Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/libquvi-0.9.3/src/net/http_metainfo.c
Examining data/libquvi-0.9.3/src/net/resolve.h
Examining data/libquvi-0.9.3/src/net/handle.h
Examining data/libquvi-0.9.3/src/net/resolve.c
Examining data/libquvi-0.9.3/src/net/fetch.h
Examining data/libquvi-0.9.3/src/net/fetch.c
Examining data/libquvi-0.9.3/src/net/handle.c
Examining data/libquvi-0.9.3/src/_quvi_s.h
Examining data/libquvi-0.9.3/src/_quvi_script_s.h
Examining data/libquvi-0.9.3/src/lua/chk.h
Examining data/libquvi-0.9.3/src/lua/exec_subtitle_script_parse.c
Examining data/libquvi-0.9.3/src/lua/exec_scan_script_parse.c
Examining data/libquvi-0.9.3/src/lua/match_url_to_media_script.c
Examining data/libquvi-0.9.3/src/lua/chk.c
Examining data/libquvi-0.9.3/src/lua/init.c
Examining data/libquvi-0.9.3/src/lua/quvi/base64/encode.c
Examining data/libquvi-0.9.3/src/lua/quvi/base64/decode.c
Examining data/libquvi-0.9.3/src/lua/quvi/crypto/err.c
Examining data/libquvi-0.9.3/src/lua/quvi/crypto/hash.c
Examining data/libquvi-0.9.3/src/lua/quvi/crypto/en_decrypt.c
Examining data/libquvi-0.9.3/src/lua/quvi/crypto/copts.c
Examining data/libquvi-0.9.3/src/lua/quvi/crypto/opts.h
Examining data/libquvi-0.9.3/src/lua/quvi/crypto/err.h
Examining data/libquvi-0.9.3/src/lua/quvi/http/resolve.c
Examining data/libquvi-0.9.3/src/lua/quvi/http/cookie.c
Examining data/libquvi-0.9.3/src/lua/quvi/http/header.c
Examining data/libquvi-0.9.3/src/lua/quvi/http/metainfo.c
Examining data/libquvi-0.9.3/src/lua/quvi/http/fetch.c
Examining data/libquvi-0.9.3/src/lua/quvi/opts.h
Examining data/libquvi-0.9.3/src/lua/quvi/opts.c
Examining data/libquvi-0.9.3/src/lua/load_util_script.c
Examining data/libquvi-0.9.3/src/lua/load_util_script.h
Examining data/libquvi-0.9.3/src/lua/match_url_to_subtitle_script.c
Examining data/libquvi-0.9.3/src/lua/exec_subtitle_export_script_export.c
Examining data/libquvi-0.9.3/src/lua/exec.h
Examining data/libquvi-0.9.3/src/lua/exec_subtitle_export_script_ident.c
Examining data/libquvi-0.9.3/src/lua/exec_media_script_parse.c
Examining data/libquvi-0.9.3/src/lua/def.h
Examining data/libquvi-0.9.3/src/lua/setfield.h
Examining data/libquvi-0.9.3/src/lua/exec_playlist_script_ident.c
Examining data/libquvi-0.9.3/src/lua/exec_playlist_script_parse.c
Examining data/libquvi-0.9.3/src/lua/util/exec_util_resolve_redirections.c
Examining data/libquvi-0.9.3/src/lua/util/exec_util_convert_entities.c
Examining data/libquvi-0.9.3/src/lua/util/exec_util_to_file_ext.c
Examining data/libquvi-0.9.3/src/lua/match_url_to_playlist_script.c
Examining data/libquvi-0.9.3/src/lua/modify_pkgpath.c
Examining data/libquvi-0.9.3/src/lua/exec_media_script_ident.c
Examining data/libquvi-0.9.3/src/lua/getfield.c
Examining data/libquvi-0.9.3/src/lua/setfield.c
Examining data/libquvi-0.9.3/src/lua/getfield.h
Examining data/libquvi-0.9.3/src/lua/exec_subtitle_script_ident.c
Examining data/libquvi-0.9.3/src/_quvi_net_resolve_s.h
Examining data/libquvi-0.9.3/src/gcrypt/crypto.c
Examining data/libquvi-0.9.3/src/gcrypt/crypto.h
Examining data/libquvi-0.9.3/src/gcrypt/init.c
Examining data/libquvi-0.9.3/src/quvi-0.9/quvi/qversion.h
Examining data/libquvi-0.9.3/src/quvi-0.9/quvi/qsupp.h
Examining data/libquvi-0.9.3/src/quvi-0.9/quvi/qmediaprop.h
Examining data/libquvi-0.9.3/src/quvi-0.9/quvi/qhttpmiprop.h
Examining data/libquvi-0.9.3/src/quvi-0.9/quvi/qplaylistprop.h
Examining data/libquvi-0.9.3/src/quvi-0.9/quvi/qscript.h
Examining data/libquvi-0.9.3/src/quvi-0.9/quvi/qcallback.h
Examining data/libquvi-0.9.3/src/quvi-0.9/quvi/qbool.h
Examining data/libquvi-0.9.3/src/quvi-0.9/quvi/qdef.h
Examining data/libquvi-0.9.3/src/quvi-0.9/quvi/qinfo.h
Examining data/libquvi-0.9.3/src/quvi-0.9/quvi/qoption.h
Examining data/libquvi-0.9.3/src/quvi-0.9/quvi/qerror.h
Examining data/libquvi-0.9.3/src/quvi-0.9/quvi/qsubtprop.h
Examining data/libquvi-0.9.3/src/quvi-0.9/quvi/qfunc.h
Examining data/libquvi-0.9.3/src/quvi-0.9/quvi.h
Examining data/libquvi-0.9.3/src/_quvi_scan_s.h
Examining data/libquvi-0.9.3/src/_quvi_media_s.h
Examining data/libquvi-0.9.3/src/curl/init.c
Examining data/libquvi-0.9.3/src/curl/temp.h
Examining data/libquvi-0.9.3/src/curl/http_metainfo.c
Examining data/libquvi-0.9.3/src/curl/close.c
Examining data/libquvi-0.9.3/src/curl/autoproxy.h
Examining data/libquvi-0.9.3/src/curl/resolve.c
Examining data/libquvi-0.9.3/src/curl/temp.c
Examining data/libquvi-0.9.3/src/curl/autoproxy.c
Examining data/libquvi-0.9.3/src/curl/fetch.c
Examining data/libquvi-0.9.3/src/curl/reset.c
Examining data/libquvi-0.9.3/src/_quvi_subtitle_export_s.h
Examining data/libquvi-0.9.3/src/_quvi_http_metainfo_s.h
Examining data/libquvi-0.9.3/src/_quvi_subtitle_s.h
Examining data/libquvi-0.9.3/src/_quvi_playlist_s.h
Examining data/libquvi-0.9.3/src/_quvi_net_s.h
Examining data/libquvi-0.9.3/src/api/resolve_forwarded.c
Examining data/libquvi-0.9.3/src/api/playlist_free.c
Examining data/libquvi-0.9.3/src/api/version.c
Examining data/libquvi-0.9.3/src/api/supports.c
Examining data/libquvi-0.9.3/src/api/http_metainfo_get.c
Examining data/libquvi-0.9.3/src/api/playlist_new.c
Examining data/libquvi-0.9.3/src/api/scan_new.c
Examining data/libquvi-0.9.3/src/api/subtitle_type_next.c
Examining data/libquvi-0.9.3/src/api/http_metainfo_free.c
Examining data/libquvi-0.9.3/src/api/http_metainfo_new.c
Examining data/libquvi-0.9.3/src/api/script_next.c
Examining data/libquvi-0.9.3/src/api/media_stream_next.c
Examining data/libquvi-0.9.3/src/api/subtitle_free.c
Examining data/libquvi-0.9.3/src/api/ok.c
Examining data/libquvi-0.9.3/src/api/media_stream_select.c
Examining data/libquvi-0.9.3/src/api/subtitle_lang_next.c
Examining data/libquvi-0.9.3/src/api/media_stream_reset.c
Examining data/libquvi-0.9.3/src/api/errmsg.c
Examining data/libquvi-0.9.3/src/api/subtitle_export_data.c
Examining data/libquvi-0.9.3/src/api/playlist_get.c
Examining data/libquvi-0.9.3/src/api/resolve_free.c
Examining data/libquvi-0.9.3/src/api/media_new.c
Examining data/libquvi-0.9.3/src/api/media_get.c
Examining data/libquvi-0.9.3/src/api/file_ext_new.c
Examining data/libquvi-0.9.3/src/api/subtitle_select.c
Examining data/libquvi-0.9.3/src/api/resolve_new.c
Examining data/libquvi-0.9.3/src/api/file_ext_get.c
Examining data/libquvi-0.9.3/src/api/subtitle_type_get.c
Examining data/libquvi-0.9.3/src/api/script_get.c
Examining data/libquvi-0.9.3/src/api/playlist_media_next.c
Examining data/libquvi-0.9.3/src/api/subtitle_lang_get.c
Examining data/libquvi-0.9.3/src/api/file_ext_free.c
Examining data/libquvi-0.9.3/src/api/subtitle_export_new.c
Examining data/libquvi-0.9.3/src/api/media_stream_choose_best.c
Examining data/libquvi-0.9.3/src/api/playlist_media_reset.c
Examining data/libquvi-0.9.3/src/api/set.c
Examining data/libquvi-0.9.3/src/api/subtitle_type_reset.c
Examining data/libquvi-0.9.3/src/api/subtitle_new.c
Examining data/libquvi-0.9.3/src/api/subtitle_lang_reset.c
Examining data/libquvi-0.9.3/src/api/subtitle_export_free.c
Examining data/libquvi-0.9.3/src/api/scan_next_media_url.c
Examining data/libquvi-0.9.3/src/api/resolve_destination_url.c
Examining data/libquvi-0.9.3/src/api/free.c
Examining data/libquvi-0.9.3/src/api/scan_free.c
Examining data/libquvi-0.9.3/src/api/new.c
Examining data/libquvi-0.9.3/src/api/media_free.c
Examining data/libquvi-0.9.3/src/api/errcode.c
Examining data/libquvi-0.9.3/src/api/get.c
Examining data/libquvi-0.9.3/src/_quvi_file_ext_s.h
Examining data/libquvi-0.9.3/src/_quvi_macro.h
Examining data/libquvi-0.9.3/src/misc/match_subtitle_export_script.h
Examining data/libquvi-0.9.3/src/misc/script_free.c
Examining data/libquvi-0.9.3/src/misc/subtitle_export.c
Examining data/libquvi-0.9.3/src/misc/playlist.h
Examining data/libquvi-0.9.3/src/misc/subtitle.c
Examining data/libquvi-0.9.3/src/misc/scan_new.c
Examining data/libquvi-0.9.3/src/misc/match.c
Examining data/libquvi-0.9.3/src/misc/trim.c
Examining data/libquvi-0.9.3/src/misc/playlist.c
Examining data/libquvi-0.9.3/src/misc/match_playlist_script.h
Examining data/libquvi-0.9.3/src/misc/slst.h
Examining data/libquvi-0.9.3/src/misc/resolve.h
Examining data/libquvi-0.9.3/src/misc/slst.c
Examining data/libquvi-0.9.3/src/misc/media.c
Examining data/libquvi-0.9.3/src/misc/capture.c
Examining data/libquvi-0.9.3/src/misc/resolve.c
Examining data/libquvi-0.9.3/src/misc/match_subtitle_script.c
Examining data/libquvi-0.9.3/src/misc/re.h
Examining data/libquvi-0.9.3/src/misc/scan_new.h
Examining data/libquvi-0.9.3/src/misc/unescape.c
Examining data/libquvi-0.9.3/src/misc/media.h
Examining data/libquvi-0.9.3/src/misc/match_media_script.h
Examining data/libquvi-0.9.3/src/misc/match_media_script.c
Examining data/libquvi-0.9.3/src/misc/unescape.h
Examining data/libquvi-0.9.3/src/misc/script_free.h
Examining data/libquvi-0.9.3/src/misc/to_utf8.c
Examining data/libquvi-0.9.3/src/misc/subtitle_export.h
Examining data/libquvi-0.9.3/src/misc/match_playlist_script.c
Examining data/libquvi-0.9.3/src/misc/match_subtitle_script.h
Examining data/libquvi-0.9.3/src/misc/scan_scripts.c
Examining data/libquvi-0.9.3/src/misc/match_subtitle_export_script.c
Examining data/libquvi-0.9.3/src/misc/subtitle.h
Examining data/libquvi-0.9.3/tests/lib/tests.h
Examining data/libquvi-0.9.3/tests/lib/re.c
Examining data/libquvi-0.9.3/tests/lib/env.c
Examining data/libquvi-0.9.3/tests/lib/qerr.c
Examining data/libquvi-0.9.3/tests/supports.c
Examining data/libquvi-0.9.3/tests/subtitle.c
Examining data/libquvi-0.9.3/tests/playlist.c
Examining data/libquvi-0.9.3/tests/http_metainfo.c
Examining data/libquvi-0.9.3/tests/script.c
Examining data/libquvi-0.9.3/tests/media.c
Examining data/libquvi-0.9.3/tests/resolve.c
Examining data/libquvi-0.9.3/tests/quvi.c
Examining data/libquvi-0.9.3/tests/scan.c
Examining data/libquvi-0.9.3/tests/goto.c
Examining data/libquvi-0.9.3/examples/lib/chk.c
Examining data/libquvi-0.9.3/examples/lib/exit_if_error.c
Examining data/libquvi-0.9.3/examples/lib/enable_cookies.c
Examining data/libquvi-0.9.3/examples/lib/status.c
Examining data/libquvi-0.9.3/examples/lib/cleanup.c
Examining data/libquvi-0.9.3/examples/lib/enable_verbose.c
Examining data/libquvi-0.9.3/examples/lib/enable_autoproxy.c
Examining data/libquvi-0.9.3/examples/lib/examples.h
Examining data/libquvi-0.9.3/examples/lib/var.c
Examining data/libquvi-0.9.3/examples/version.c
Examining data/libquvi-0.9.3/examples/supports.c
Examining data/libquvi-0.9.3/examples/subtitle.c
Examining data/libquvi-0.9.3/examples/playlist.c
Examining data/libquvi-0.9.3/examples/http_metainfo.c
Examining data/libquvi-0.9.3/examples/script.c
Examining data/libquvi-0.9.3/examples/file_ext.c
Examining data/libquvi-0.9.3/examples/media.c
Examining data/libquvi-0.9.3/examples/resolve.c
Examining data/libquvi-0.9.3/examples/scan.c

FINAL RESULTS:

data/libquvi-0.9.3/src/curl/temp.c:58:7: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(&(ct->p[ct->size]), p, rsize);
data/libquvi-0.9.3/src/gcrypt/crypto.c:185:3: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(out, data, dlen);
data/libquvi-0.9.3/src/gcrypt/crypto.c:210:7: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(&(c->out.data[c->out.dlen]), out, c->cipher.blklen);
data/libquvi-0.9.3/src/gcrypt/crypto.c:223:3: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(out, data, dlen);
data/libquvi-0.9.3/src/gcrypt/crypto.c:253:7: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(&(c->out.data[c->out.dlen]), out, n);
data/libquvi-0.9.3/src/gcrypt/crypto.c:359:7: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  n = strlen(hexstr);
data/libquvi-0.9.3/src/lua/quvi/http/header.c:65:7: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen(s) >0)
data/libquvi-0.9.3/src/misc/match_media_script.c:89:30: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (show_script != NULL && strlen(show_script) >0)
data/libquvi-0.9.3/src/misc/match_playlist_script.c:78:30: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (show_script != NULL && strlen(show_script) >0)
data/libquvi-0.9.3/src/misc/match_subtitle_export_script.c:79:30: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (show_script != NULL && strlen(show_script) >0)
data/libquvi-0.9.3/src/misc/match_subtitle_script.c:76:30: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (show_script != NULL && strlen(show_script) >0)
data/libquvi-0.9.3/src/misc/scan_scripts.c:130:30: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (show_script != NULL && strlen(show_script) >0)
data/libquvi-0.9.3/src/misc/scan_scripts.c:407:27: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (show_dir != NULL && strlen(show_dir) >0)
data/libquvi-0.9.3/src/misc/scan_scripts.c:423:42: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (show_script != NULL && strlen(show_script) >0)
data/libquvi-0.9.3/src/misc/scan_scripts.c:442:42: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (show_script != NULL && strlen(show_script) >0)
data/libquvi-0.9.3/src/misc/scan_scripts.c:527:32: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (scripts_dir != NULL && strlen(scripts_dir) >0)
data/libquvi-0.9.3/src/misc/scan_scripts.c:609:32: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (scripts_dir != NULL && strlen(scripts_dir) >0)
data/libquvi-0.9.3/src/misc/scan_scripts.c:685:38: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  excl_scripts_dir = (s != NULL && strlen(s) >0)
data/libquvi-0.9.3/src/misc/to_utf8.c:35:31: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (from != NULL && strlen(from) >0)
data/libquvi-0.9.3/tests/http_metainfo.c:35:21: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  g_assert_cmpint(strlen(s), >, 1);\
data/libquvi-0.9.3/tests/lib/env.c:33:20: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (s == NULL || strlen(s) == 0)
data/libquvi-0.9.3/tests/lib/env.c:68:20: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (e == NULL || strlen(e) == 0)
data/libquvi-0.9.3/tests/media.c:55:21: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  g_assert_cmpint(strlen(s), >, 1); \
data/libquvi-0.9.3/tests/playlist.c:62:19: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  g_assert_cmpint(strlen(s), >, 0);
data/libquvi-0.9.3/tests/playlist.c:103:25: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  g_assert_cmpint(strlen(s), >, 0);
data/libquvi-0.9.3/tests/playlist.c:117:25: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  g_assert_cmpint(strlen(s), >, 0);
data/libquvi-0.9.3/tests/playlist.c:151:19: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  g_assert_cmpint(strlen(s), >, 0);
data/libquvi-0.9.3/tests/playlist.c:167:25: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  g_assert_cmpint(strlen(s), >, 0);
data/libquvi-0.9.3/tests/scan.c:44:23: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  g_assert_cmpint(strlen(s), >, 0);
data/libquvi-0.9.3/tests/script.c:46:11: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  return (strlen(s));
data/libquvi-0.9.3/tests/subtitle.c:57:19: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  g_assert_cmpint(strlen(s), >, 1);
data/libquvi-0.9.3/tests/subtitle.c:168:19: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  g_assert_cmpint(strlen(quvi_subtitle_export_data(qse)), >, 0);
data/libquvi-0.9.3/tests/subtitle.c:273:19: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  g_assert_cmpint(strlen(s), >, 1);

ANALYSIS SUMMARY:

Hits = 33
Lines analyzed = 17553 in approximately 0.55 seconds (31748 lines/second)
Physical Source Lines of Code (SLOC) = 9449
Hits@level = [0] 1 [1] 28 [2] 5 [3] 0 [4] 0 [5] 0
Hits@level+ = [0+] 34 [1+] 33 [2+] 5 [3+] 0 [4+] 0 [5+] 0
Hits/KSLOC@level+ = [0+] 3.59826 [1+] 3.49243 [2+] 0.529157 [3+] 0 [4+] 0 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.