Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/libmatheval-1.1.11+dfsg/tests/matheval.c
Examining data/libmatheval-1.1.11+dfsg/lib/node.c
Examining data/libmatheval-1.1.11+dfsg/lib/matheval.c
Examining data/libmatheval-1.1.11+dfsg/lib/matheval.h
Examining data/libmatheval-1.1.11+dfsg/lib/symbol_table.c
Examining data/libmatheval-1.1.11+dfsg/lib/xmalloc.h
Examining data/libmatheval-1.1.11+dfsg/lib/parser.h
Examining data/libmatheval-1.1.11+dfsg/lib/parser.c
Examining data/libmatheval-1.1.11+dfsg/lib/scanner.c
Examining data/libmatheval-1.1.11+dfsg/lib/xmalloc.c
Examining data/libmatheval-1.1.11+dfsg/lib/common.h
Examining data/libmatheval-1.1.11+dfsg/lib/error.c
Examining data/libmatheval-1.1.11+dfsg/lib/node.h
Examining data/libmatheval-1.1.11+dfsg/lib/xmath.c
Examining data/libmatheval-1.1.11+dfsg/lib/error.h
Examining data/libmatheval-1.1.11+dfsg/lib/g77_interface.c
Examining data/libmatheval-1.1.11+dfsg/lib/symbol_table.h
Examining data/libmatheval-1.1.11+dfsg/lib/xmath.h

FINAL RESULTS:

data/libmatheval-1.1.11+dfsg/lib/matheval.c:71:2:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(stringn, string);
data/libmatheval-1.1.11+dfsg/lib/node.c:1475:3:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf(string, "%s", node->data.constant->name);
data/libmatheval-1.1.11+dfsg/lib/node.c:1479:3:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf(string, "%s", node->data.variable->name);
data/libmatheval-1.1.11+dfsg/lib/node.c:1483:3:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf(string, "%s%c", node->data.function.record->name,
data/libmatheval-1.1.11+dfsg/lib/parser.c:672:21:  [4] (format) fprintf:
  If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification.
  # define YYFPRINTF fprintf
data/libmatheval-1.1.11+dfsg/lib/symbol_table.c:149:2:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(record->name, name);
data/libmatheval-1.1.11+dfsg/lib/g77_interface.c:50:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(stringz, string, length * sizeof(char));
data/libmatheval-1.1.11+dfsg/lib/g77_interface.c:92:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(names_copy[i], names + j, n * sizeof(char));
data/libmatheval-1.1.11+dfsg/lib/g77_interface.c:123:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(string, evaluator_get_string((void *) *evaluator),
data/libmatheval-1.1.11+dfsg/lib/g77_interface.c:177:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(string, names[i], n * sizeof(char));
data/libmatheval-1.1.11+dfsg/lib/g77_interface.c:196:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(stringz, name, length * sizeof(char));
data/libmatheval-1.1.11+dfsg/lib/node.c:1422:10:  [2] (tmpfile) tmpfile:
  Function tmpfile() has a security flaw on some systems (e.g., older System V systems) (CWE-377).
  file = tmpfile();
data/libmatheval-1.1.11+dfsg/lib/node.c:1465:4:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(string, "%c", '(');
data/libmatheval-1.1.11+dfsg/lib/node.c:1468:3:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(string, "%g", node->data.number);
data/libmatheval-1.1.11+dfsg/lib/node.c:1471:4:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(string, "%c", ')');
data/libmatheval-1.1.11+dfsg/lib/node.c:1488:3:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(string, "%c", ')');
data/libmatheval-1.1.11+dfsg/lib/node.c:1492:3:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(string, "%c", '(');
data/libmatheval-1.1.11+dfsg/lib/node.c:1494:3:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(string, "%c", node->data.un_op.operation);
data/libmatheval-1.1.11+dfsg/lib/node.c:1498:3:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(string, "%c", ')');
data/libmatheval-1.1.11+dfsg/lib/node.c:1502:3:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(string, "%c", '(');
data/libmatheval-1.1.11+dfsg/lib/node.c:1506:3:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(string, "%c", node->data.bin_op.operation);
data/libmatheval-1.1.11+dfsg/lib/node.c:1510:3:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(string, "%c", ')');
data/libmatheval-1.1.11+dfsg/lib/parser.c:969:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char const *yyarg[YYERROR_VERBOSE_ARGS_MAXIMUM];
data/libmatheval-1.1.11+dfsg/lib/parser.c:1203:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char yymsgbuf[128];
data/libmatheval-1.1.11+dfsg/lib/scanner.c:1980:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(buffer, input_string, count);
data/libmatheval-1.1.11+dfsg/lib/g77_interface.c:114:9:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  return strlen(evaluator_get_string((void *) *evaluator));
data/libmatheval-1.1.11+dfsg/lib/g77_interface.c:146:13:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  length += strlen(names[i]);
data/libmatheval-1.1.11+dfsg/lib/g77_interface.c:174:7:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  n = strlen(names[i]);
data/libmatheval-1.1.11+dfsg/lib/matheval.c:69:26:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  stringn = XMALLOC(char, strlen(string) + 2);
data/libmatheval-1.1.11+dfsg/lib/matheval.c:72:2:  [1] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant character.
  strcat(stringn, "\n");
data/libmatheval-1.1.11+dfsg/lib/node.c:1435:10:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  return strlen(node->data.constant->name);
data/libmatheval-1.1.11+dfsg/lib/node.c:1438:10:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  return strlen(node->data.variable->name);
data/libmatheval-1.1.11+dfsg/lib/node.c:1441:10:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  return strlen(node->data.function.record->name) + 1 +
data/libmatheval-1.1.11+dfsg/lib/node.c:1466:14:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  string += strlen(string);
data/libmatheval-1.1.11+dfsg/lib/node.c:1469:13:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  string += strlen(string);
data/libmatheval-1.1.11+dfsg/lib/node.c:1485:13:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  string += strlen(string);
data/libmatheval-1.1.11+dfsg/lib/node.c:1487:13:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  string += strlen(string);
data/libmatheval-1.1.11+dfsg/lib/node.c:1493:13:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  string += strlen(string);
data/libmatheval-1.1.11+dfsg/lib/node.c:1495:13:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  string += strlen(string);
data/libmatheval-1.1.11+dfsg/lib/node.c:1497:13:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  string += strlen(string);
data/libmatheval-1.1.11+dfsg/lib/node.c:1503:13:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  string += strlen(string);
data/libmatheval-1.1.11+dfsg/lib/node.c:1505:13:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  string += strlen(string);
data/libmatheval-1.1.11+dfsg/lib/node.c:1507:13:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  string += strlen(string);
data/libmatheval-1.1.11+dfsg/lib/node.c:1509:13:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  string += strlen(string);
data/libmatheval-1.1.11+dfsg/lib/parser.c:854:21:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  # define yystrlen strlen
data/libmatheval-1.1.11+dfsg/lib/scanner.c:697:14:  [1] (buffer) getc:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  (c = getc( yyin )) != EOF && c != '\n'; ++n ) \
data/libmatheval-1.1.11+dfsg/lib/scanner.c:1721:29:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  return yy_scan_bytes(yystr,strlen(yystr) );
data/libmatheval-1.1.11+dfsg/lib/scanner.c:1975:17:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  count = strlen (input_string);
data/libmatheval-1.1.11+dfsg/lib/symbol_table.c:148:31:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  record->name = XMALLOC(char, strlen(name) + 1);

ANALYSIS SUMMARY:

Hits = 49
Lines analyzed = 7357 in approximately 0.21 seconds (34364 lines/second)
Physical Source Lines of Code (SLOC) = 4786
Hits@level = [0]   4 [1]  24 [2]  19 [3]   0 [4]   6 [5]   0
Hits@level+ = [0+]  53 [1+]  49 [2+]  25 [3+]   6 [4+]   6 [5+]   0
Hits/KSLOC@level+ = [0+] 11.074 [1+] 10.2382 [2+] 5.22357 [3+] 1.25366 [4+] 1.25366 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.