Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/php-gnupg-1.4.0/gnupg-1.4.0/phpc/phpc.h
Examining data/php-gnupg-1.4.0/gnupg-1.4.0/gnupg.c
Examining data/php-gnupg-1.4.0/gnupg-1.4.0/gnupg_keylistiterator.c
Examining data/php-gnupg-1.4.0/gnupg-1.4.0/php_gnupg.h
Examining data/php-gnupg-1.4.0/gnupg-1.4.0/php_gnupg_keylistiterator.h
FINAL RESULTS:
data/php-gnupg-1.4.0/gnupg-1.4.0/gnupg.c:402:2: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char uid[17];
data/php-gnupg-1.4.0/gnupg-1.4.0/gnupg.c:440:2: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char uid[17];
data/php-gnupg-1.4.0/gnupg-1.4.0/phpc/phpc.h:51:2: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&PHPC_OBJ_GET_HANDLER_VAR_NAME(_name), \
data/php-gnupg-1.4.0/gnupg-1.4.0/phpc/phpc.h:204:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(PHPC_STR_VAL(_name), _cstr, _len); \
data/php-gnupg-1.4.0/gnupg-1.4.0/gnupg.c:295:73: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
zend_declare_class_constant_long(gnupg_class_entry, (char*)const_name, strlen(const_name), value TSRMLS_CC);
data/php-gnupg-1.4.0/gnupg-1.4.0/gnupg.c:426:28: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (write(fd, passphrase, strlen(passphrase)) == strlen(passphrase) && write(fd, "\n", 1) == 1) {
data/php-gnupg-1.4.0/gnupg-1.4.0/gnupg.c:426:51: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (write(fd, passphrase, strlen(passphrase)) == strlen(passphrase) && write(fd, "\n", 1) == 1) {
data/php-gnupg-1.4.0/gnupg-1.4.0/gnupg.c:463:28: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (write(fd, passphrase, strlen(passphrase)) == strlen(passphrase) && write(fd, "\n", 1) == 1) {
data/php-gnupg-1.4.0/gnupg-1.4.0/gnupg.c:463:51: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (write(fd, passphrase, strlen(passphrase)) == strlen(passphrase) && write(fd, "\n", 1) == 1) {
data/php-gnupg-1.4.0/gnupg-1.4.0/phpc/phpc.h:177:47: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
#define PHPC_STR_LEN_FROM_VAL(_name) strlen(PHPC_STR_VAL(_name))
data/php-gnupg-1.4.0/gnupg-1.4.0/phpc/phpc.h:197:23: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
PHPC_STR_LEN(_str) = strlen(*PHPC_STR_VAL(_strpv))
data/php-gnupg-1.4.0/gnupg-1.4.0/phpc/phpc.h:374:34: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
zend_hash_add(_ht, _cstr_value, strlen(_cstr_value) + 1, _ptr, _ptr_size, NULL)
data/php-gnupg-1.4.0/gnupg-1.4.0/phpc/phpc.h:383:34: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
zend_hash_add(_ht, _cstr_value, strlen(_cstr_value) + 1, &_pzv, sizeof(_pzv), NULL)
data/php-gnupg-1.4.0/gnupg-1.4.0/phpc/phpc.h:393:37: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
zend_hash_update(_ht, _cstr_value, strlen(_cstr_value) + 1, _ptr, _ptr_size, NULL)
data/php-gnupg-1.4.0/gnupg-1.4.0/phpc/phpc.h:402:37: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
zend_hash_update(_ht, _cstr_value, strlen(_cstr_value) + 1, &_pzv, sizeof(_pzv), NULL)
data/php-gnupg-1.4.0/gnupg-1.4.0/phpc/phpc.h:412:34: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
zend_hash_del(_ht, _cstr_value, strlen(_cstr_value) + 1)
data/php-gnupg-1.4.0/gnupg-1.4.0/phpc/phpc.h:422:37: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
zend_hash_exists(_ht, _cstr_value, strlen(_cstr_value) + 1)
data/php-gnupg-1.4.0/gnupg-1.4.0/phpc/phpc.h:432:35: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
zend_hash_find(_ht, _cstr_value, strlen(_cstr_value) + 1, (void **) &_ppv)
data/php-gnupg-1.4.0/gnupg-1.4.0/phpc/phpc.h:964:42: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
zend_hash_str_add_ptr(_ht, _cstr_value, strlen(_cstr_value), _ptr)
data/php-gnupg-1.4.0/gnupg-1.4.0/phpc/phpc.h:970:38: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
zend_hash_str_add(_ht, _cstr_value, strlen(_cstr_value), _pzv)
data/php-gnupg-1.4.0/gnupg-1.4.0/phpc/phpc.h:980:45: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
zend_hash_str_update_ptr(_ht, _cstr_value, strlen(_cstr_value), _ptr)
data/php-gnupg-1.4.0/gnupg-1.4.0/phpc/phpc.h:986:41: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
zend_hash_str_update(_ht, _cstr_value, strlen(_cstr_value), _pzv)
data/php-gnupg-1.4.0/gnupg-1.4.0/phpc/phpc.h:993:38: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
zend_hash_str_del(_ht, _cstr_value, strlen(_cstr_value))
data/php-gnupg-1.4.0/gnupg-1.4.0/phpc/phpc.h:1000:41: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
zend_hash_str_exists(_ht, _cstr_value, strlen(_cstr_value))
data/php-gnupg-1.4.0/gnupg-1.4.0/phpc/phpc.h:1008:46: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
_ppv = zend_hash_str_find(_ht, _cstr_value, strlen(_cstr_value))
data/php-gnupg-1.4.0/gnupg-1.4.0/phpc/phpc.h:1017:50: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
_ptr = zend_hash_str_find_ptr(_ht, _cstr_value, strlen(_cstr_value))
ANALYSIS SUMMARY:
Hits = 26
Lines analyzed = 3368 in approximately 0.08 seconds (40791 lines/second)
Physical Source Lines of Code (SLOC) = 2511
Hits@level = [0] 0 [1] 22 [2] 4 [3] 0 [4] 0 [5] 0
Hits@level+ = [0+] 26 [1+] 26 [2+] 4 [3+] 0 [4+] 0 [5+] 0
Hits/KSLOC@level+ = [0+] 10.3544 [1+] 10.3544 [2+] 1.59299 [3+] 0 [4+] 0 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.