Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler. Number of rules (primarily dangerous function names) in C/C++ ruleset: 223 Examining data/libuninameslist-20200413/buildnameslist.c Examining data/libuninameslist-20200413/nameslist-dll.h Examining data/libuninameslist-20200413/nameslist-fr.c Examining data/libuninameslist-20200413/nameslist.c Examining data/libuninameslist-20200413/tests/call-test.c Examining data/libuninameslist-20200413/tests/call-test0.c Examining data/libuninameslist-20200413/tests/call-test1.c Examining data/libuninameslist-20200413/tests/call-test2.c Examining data/libuninameslist-20200413/tests/call-test3.c Examining data/libuninameslist-20200413/tests/call-test4.c Examining data/libuninameslist-20200413/tests/call-test5.c Examining data/libuninameslist-20200413/tests/call-test6.c Examining data/libuninameslist-20200413/tests/call-test7.c Examining data/libuninameslist-20200413/uninameslist-fr.h Examining data/libuninameslist-20200413/uninameslist.h FINAL RESULTS: data/libuninameslist-20200413/buildnameslist.c:190:8: [4] (buffer) strcat: Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). strcat(temp,buffer+2); data/libuninameslist-20200413/buildnameslist.c:251:7: [4] (buffer) strcat: Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). strcat(temp,buffer); data/libuninameslist-20200413/buildnameslist.c:23:8: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static char *uninames[2][17*65536]; data/libuninameslist-20200413/buildnameslist.c:24:8: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static char *uniannot[2][17*65536]; data/libuninameslist-20200413/buildnameslist.c:29:8: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static char names2pt[2][17*65536]; data/libuninameslist-20200413/buildnameslist.c:30:8: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static char names2ln[2][17*65536]; data/libuninameslist-20200413/buildnameslist.c:31:8: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static char names2cnt[2]; data/libuninameslist-20200413/buildnameslist.c:38:14: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static const char *lg[2] = { "", "FR" }; data/libuninameslist-20200413/buildnameslist.c:39:14: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static const char *lgb[2] = { "UNICODE_EN_BLOCK_MAX", "UNICODE_FR_BLOCK_MAX" }; data/libuninameslist-20200413/buildnameslist.c:40:14: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static const char *lgv[2] = { NL_VERSION, NFR_VERSION }; data/libuninameslist-20200413/buildnameslist.c:159:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buffer[2000]; data/libuninameslist-20200413/buildnameslist.c:173:7: [2] (misc) fopen: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). nl = fopen( nameslistfiles[i],"r" ); data/libuninameslist-20200413/buildnameslist.c:188:16: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. temp = (char *)(realloc(uniannot[i][a_char],strlen(uniannot[i][a_char])+strlen(buffer+2)+1)); data/libuninameslist-20200413/buildnameslist.c:249:15: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. temp = (char *)(realloc(uniannot[i][a_char],strlen(uniannot[i][a_char])+strlen(buffer)+1)); data/libuninameslist-20200413/buildnameslist.c:748:17: [2] (misc) fopen: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). FILE *out = fopen(is_fr ? "nameslist-fr.c":"nameslist.c","w"); data/libuninameslist-20200413/buildnameslist.c:753:20: [2] (misc) fopen: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). FILE *header = fopen( is_fr ? "uninameslist-fr.h": "uninameslist.h","w"); data/libuninameslist-20200413/buildnameslist.c:118:33: [1] (buffer) getc: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). for ( pt=buf; pt<end && (ch=getc(file))!=EOF && ch!='\n' && ch!='\r'; ) data/libuninameslist-20200413/buildnameslist.c:123:9: [1] (buffer) getc: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). ch=getc(file); data/libuninameslist-20200413/buildnameslist.c:188:52: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). temp = (char *)(realloc(uniannot[i][a_char],strlen(uniannot[i][a_char])+strlen(buffer+2)+1)); data/libuninameslist-20200413/buildnameslist.c:188:80: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). temp = (char *)(realloc(uniannot[i][a_char],strlen(uniannot[i][a_char])+strlen(buffer+2)+1)); data/libuninameslist-20200413/buildnameslist.c:249:51: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). temp = (char *)(realloc(uniannot[i][a_char],strlen(uniannot[i][a_char])+strlen(buffer)+1)); data/libuninameslist-20200413/buildnameslist.c:249:79: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). temp = (char *)(realloc(uniannot[i][a_char],strlen(uniannot[i][a_char])+strlen(buffer)+1)); data/libuninameslist-20200413/buildnameslist.c:640:40: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if ( uninames[is_fr][i]!=NULL && maxn<strlen(uninames[is_fr][i])) maxn = (unsigned int) strlen(uninames[is_fr][i]); data/libuninameslist-20200413/buildnameslist.c:640:90: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if ( uninames[is_fr][i]!=NULL && maxn<strlen(uninames[is_fr][i])) maxn = (unsigned int) strlen(uninames[is_fr][i]); data/libuninameslist-20200413/buildnameslist.c:641:40: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if ( uniannot[is_fr][i]!=NULL && maxa<strlen(uniannot[is_fr][i])) maxa = (unsigned int) strlen(uniannot[is_fr][i]); data/libuninameslist-20200413/buildnameslist.c:641:90: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if ( uniannot[is_fr][i]!=NULL && maxa<strlen(uniannot[is_fr][i])) maxa = (unsigned int) strlen(uniannot[is_fr][i]); ANALYSIS SUMMARY: Hits = 26 Lines analyzed = 100586 in approximately 6.03 seconds (16678 lines/second) Physical Source Lines of Code (SLOC) = 99746 Hits@level = [0] 367 [1] 10 [2] 14 [3] 0 [4] 2 [5] 0 Hits@level+ = [0+] 393 [1+] 26 [2+] 16 [3+] 2 [4+] 2 [5+] 0 Hits/KSLOC@level+ = [0+] 3.94001 [1+] 0.260662 [2+] 0.160407 [3+] 0.0200509 [4+] 0.0200509 [5+] 0 Dot directories skipped = 1 (--followdotdir overrides) Minimum risk level = 1 Not every hit is necessarily a security vulnerability. There may be other security vulnerabilities; review your code! See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.