Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/nekobee-0.1.8~repack1/src/nekobee_types.h
Examining data/nekobee-0.1.8~repack1/src/nekobee_synth.c
Examining data/nekobee-0.1.8~repack1/src/nekobee_ports.c
Examining data/nekobee-0.1.8~repack1/src/minblep_tables.c
Examining data/nekobee-0.1.8~repack1/src/nekobee_voice.c
Examining data/nekobee-0.1.8~repack1/src/nekobee_synth.h
Examining data/nekobee-0.1.8~repack1/src/gui_interface.c
Examining data/nekobee-0.1.8~repack1/src/nekobee.h
Examining data/nekobee-0.1.8~repack1/src/nekobee-dssi.c
Examining data/nekobee-0.1.8~repack1/src/nekobee_ports.h
Examining data/nekobee-0.1.8~repack1/src/gtkknob.c
Examining data/nekobee-0.1.8~repack1/src/nekobee_voice_render.c
Examining data/nekobee-0.1.8~repack1/src/gui_main.h
Examining data/nekobee-0.1.8~repack1/src/gui_main.c
Examining data/nekobee-0.1.8~repack1/src/gtkknob.h
Examining data/nekobee-0.1.8~repack1/src/gui_data.h
Examining data/nekobee-0.1.8~repack1/src/nekobee_voice.h
Examining data/nekobee-0.1.8~repack1/src/gui_interface.h
Examining data/nekobee-0.1.8~repack1/src/gui_callbacks.h
Examining data/nekobee-0.1.8~repack1/src/nekobee_data.c
Examining data/nekobee-0.1.8~repack1/src/gui_data.c
Examining data/nekobee-0.1.8~repack1/src/gui_callbacks.c
FINAL RESULTS:
data/nekobee-0.1.8~repack1/src/gui_interface.c:391:13: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(tag, instance_tag);
data/nekobee-0.1.8~repack1/src/nekobee-dssi.c:274:5: [4] (format) vsnprintf:
If format strings can be influenced by an attacker, they can be exploited,
and note that sprintf variations do not always \0-terminate (CWE-134). Use
a constant for the format specification.
vsnprintf(buffer, 256, fmt, args);
data/nekobee-0.1.8~repack1/src/nekobee.h:51:62: [4] (format) fprintf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
#define XDB_MESSAGE(type, fmt...) { if (XSYNTH_DEBUG & type) fprintf(stderr, "nekobee-dssi.so" fmt); }
data/nekobee-0.1.8~repack1/src/nekobee.h:52:62: [4] (format) fprintf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
#define GDB_MESSAGE(type, fmt...) { if (XSYNTH_DEBUG & type) fprintf(stderr, "nekobee_gtk" fmt); }
data/nekobee-0.1.8~repack1/src/gui_callbacks.c:103:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[256];
data/nekobee-0.1.8~repack1/src/gui_callbacks.c:190:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char midi[4];
data/nekobee-0.1.8~repack1/src/gui_callbacks.c:216:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buffer[4];
data/nekobee-0.1.8~repack1/src/gui_data.c:52:9: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&patches[0], &nekobee_init_voice, sizeof(nekobee_patch_t));
data/nekobee-0.1.8~repack1/src/gui_interface.c:381:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char tag[50];
data/nekobee-0.1.8~repack1/src/gui_interface.c:385:9: [2] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused). Risk is low because the source is a constant string.
strcpy(tag, "nekobee-DSSI");
data/nekobee-0.1.8~repack1/src/gui_main.c:68:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buffer[256];
data/nekobee-0.1.8~repack1/src/nekobee-dssi.c:271:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buffer[256];
data/nekobee-0.1.8~repack1/src/nekobee_synth.c:224:9: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&synth->patches[0], &nekobee_init_voice, sizeof(nekobee_patch_t));
data/nekobee-0.1.8~repack1/src/nekobee_synth.h:65:12: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
signed char held_keys[8]; /* for monophonic key tracking, an array of note-ons, most recently received first */
data/nekobee-0.1.8~repack1/src/nekobee_synth.h:80:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char key_pressure[128];
data/nekobee-0.1.8~repack1/src/nekobee_synth.h:81:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char cc[128]; /* controller values */
data/nekobee-0.1.8~repack1/src/nekobee_voice_render.c:399:13: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(voice->osc_audio, voice->osc_audio + osc_index,
data/nekobee-0.1.8~repack1/src/gui_callbacks.c:75:37: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
} else if (project_directory && strlen(project_directory)) {
data/nekobee-0.1.8~repack1/src/gui_callbacks.c:76:27: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
size_t path_len = strlen(project_directory);
data/nekobee-0.1.8~repack1/src/gui_interface.c:384:9: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (strlen(instance_tag) == 0) {
data/nekobee-0.1.8~repack1/src/gui_interface.c:388:13: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (strlen(instance_tag) > 49) {
data/nekobee-0.1.8~repack1/src/gui_interface.c:389:55: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
snprintf(tag, 50, "...%s", instance_tag + strlen(instance_tag) - 46); /* hope the unique info is at the end */
data/nekobee-0.1.8~repack1/src/gui_interface.c:394:13: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (strlen(instance_tag) > 37) {
data/nekobee-0.1.8~repack1/src/gui_interface.c:395:68: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
snprintf(tag, 50, "nekobee-DSSI ...%s", instance_tag + strlen(instance_tag) - 34);
data/nekobee-0.1.8~repack1/src/gui_main.c:261:45: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
osc_self_url = osc_build_path(tmp_url, (strlen(path) > 1 ? path + 1 : path));
data/nekobee-0.1.8~repack1/src/nekobee-dssi.c:289:9: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (strlen(key) == 8 && !strncmp(key, "patches", 7)) {
ANALYSIS SUMMARY:
Hits = 26
Lines analyzed = 6060 in approximately 0.46 seconds (13181 lines/second)
Physical Source Lines of Code (SLOC) = 4425
Hits@level = [0] 12 [1] 9 [2] 13 [3] 0 [4] 4 [5] 0
Hits@level+ = [0+] 38 [1+] 26 [2+] 17 [3+] 4 [4+] 4 [5+] 0
Hits/KSLOC@level+ = [0+] 8.58757 [1+] 5.87571 [2+] 3.84181 [3+] 0.903955 [4+] 0.903955 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.