Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/libxrender-0.9.10/include/X11/extensions/Xrender.h
Examining data/libxrender-0.9.10/src/Tri.c
Examining data/libxrender-0.9.10/src/AddTrap.c
Examining data/libxrender-0.9.10/src/Composite.c
Examining data/libxrender-0.9.10/src/Cursor.c
Examining data/libxrender-0.9.10/src/FillRects.c
Examining data/libxrender-0.9.10/src/Picture.c
Examining data/libxrender-0.9.10/src/Xrender.c
Examining data/libxrender-0.9.10/src/Color.c
Examining data/libxrender-0.9.10/src/Xrenderint.h
Examining data/libxrender-0.9.10/src/Filter.c
Examining data/libxrender-0.9.10/src/Glyph.c
Examining data/libxrender-0.9.10/src/FillRect.c
Examining data/libxrender-0.9.10/src/Poly.c
Examining data/libxrender-0.9.10/src/Trap.c

FINAL RESULTS:

data/libxrender-0.9.10/src/Glyph.c:205:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy ((char *) (elt + 1), string, MAX_8);
data/libxrender-0.9.10/src/Glyph.c:217:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy ((char *) (elt + 1), string, nchar);
data/libxrender-0.9.10/src/Glyph.c:284:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy ((char *) (elt + 1), (char *) string, MAX_16 * 2);
data/libxrender-0.9.10/src/Glyph.c:296:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy ((char *) (elt + 1), (char *) string, nchar * 2);
data/libxrender-0.9.10/src/Glyph.c:364:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy ((char *) (elt + 1), (char *) string, MAX_32 * 4);
data/libxrender-0.9.10/src/Glyph.c:376:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy ((char *) (elt + 1), (char *) string, nchar * 4);
data/libxrender-0.9.10/src/Filter.c:161:21:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  int nbytes = strlen (filter);

ANALYSIS SUMMARY:

Hits = 7
Lines analyzed = 3861 in approximately 0.11 seconds (33707 lines/second)
Physical Source Lines of Code (SLOC) = 2926
Hits@level = [0]   3 [1]   1 [2]   6 [3]   0 [4]   0 [5]   0
Hits@level+ = [0+]  10 [1+]   7 [2+]   6 [3+]   0 [4+]   0 [5+]   0
Hits/KSLOC@level+ = [0+] 3.41763 [1+] 2.39234 [2+] 2.05058 [3+]   0 [4+]   0 [5+]   0
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.