Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/r-cran-utf8-1.1.4/src/utf8_valid.c
Examining data/r-cran-utf8-1.1.4/src/string.c
Examining data/r-cran-utf8-1.1.4/src/util.c
Examining data/r-cran-utf8-1.1.4/src/bytes.c
Examining data/r-cran-utf8-1.1.4/src/utf8_encode.c
Examining data/r-cran-utf8-1.1.4/src/utf8_normalize.c
Examining data/r-cran-utf8-1.1.4/src/rutf8.h
Examining data/r-cran-utf8-1.1.4/src/render.c
Examining data/r-cran-utf8-1.1.4/src/utf8_format.c
Examining data/r-cran-utf8-1.1.4/src/context.c
Examining data/r-cran-utf8-1.1.4/src/utf8lite/tests/testutil.h
Examining data/r-cran-utf8-1.1.4/src/utf8lite/tests/testutil.c
Examining data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_textmap.c
Examining data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_unicode.c
Examining data/r-cran-utf8-1.1.4/src/utf8lite/tests/wcwidth9/wcwidth9.h
Examining data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_text.c
Examining data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_render.c
Examining data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_graphscan.c
Examining data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_charwidth.c
Examining data/r-cran-utf8-1.1.4/src/utf8lite/src/graphscan.c
Examining data/r-cran-utf8-1.1.4/src/utf8lite/src/private/charwidth.h
Examining data/r-cran-utf8-1.1.4/src/utf8lite/src/private/compose.h
Examining data/r-cran-utf8-1.1.4/src/utf8lite/src/private/array.h
Examining data/r-cran-utf8-1.1.4/src/utf8lite/src/private/combining.h
Examining data/r-cran-utf8-1.1.4/src/utf8lite/src/private/graphbreak.h
Examining data/r-cran-utf8-1.1.4/src/utf8lite/src/private/decompose.h
Examining data/r-cran-utf8-1.1.4/src/utf8lite/src/private/casefold.h
Examining data/r-cran-utf8-1.1.4/src/utf8lite/src/char.c
Examining data/r-cran-utf8-1.1.4/src/utf8lite/src/utf8lite.h
Examining data/r-cran-utf8-1.1.4/src/utf8lite/src/render.c
Examining data/r-cran-utf8-1.1.4/src/utf8lite/src/error.c
Examining data/r-cran-utf8-1.1.4/src/utf8lite/src/graph.c
Examining data/r-cran-utf8-1.1.4/src/utf8lite/src/escape.c
Examining data/r-cran-utf8-1.1.4/src/utf8lite/src/encode.c
Examining data/r-cran-utf8-1.1.4/src/utf8lite/src/textiter.c
Examining data/r-cran-utf8-1.1.4/src/utf8lite/src/array.c
Examining data/r-cran-utf8-1.1.4/src/utf8lite/src/textmap.c
Examining data/r-cran-utf8-1.1.4/src/utf8lite/src/textassign.c
Examining data/r-cran-utf8-1.1.4/src/utf8lite/src/normalize.c
Examining data/r-cran-utf8-1.1.4/src/utf8lite/src/text.c
Examining data/r-cran-utf8-1.1.4/src/utf8lite/util/table-graphbreak.c
Examining data/r-cran-utf8-1.1.4/src/init.c
Examining data/r-cran-utf8-1.1.4/src/as_utf8.c
Examining data/r-cran-utf8-1.1.4/src/render_table.c
Examining data/r-cran-utf8-1.1.4/src/utf8_width.c
Examining data/r-cran-utf8-1.1.4/src/text.c

FINAL RESULTS:

data/r-cran-utf8-1.1.4/src/utf8lite/src/error.c:39:3: [4] (format) vsnprintf: If format strings can be influenced by an attacker, they can be exploited, and note that sprintf variations do not always \0-terminate (CWE-134). Use a constant for the format specification.
  vsnprintf(msg->string, sizeof(msg->string), fmt, ap);

data/r-cran-utf8-1.1.4/src/utf8lite/src/error.c:57:3: [4] (format) vsnprintf: If format strings can be influenced by an attacker, they can be exploited, and note that sprintf variations do not always \0-terminate (CWE-134). Use a constant for the format specification.
  vsnprintf(msg->string + n, nmax - n, fmt, ap);

data/r-cran-utf8-1.1.4/src/utf8lite/src/render.c:300:16: [4] (format) sprintf: Potential format string problem (CWE-134). Make format string constant.
  r->length += sprintf(&r->string[r->length],

data/r-cran-utf8-1.1.4/src/utf8lite/src/render.c:547:8: [4] (format) vsnprintf: If format strings can be influenced by an attacker, they can be exploited, and note that sprintf variations do not always \0-terminate (CWE-134). Use a constant for the format specification.
  len = vsnprintf(NULL, 0, format, ap);

data/r-cran-utf8-1.1.4/src/utf8lite/src/render.c:559:2: [4] (format) vsprintf: Potential format string problem (CWE-134). Make format string constant.
  vsprintf(buffer, format, ap2);

data/r-cran-utf8-1.1.4/src/utf8lite/src/utf8lite.h:77:26: [4] (format) printf: If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification.
  __attribute__ ((format (printf, 2, 3)));

data/r-cran-utf8-1.1.4/src/utf8lite/src/utf8lite.h:91:26: [4] (format) printf: If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification.
  __attribute__ ((format (printf, 2, 3)));

data/r-cran-utf8-1.1.4/src/utf8lite/src/utf8lite.h:993:26: [4] (format) printf: If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification.
  __attribute__ ((format (printf, 2, 3)));

data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_unicode.c:200:14: [4] (buffer) fscanf: The scanf() family's %s operation, without a limit specification, permits buffer overflows (CWE-120, CWE-20). Specify a limit to %s, or use a different input function. If the scanf format is influenceable by an attacker, it's exploitable.
  ck_assert(fscanf(file, "%"SCNx32, &code));

data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_text.c:622:2: [3] (random) srand: This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  srand((unsigned)_i);

data/r-cran-utf8-1.1.4/src/bytes.c:363:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char ch, buf[5];

data/r-cran-utf8-1.1.4/src/bytes.c:391:5: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(buf, "\\x%02x", (unsigned)byte);

data/r-cran-utf8-1.1.4/src/utf8lite/src/render.c:183:22: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  const char *open, const char *close)

data/r-cran-utf8-1.1.4/src/utf8lite/src/render.c:188:6: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if (open) {

data/r-cran-utf8-1.1.4/src/utf8lite/src/render.c:189:26: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if ((open_len = strlen(open)) >= INT_MAX) {

data/r-cran-utf8-1.1.4/src/utf8lite/src/render.c:200:18: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  r->style_open = open;

data/r-cran-utf8-1.1.4/src/utf8lite/src/render.c:236:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(end, r->newline, r->newline_length + 1); // include '\0'

data/r-cran-utf8-1.1.4/src/utf8lite/src/render.c:260:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(end, r->tab, r->tab_length + 1); // include '\0'

data/r-cran-utf8-1.1.4/src/utf8lite/src/render.c:292:16: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  r->length += sprintf(&r->string[r->length],

data/r-cran-utf8-1.1.4/src/utf8lite/src/render.c:297:16: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  r->length += sprintf(&r->string[r->length],

data/r-cran-utf8-1.1.4/src/utf8lite/src/render.c:324:18: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  r->length += sprintf(&r->string[r->length],

data/r-cran-utf8-1.1.4/src/utf8lite/src/render.c:359:18: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  r->length += sprintf(&r->string[r->length],

data/r-cran-utf8-1.1.4/src/utf8lite/src/render.c:368:17: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  r->length += sprintf(&r->string[r->length],

data/r-cran-utf8-1.1.4/src/utf8lite/src/render.c:620:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(r->string + r->length, bytes, size);

data/r-cran-utf8-1.1.4/src/utf8lite/src/text.c:35:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(text->ptr, other->ptr, size);

data/r-cran-utf8-1.1.4/src/utf8lite/src/utf8lite.h:56:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char string[UTF8LITE_MESSAGE_MAX + 1]; /**< NUL-terminated message */

data/r-cran-utf8-1.1.4/src/utf8lite/src/utf8lite.h:913:22: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  const char *open, const char *close);

data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_graphscan.c:125:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char comment[4096];

data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_graphscan.c:168:9: [2] (misc) fopen: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  file = fopen(GRAPH_BREAK_TEST, "r");

data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_graphscan.c:170:10: [2] (misc) fopen: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  file = fopen("../"GRAPH_BREAK_TEST, "r");

data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_render.c:471:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buffer[32];

data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_render.c:694:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buffer[32];

data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_render.c:730:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buffer[32];

data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_text.c:632:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(buffer + size, types[id].string, len);

data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_textmap.c:43:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(val->ptr, map.text.ptr, size);

data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_textmap.c:92:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char str[256];

data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_textmap.c:107:3: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(str, "\\u%04X", i);

data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_textmap.c:135:3: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf((char *)str, "\\u%04X", i);

data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_textmap.c:209:3: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf((char *)str, "\\u%04x", ws[i]);

data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_textmap.c:233:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char str[256];

data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_textmap.c:253:3: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(str, "\\u%04X", i);

data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_textmap.c:278:3: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
Risk is low because the source has a constant maximum length.
  sprintf((char *)str, "\\u%04X", i);

data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_textmap.c:316:3: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf((char *)str, "\\u%04x", ws[i]);

data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_unicode.c:30:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char comment[1024];

data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_unicode.c:114:9: [2] (misc) fopen: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  file = fopen(NORMALIZATION_TEST, "r");

data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_unicode.c:116:10: [2] (misc) fopen: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  file = fopen("../"NORMALIZATION_TEST, "r");

data/r-cran-utf8-1.1.4/src/utf8lite/tests/testutil.c:84:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(ptr, str, size + 1);

data/r-cran-utf8-1.1.4/src/util.c:57:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(ans + 2, CHAR(elt), n);

data/r-cran-utf8-1.1.4/src/util.c:122:9: [2] (buffer) MultiByteToWideChar: Requires maximum length in CHARACTERS, not bytes (CWE-120).
  wlen = MultiByteToWideChar(cp, 0, raw, n, NULL, 0);

data/r-cran-utf8-1.1.4/src/util.c:124:2: [2] (buffer) MultiByteToWideChar: Requires maximum length in CHARACTERS, not bytes (CWE-120).
  MultiByteToWideChar(cp, 0, raw, n, wstr, wlen);

data/r-cran-utf8-1.1.4/src/as_utf8.c:86:11: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  size = strlen((const char *)str);

data/r-cran-utf8-1.1.4/src/render_table.c:294:23: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  s.names_len = (int)strlen(s.names);

data/r-cran-utf8-1.1.4/src/render_table.c:297:26: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  s.rownames_len = (int)strlen(s.rownames);

data/r-cran-utf8-1.1.4/src/string.c:60:10: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  size = strlen((const char *)ptr);

data/r-cran-utf8-1.1.4/src/utf8_format.c:62:14: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  nellipsis = strlen(ellipsis);

data/r-cran-utf8-1.1.4/src/utf8_normalize.c:102:10: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  size = strlen((const char *)ptr);

data/r-cran-utf8-1.1.4/src/utf8_valid.c:64:11: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  size = strlen((const char *)str);

data/r-cran-utf8-1.1.4/src/utf8lite/src/error.c:53:7: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  n = strlen(msg->string);

data/r-cran-utf8-1.1.4/src/utf8lite/src/render.c:109:23: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  r->tab_length = (int)strlen(r->tab);

data/r-cran-utf8-1.1.4/src/utf8lite/src/render.c:112:27: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  r->newline_length = (int)strlen(r->newline);

data/r-cran-utf8-1.1.4/src/utf8lite/src/render.c:153:13: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if ((len = strlen(tab)) >= INT_MAX) {

data/r-cran-utf8-1.1.4/src/utf8lite/src/render.c:170:13: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if ((len = strlen(newline)) >= INT_MAX) {

data/r-cran-utf8-1.1.4/src/utf8lite/src/render.c:189:19: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if ((open_len = strlen(open)) >= INT_MAX) {

data/r-cran-utf8-1.1.4/src/utf8lite/src/render.c:195:20: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if ((close_len = strlen(close)) >= INT_MAX) {

data/r-cran-utf8-1.1.4/src/utf8lite/src/render.c:528:8: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  len = strlen(str);

data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_graphscan.c:184:15: [1] (buffer) fgetc: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  while ((ch = fgetc(file)) != EOF) {

data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_graphscan.c:190:10: [1] (buffer) fgetc: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  ch = fgetc(file);

data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_graphscan.c:221:9: [1] (buffer) fgetc: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  ch = fgetc(file);

data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_text.c:41:13: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  size_t n = strlen(str);

data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_text.c:51:13: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  size_t n = strlen(str);

data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_text.c:631:9: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  len = strlen(types[id].string);

data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_text.c:655:9: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  len = strlen(types[id].string);

data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_text.c:673:9: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  len = strlen(types[id].string);

data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_unicode.c:135:15: [1] (buffer) fgetc: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  while ((ch = fgetc(file)) != EOF) {

data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_unicode.c:141:10: [1] (buffer) fgetc: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  ch = fgetc(file);

data/r-cran-utf8-1.1.4/src/utf8lite/tests/testutil.c:80:16: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  size_t size = strlen(str);

ANALYSIS SUMMARY:

Hits = 76
Lines analyzed = 26549 in approximately 1.47 seconds (18027 lines/second)
Physical Source Lines of Code (SLOC) = 21818
Hits@level = [0] 26 [1] 26 [2] 40 [3] 1 [4] 9 [5] 0
Hits@level+ = [0+] 102 [1+] 76 [2+] 50 [3+] 10 [4+] 9 [5+] 0
Hits/KSLOC@level+ = [0+] 4.67504 [1+] 3.48336 [2+] 2.29169 [3+] 0.458337 [4+] 0.412503 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.