@level+ = [0+] 8.2224 [1+] 5.35108 [2+] 2.21874 [3+] 0 [4+] 0 [5+] 0
Dot directories skipped = 2 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.