Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/libofa-0.9.3/include/ofa1/ofa.h
Examining data/libofa-0.9.3/lib/error_op.h
Examining data/libofa-0.9.3/lib/fftlib_op.h
Examining data/libofa-0.9.3/lib/fft_op.h
Examining data/libofa-0.9.3/lib/frametracker_op.h
Examining data/libofa-0.9.3/lib/signal_op.h
Examining data/libofa-0.9.3/lib/trackdata_op.h
Examining data/libofa-0.9.3/lib/trackframe_op.h
Examining data/libofa-0.9.3/lib/tracklist_op.h
Examining data/libofa-0.9.3/lib/fftlibw3_op.cpp
Examining data/libofa-0.9.3/lib/fft_op.cpp
Examining data/libofa-0.9.3/lib/frametracker_op.cpp
Examining data/libofa-0.9.3/lib/mainprint.cpp
Examining data/libofa-0.9.3/lib/trackdata_op.cpp
Examining data/libofa-0.9.3/lib/trackframe_op.cpp
Examining data/libofa-0.9.3/lib/tracklist_op.cpp
Examining data/libofa-0.9.3/lib/fftlibvdsp_op.cpp
Examining data/libofa-0.9.3/lib/JAMA/jama_svd.h
Examining data/libofa-0.9.3/lib/JAMA/tnt_array1d.h
Examining data/libofa-0.9.3/lib/JAMA/tnt_array1d_utils.h
Examining data/libofa-0.9.3/lib/JAMA/tnt_array2d.h
Examining data/libofa-0.9.3/lib/JAMA/tnt_array2d_utils.h
Examining data/libofa-0.9.3/lib/JAMA/tnt_math_utils.h
Examining data/libofa-0.9.3/lib/AFLIB/aflibConverter.cpp
Examining data/libofa-0.9.3/lib/AFLIB/aflibConverter.h
Examining data/libofa-0.9.3/lib/AFLIB/aflibConverterLargeFilter.h
Examining data/libofa-0.9.3/lib/AFLIB/aflibConverterSmallFilter.h
Examining data/libofa-0.9.3/lib/signal_op.cpp
Examining data/libofa-0.9.3/examples/protocol.h
Examining data/libofa-0.9.3/examples/example.cpp
Examining data/libofa-0.9.3/examples/protocol.cpp
Examining data/libofa-0.9.3/examples/uselame.cpp
Examining data/libofa-0.9.3/examples/wavefile.cpp
Examining data/libofa-0.9.3/debian/tests/test.cpp
FINAL RESULTS:
data/libofa-0.9.3/examples/example.cpp:29:6: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(fext, p+1);
data/libofa-0.9.3/examples/protocol.cpp:232:5: [4] (format) sprintf:
Potential format string problem (CWE-134). Make format string constant.
sprintf(buf, lookupByPrint ? request_format : request_format2,
data/libofa-0.9.3/examples/uselame.cpp:36:5: [4] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf.
sprintf(cmd,"lame --decode \"%s\" fpTemp.wav", file);
data/libofa-0.9.3/examples/uselame.cpp:59:9: [4] (shell) execv:
This causes a new program to execute and is difficult to use safely
(CWE-78). try using a library call that implements the same functionality
if available.
if (execv(cmd, (char **) argv) == -1) {
data/libofa-0.9.3/examples/uselame.cpp:37:10: [3] (shell) CreateProcess:
This causes a new process to execute and is difficult to use safely
(CWE-78). Specify the application path in the first argument, NOT as part
of the second, or embedded spaces could allow an attacker to force a
different program to run.
if (!CreateProcess(NULL, // No module name (use command line).
data/libofa-0.9.3/examples/uselame.cpp:37:10: [3] (shell) CreateProcess:
This causes a new process to execute and is difficult to use safely
(CWE-78). Specify the application path in the first argument, NOT as part
of the second, or embedded spaces could allow an attacker to force a
different program to run.
if (!CreateProcess(NULL, // No module name (use command line).
data/libofa-0.9.3/examples/example.cpp:26:2: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char fext[100] = "";
data/libofa-0.9.3/examples/protocol.cpp:172:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char num[10];
data/libofa-0.9.3/examples/protocol.cpp:173:5: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(num, "%d", XML_GetCurrentLineNumber(parser));
data/libofa-0.9.3/examples/uselame.cpp:58:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char * argv[4] = {cmd, flag, file, temp};
data/libofa-0.9.3/examples/wavefile.cpp:19:11: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char tmp[4096];
data/libofa-0.9.3/examples/wavefile.cpp:47:14: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
int fd = open(file, O_RDONLY | O_BINARY);
data/libofa-0.9.3/examples/wavefile.cpp:49:14: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
int fd = open(file, O_RDONLY);
data/libofa-0.9.3/examples/wavefile.cpp:59:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char hdr[36];
data/libofa-0.9.3/examples/wavefile.cpp:110:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char b[8];
data/libofa-0.9.3/lib/mainprint.cpp:88:11: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char bytes[Dim * Res * 2 + 5];
data/libofa-0.9.3/lib/mainprint.cpp:276:8: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static char encodingTable[64] = {
data/libofa-0.9.3/lib/mainprint.cpp:286:12: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static char out[758];
data/libofa-0.9.3/lib/mainprint.cpp:287:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char inbuf[3], outbuf[4];
data/libofa-0.9.3/examples/protocol.cpp:147:5: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy(temp, (char *)charData, len);
data/libofa-0.9.3/examples/protocol.cpp:216:19: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
int bufSize = strlen(lookupByPrint ? request_format : request_format2) +
data/libofa-0.9.3/examples/protocol.cpp:223:49: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
((info->getArtist().c_str() == 0) ? strlen(unknown) : info->getArtist().length()) +
data/libofa-0.9.3/examples/protocol.cpp:224:49: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
((info->getTrack().c_str() == 0) ? strlen(unknown) : info->getTrack().length()) +
data/libofa-0.9.3/examples/protocol.cpp:225:49: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
((info->getAlbum().c_str() == 0) ? strlen(unknown) : info->getAlbum().length()) +
data/libofa-0.9.3/examples/protocol.cpp:227:49: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
((info->getGenre().c_str() == 0) ? strlen(unknown) : info->getGenre().length()) +
data/libofa-0.9.3/examples/wavefile.cpp:25:10: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
int n = read(fd, tmp, x);
ANALYSIS SUMMARY:
Hits = 26
Lines analyzed = 26488 in approximately 0.37 seconds (72554 lines/second)
Physical Source Lines of Code (SLOC) = 24504
Hits@level = [0] 10 [1] 7 [2] 13 [3] 2 [4] 4 [5] 0
Hits@level+ = [0+] 36 [1+] 26 [2+] 19 [3+] 6 [4+] 4 [5+] 0
Hits/KSLOC@level+ = [0+] 1.46915 [1+] 1.06105 [2+] 0.775384 [3+] 0.244858 [4+] 0.163239 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.