Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/libxmltok-1.2/xmltok/ascii.h
Examining data/libxmltok-1.2/xmltok/asciitab.h
Examining data/libxmltok-1.2/xmltok/dllmain.c
Examining data/libxmltok-1.2/xmltok/iasciitab.h
Examining data/libxmltok-1.2/xmltok/latin1tab.h
Examining data/libxmltok-1.2/xmltok/nametab.h
Examining data/libxmltok-1.2/xmltok/utf8tab.h
Examining data/libxmltok-1.2/xmltok/xmldef.h
Examining data/libxmltok-1.2/xmltok/xmlrole.c
Examining data/libxmltok-1.2/xmltok/xmlrole.h
Examining data/libxmltok-1.2/xmltok/xmltok.c
Examining data/libxmltok-1.2/xmltok/xmltok.h
Examining data/libxmltok-1.2/xmltok/xmltok_impl.c
Examining data/libxmltok-1.2/xmltok/xmltok_impl.h
Examining data/libxmltok-1.2/xmltok/xmltok_ns.c
Examining data/libxmltok-1.2/gennmtab/gennmtab.c
Examining data/libxmltok-1.2/xmlparse/xmlparse.c
Examining data/libxmltok-1.2/xmlparse/xmlparse.h
Examining data/libxmltok-1.2/xmlwf/codepage.c
Examining data/libxmltok-1.2/xmlwf/codepage.h
Examining data/libxmltok-1.2/xmlwf/filemap.h
Examining data/libxmltok-1.2/xmlwf/readfilemap.c
Examining data/libxmltok-1.2/xmlwf/unixfilemap.c
Examining data/libxmltok-1.2/xmlwf/win32filemap.c
Examining data/libxmltok-1.2/xmlwf/xmlfile.c
Examining data/libxmltok-1.2/xmlwf/xmlfile.h
Examining data/libxmltok-1.2/xmlwf/xmltchar.h
Examining data/libxmltok-1.2/xmlwf/xmlwf.c
Examining data/libxmltok-1.2/sample/elements.c

FINAL RESULTS:

data/libxmltok-1.2/xmlwf/xmltchar.h:6:18:  [4] (format) fwprintf:
  If format strings can be influenced by an attacker, they can be exploited
  (CWE-134). Use a constant for the format specification.
#define ftprintf fwprintf
data/libxmltok-1.2/xmlwf/xmltchar.h:11:16:  [4] (buffer) wcscpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using a function version that stops copying at the end
  of the buffer.
#define tcscpy wcscpy
data/libxmltok-1.2/xmlwf/xmltchar.h:12:16:  [4] (buffer) wcscat:
  Does not check for buffer overflows when concatenating to destination
  [MS-banned] (CWE-120).
#define tcscat wcscat
data/libxmltok-1.2/xmlwf/xmltchar.h:22:18:  [4] (format) fprintf:
  If format strings can be influenced by an attacker, they can be exploited
  (CWE-134). Use a constant for the format specification.
#define ftprintf fprintf
data/libxmltok-1.2/xmlwf/xmltchar.h:27:16:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
#define tcscpy strcpy
data/libxmltok-1.2/xmlwf/xmltchar.h:28:16:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination
  [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
  snprintf (warning: strncat is easily misused).
#define tcscat strcat
data/libxmltok-1.2/gennmtab/gennmtab.c:375:12:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  unsigned char pageIndex[512];
data/libxmltok-1.2/gennmtab/gennmtab.c:420:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char tab[2*65536];
data/libxmltok-1.2/gennmtab/gennmtab.c:423:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(tab + 65536, tab, 65536);
data/libxmltok-1.2/sample/elements.c:27:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buf[BUFSIZ];
data/libxmltok-1.2/xmlparse/xmlparse.c:116:8:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
  char open;
data/libxmltok-1.2/xmlparse/xmlparse.c:922:7:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
      memcpy(buffer, end, nLeftOver);
data/libxmltok-1.2/xmlparse/xmlparse.c:929:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
    memcpy(XML_GetBuffer(parser, len), s, len);
data/libxmltok-1.2/xmlparse/xmlparse.c:979:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	memcpy(newBuf, bufferPtr, bufferEnd - bufferPtr);
data/libxmltok-1.2/xmlparse/xmlparse.c:1265:14:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
	if (entity->open)
data/libxmltok-1.2/xmlparse/xmlparse.c:1354:4:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	  memcpy(tag->buf, tag->rawName, tag->rawNameLength);
data/libxmltok-1.2/xmlparse/xmlparse.c:1816:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
    memcpy(uri, binding->uri, binding->uriLen * sizeof(XML_Char));
data/libxmltok-1.2/xmlparse/xmlparse.c:1823:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(binding->uri + binding->uriLen, localPart, i * sizeof(XML_Char));
data/libxmltok-1.2/xmlparse/xmlparse.c:1859:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(b->uri, uri, len * sizeof(XML_Char));
data/libxmltok-1.2/xmlparse/xmlparse.c:2070:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char encodingBuf[128];
data/libxmltok-1.2/xmlparse/xmlparse.c:2656:14:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
	if (entity->open)
data/libxmltok-1.2/xmlparse/xmlparse.c:2922:19:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
	else if (entity->open) {
data/libxmltok-1.2/xmlparse/xmlparse.c:2985:14:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
	if (entity->open) {
data/libxmltok-1.2/xmlparse/xmlparse.c:3336:13:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
    if (!e->open)
data/libxmltok-1.2/xmlparse/xmlparse.c:3452:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(&tem, p1, sizeof(DTD));
data/libxmltok-1.2/xmlparse/xmlparse.c:3453:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(p1, p2, sizeof(DTD));
data/libxmltok-1.2/xmlparse/xmlparse.c:3454:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(p2, &tem, sizeof(DTD));
data/libxmltok-1.2/xmlparse/xmlparse.c:3888:7:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
      memcpy(pool->blocks->s, pool->start, (pool->end - pool->start) * sizeof(XML_Char));
data/libxmltok-1.2/xmlparse/xmlparse.c:3919:7:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
      memcpy(tem->s, pool->start, (pool->ptr - pool->start) * sizeof(XML_Char));
data/libxmltok-1.2/xmltok/xmltok.c:123:12:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  unsigned char type[256];
data/libxmltok-1.2/xmltok/xmltok.c:883:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buf[1];
data/libxmltok-1.2/xmltok/xmltok.c:917:8:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
  char open;
data/libxmltok-1.2/xmltok/xmltok.c:976:14:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
    if (c == open)
data/libxmltok-1.2/xmltok/xmltok.c:1176:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char utf8[256][4];
data/libxmltok-1.2/xmltok/xmltok.c:1217:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buf[XML_UTF8_ENCODE_MAX];
data/libxmltok-1.2/xmltok/xmltok.c:1275:7:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    ((char *)mem)[i] = ((char *)&latin1_encoding)[i];
data/libxmltok-1.2/xmltok/xmltok_impl.c:572:6:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
	int open;
data/libxmltok-1.2/xmltok/xmltok_impl.c:584:12:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
	  switch (open) {
data/libxmltok-1.2/xmltok/xmltok_impl.c:601:13:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
	  if (t == open)
data/libxmltok-1.2/xmltok/xmltok_impl.c:936:25:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
int PREFIX(scanLit)(int open, const ENCODING *enc,
data/libxmltok-1.2/xmltok/xmltok_impl.c:947:16:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
      if (t != open)
data/libxmltok-1.2/xmltok/xmltok_impl.c:1489:53:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
	           || BYTE_TYPE(enc, ptr + MINBPC(enc)) == open))
data/libxmltok-1.2/xmltok/xmltok_ns.c:61:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buf[ENCODING_MAX];
data/libxmltok-1.2/xmlwf/codepage.c:36:10:  [2] (buffer) MultiByteToWideChar:
  Requires maximum length in CHARACTERS, not bytes (CWE-120).
     if (MultiByteToWideChar(cp, MB_PRECOMPOSED|MB_ERR_INVALID_CHARS,
data/libxmltok-1.2/xmlwf/codepage.c:47:7:  [2] (buffer) MultiByteToWideChar:
  Requires maximum length in CHARACTERS, not bytes (CWE-120).
  if (MultiByteToWideChar(cp, MB_PRECOMPOSED|MB_ERR_INVALID_CHARS,
data/libxmltok-1.2/xmlwf/readfilemap.c:40:8:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
  fd = open(name, O_RDONLY|O_BINARY);
data/libxmltok-1.2/xmlwf/unixfilemap.c:29:8:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
  fd = open(name, O_RDONLY);
data/libxmltok-1.2/xmlwf/xmltchar.h:23:16:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
#define tfopen fopen
data/libxmltok-1.2/xmlwf/xmltchar.h:33:15:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
#define topen open
data/libxmltok-1.2/xmlwf/readfilemap.c:59:7:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  n = read(fd, p, nbytes);
data/libxmltok-1.2/xmlwf/xmlfile.c:153:13:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
    nread = read(fd, buf, READ_SIZE);
data/libxmltok-1.2/xmlwf/xmltchar.h:15:16:  [1] (buffer) wcslen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
#define tcslen wcslen
data/libxmltok-1.2/xmlwf/xmltchar.h:31:16:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
#define tcslen strlen

ANALYSIS SUMMARY:

Hits = 53
Lines analyzed = 11852 in approximately 0.28 seconds (41980 lines/second)
Physical Source Lines of Code (SLOC) = 10532
Hits@level = [0]  16 [1]   4 [2]  43 [3]   0 [4]   6 [5]   0
Hits@level+ = [0+]  69 [1+]  53 [2+]  49 [3+]   6 [4+]   6 [5+]   0
Hits/KSLOC@level+ = [0+] 6.55146 [1+] 5.03228 [2+] 4.65249 [3+] 0.569692 [4+] 0.569692 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.