Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/libmateweather-1.24.1/libmateweather/location-entry.c
Examining data/libmateweather-1.24.1/libmateweather/location-entry.h
Examining data/libmateweather-1.24.1/libmateweather/mateweather-location.c
Examining data/libmateweather-1.24.1/libmateweather/mateweather-location.h
Examining data/libmateweather-1.24.1/libmateweather/mateweather-prefs.c
Examining data/libmateweather-1.24.1/libmateweather/mateweather-prefs.h
Examining data/libmateweather-1.24.1/libmateweather/mateweather-timezone.c
Examining data/libmateweather-1.24.1/libmateweather/mateweather-timezone.h
Examining data/libmateweather-1.24.1/libmateweather/mateweather-xml.c
Examining data/libmateweather-1.24.1/libmateweather/mateweather-xml.h
Examining data/libmateweather-1.24.1/libmateweather/parser.c
Examining data/libmateweather-1.24.1/libmateweather/parser.h
Examining data/libmateweather-1.24.1/libmateweather/test_locations.c
Examining data/libmateweather-1.24.1/libmateweather/test_metar.c
Examining data/libmateweather-1.24.1/libmateweather/test_sun_moon.c
Examining data/libmateweather-1.24.1/libmateweather/timezone-menu.c
Examining data/libmateweather-1.24.1/libmateweather/timezone-menu.h
Examining data/libmateweather-1.24.1/libmateweather/weather-bom.c
Examining data/libmateweather-1.24.1/libmateweather/weather-iwin.c
Examining data/libmateweather-1.24.1/libmateweather/weather-met.c
Examining data/libmateweather-1.24.1/libmateweather/weather-metar.c
Examining data/libmateweather-1.24.1/libmateweather/weather-moon.c
Examining data/libmateweather-1.24.1/libmateweather/weather-priv.h
Examining data/libmateweather-1.24.1/libmateweather/weather-sun.c
Examining data/libmateweather-1.24.1/libmateweather/weather-wx.c
Examining data/libmateweather-1.24.1/libmateweather/weather.c
Examining data/libmateweather-1.24.1/libmateweather/weather.h

FINAL RESULTS:

data/libmateweather-1.24.1/libmateweather/weather.c:724:2:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy (buf, utf8);
data/libmateweather-1.24.1/libmateweather/test_metar.c:28:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf[BUFLEN];
data/libmateweather-1.24.1/libmateweather/test_metar.c:41:11:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  stream = fopen (filename, "r");
data/libmateweather-1.24.1/libmateweather/weather-iwin.c:312:64:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  if (strstr ((const char *)val, ph_list [i].name)) {
data/libmateweather-1.24.1/libmateweather/weather-iwin.c:319:64:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  if (strstr ((const char *)val, sky_list [i].name)) {
data/libmateweather-1.24.1/libmateweather/weather-metar.c:94:42:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  dir = (!strcmp (sdir, "VRB")) ? -1 : atoi (sdir);
data/libmateweather-1.24.1/libmateweather/weather-metar.c:99:11:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  spd = atoi (sspd);
data/libmateweather-1.24.1/libmateweather/weather-metar.c:171:23:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  den = atoi (sval);
data/libmateweather-1.24.1/libmateweather/weather-metar.c:178:27:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  val = atoi (tokp);
data/libmateweather-1.24.1/libmateweather/weather-metar.c:184:19:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  val = atoi (sval);
data/libmateweather-1.24.1/libmateweather/weather-metar.c:191:15:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  val = atoi (sval);
data/libmateweather-1.24.1/libmateweather/weather-metar.c:234:16:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  intg = atoi (sintg);
data/libmateweather-1.24.1/libmateweather/weather-metar.c:238:17:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  fract = atoi (sfract);
data/libmateweather-1.24.1/libmateweather/weather-metar.c:247:16:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  pres = atoi (spres);
data/libmateweather-1.24.1/libmateweather/weather-metar.c:263:50:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  info->temp = (*ptemp == 'M') ? TEMP_C_TO_F (-atoi (ptemp + 1))
data/libmateweather-1.24.1/libmateweather/weather-metar.c:264:24:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  : TEMP_C_TO_F (atoi (ptemp));
data/libmateweather-1.24.1/libmateweather/weather-metar.c:266:52:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  info->dew = (*pdew == 'M') ? TEMP_C_TO_F (-atoi (pdew + 1))
data/libmateweather-1.24.1/libmateweather/weather-metar.c:267:28:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  : TEMP_C_TO_F (atoi (pdew));
data/libmateweather-1.24.1/libmateweather/weather.c:715:6:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string.
  strcpy (buf, "???");
data/libmateweather-1.24.1/libmateweather/weather.c:718:6:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string.
  strcpy (buf, "???");
data/libmateweather-1.24.1/libmateweather/location-entry.c:560:35:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  match = find_word (name, key, strlen (key), FALSE, is_first_word) != NULL;
data/libmateweather-1.24.1/libmateweather/mateweather-timezone.c:82:31:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  strncmp (contents, TZ_MAGIC, strlen (TZ_MAGIC)) != 0) {
data/libmateweather-1.24.1/libmateweather/test_metar.c:51:8:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  len = strlen (buf);
data/libmateweather-1.24.1/libmateweather/weather-iwin.c:48:41:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  memmove (forecast, ptr, strlen (ptr) + 1);
data/libmateweather-1.24.1/libmateweather/weather-iwin.c:110:33:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  doc = xmlParseMemory (buff, strlen (buff));
data/libmateweather-1.24.1/libmateweather/weather-metar.c:92:5:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy (sdir, tokp, 3);
data/libmateweather-1.24.1/libmateweather/weather-metar.c:98:5:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy (sspd, tokp + 3, glen);
data/libmateweather-1.24.1/libmateweather/weather-metar.c:106:9:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy (sgust, gustp + 1, glen);
data/libmateweather-1.24.1/libmateweather/weather-metar.c:170:17:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy (sval, pfrac + 1, pend - pfrac - 1);
data/libmateweather-1.24.1/libmateweather/weather-metar.c:183:13:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy (sval, tokp, pend - tokp);
data/libmateweather-1.24.1/libmateweather/weather-metar.c:190:9:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy (sval, tokp, strspn (tokp, CONST_DIGITS));
data/libmateweather-1.24.1/libmateweather/weather-metar.c:201:5:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy (stype, tokp, 3);
data/libmateweather-1.24.1/libmateweather/weather-metar.c:203:9:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen (tokp) == 6) {
data/libmateweather-1.24.1/libmateweather/weather-metar.c:204:9:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy (salt, tokp + 3, 3);
data/libmateweather-1.24.1/libmateweather/weather-metar.c:232:9:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy (sintg, tokp + 1, 2);
data/libmateweather-1.24.1/libmateweather/weather-metar.c:236:9:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy (sfract, tokp + 3, 2);
data/libmateweather-1.24.1/libmateweather/weather-metar.c:245:9:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy (spres, tokp + 1, 4);
data/libmateweather-1.24.1/libmateweather/weather-metar.c:279:10:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if ((strlen (tokp) > 3) && ((*tokp == '+') || (*tokp == '-')))
data/libmateweather-1.24.1/libmateweather/weather-metar.c:284:14:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  else if (strlen (tokp) < 4)
data/libmateweather-1.24.1/libmateweather/weather-metar.c:290:5:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy (squal, tokp, pphen - tokp);
data/libmateweather-1.24.1/libmateweather/weather-metar.c:294:5:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy (sphen, pphen, sizeof (sphen));
data/libmateweather-1.24.1/libmateweather/weather-metar.c:458:21:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  rm2.rm_so = strlen (p);
data/libmateweather-1.24.1/libmateweather/weather.c:112:35:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  dir = g_ascii_toupper (latlon[strlen (latlon) - 1]);
data/libmateweather-1.24.1/libmateweather/weather.c:337:10:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  return (strlen (str) > 0) ? str : "-";
data/libmateweather-1.24.1/libmateweather/weather.c:727:9:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120). Risk is low because the source is a constant string.
  strncpy (buf, _("Unknown observation time"), sizeof (buf));
data/libmateweather-1.24.1/libmateweather/weather.c:937:9:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120). Risk is low because the source is a constant string.
  strncpy (buf, _("Calm"), sizeof (buf));
data/libmateweather-1.24.1/libmateweather/weather.c:1266:45:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  g_snprintf(icon, sizeof(icon_buffer) - strlen(icon_buffer),

ANALYSIS SUMMARY:

Hits = 47
Lines analyzed = 7556 in approximately 0.36 seconds (21164 lines/second)
Physical Source Lines of Code (SLOC) = 5109
Hits@level = [0]  23 [1]  27 [2]  19 [3]   0 [4]   1 [5]   0
Hits@level+ = [0+]  70 [1+]  47 [2+]  20 [3+]   1 [4+]   1 [5+]   0
Hits/KSLOC@level+ = [0+] 13.7013 [1+] 9.19945 [2+] 3.91466 [3+] 0.195733 [4+] 0.195733 [5+]   0
Dot directories skipped = 3 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.