Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler. Number of rules (primarily dangerous function names) in C/C++ ruleset: 223 Examining data/tf-4.0s1/src/command.c Examining data/tf-4.0s1/src/command.h Examining data/tf-4.0s1/src/commands.h Examining data/tf-4.0s1/src/dstring.c Examining data/tf-4.0s1/src/dstring.h Examining data/tf-4.0s1/src/enumlist.h Examining data/tf-4.0s1/src/expand.c Examining data/tf-4.0s1/src/expand.h Examining data/tf-4.0s1/src/expr.c Examining data/tf-4.0s1/src/expr.h Examining data/tf-4.0s1/src/fd_set.h Examining data/tf-4.0s1/src/funclist.h Examining data/tf-4.0s1/src/globals.h Examining data/tf-4.0s1/src/help.c Examining data/tf-4.0s1/src/hooklist.h Examining data/tf-4.0s1/src/keyboard.c Examining data/tf-4.0s1/src/keyboard.h Examining data/tf-4.0s1/src/keylist.h Examining data/tf-4.0s1/src/macro.c Examining data/tf-4.0s1/src/macro.h Examining data/tf-4.0s1/src/main.c Examining data/tf-4.0s1/src/makehelp.c Examining data/tf-4.0s1/src/malloc.c Examining data/tf-4.0s1/src/malloc.h Examining data/tf-4.0s1/src/output.c Examining data/tf-4.0s1/src/output.h Examining data/tf-4.0s1/src/parse.h Examining data/tf-4.0s1/src/port.h Examining data/tf-4.0s1/src/process.c Examining data/tf-4.0s1/src/process.h Examining data/tf-4.0s1/src/search.c Examining data/tf-4.0s1/src/search.h Examining data/tf-4.0s1/src/signals.c Examining data/tf-4.0s1/src/signals.h Examining data/tf-4.0s1/src/tf.h Examining data/tf-4.0s1/src/tfio.c Examining data/tf-4.0s1/src/tfio.h Examining data/tf-4.0s1/src/tfselect.h Examining data/tf-4.0s1/src/tty.c Examining data/tf-4.0s1/src/tty.h Examining data/tf-4.0s1/src/util.h Examining data/tf-4.0s1/src/variable.c Examining data/tf-4.0s1/src/variable.h Examining data/tf-4.0s1/src/varlist.h Examining data/tf-4.0s1/src/world.c Examining data/tf-4.0s1/src/world.h Examining data/tf-4.0s1/src/regexp/regerror.c Examining data/tf-4.0s1/src/regexp/regexp.c Examining data/tf-4.0s1/src/regexp/regexp.h Examining data/tf-4.0s1/src/regexp/regmagic.h Examining data/tf-4.0s1/src/regexp/regsub.c Examining data/tf-4.0s1/src/regexp/timer.c Examining data/tf-4.0s1/src/regexp/try.c Examining data/tf-4.0s1/src/history.c Examining data/tf-4.0s1/src/history.h Examining data/tf-4.0s1/src/mccp.c Examining data/tf-4.0s1/src/mccp.h Examining data/tf-4.0s1/src/socket.c Examining data/tf-4.0s1/src/socket.h Examining data/tf-4.0s1/src/util.c Examining data/tf-4.0s1/os2/config.h FINAL RESULTS: data/tf-4.0s1/src/dstring.c:140:5: [4] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). strcpy(dest->s, src); data/tf-4.0s1/src/dstring.c:152:5: [4] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). strcpy(dest->s, src->s ? src->s : ""); data/tf-4.0s1/src/dstring.c:184:5: [4] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). strcpy(dest->s + len, src); data/tf-4.0s1/src/dstring.c:198:5: [4] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). strcpy(dest->s + len, src->s ? src->s : ""); data/tf-4.0s1/src/output.c:1605:5: [4] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. sprintf(buf, "start_color_%s", enum_color[color]); data/tf-4.0s1/src/port.h:80:61: [4] (format) printf: If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification. # define format_printf(fmt, var) __attribute__((format(printf, fmt, var))) data/tf-4.0s1/src/process.c:131:17: [4] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. sprintf(nbuf, "%8s", "pending"); data/tf-4.0s1/src/process.c:133:9: [4] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. sprintf(obuf, "%-8s ", p->world ? p->world->name : ""); data/tf-4.0s1/src/process.c:138:13: [4] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). strcpy(obuf+9, p->ptime == -2 ? "S " : " "); data/tf-4.0s1/src/regexp/regexp.c:1200:10: [4] (buffer) strcat: Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). (void) strcat(buf, p); data/tf-4.0s1/src/regexp/timer.c:104:2: [4] (format) fprintf: If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification. fprintf(stderr, s1, s2); data/tf-4.0s1/src/regexp/timer.c:180:2: [4] (format) fprintf: If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification. fprintf(stderr, s1, s2); data/tf-4.0s1/src/regexp/try.c:106:2: [4] (format) fprintf: If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification. fprintf(stderr, s1, s2); data/tf-4.0s1/src/regexp/try.c:235:2: [4] (format) fprintf: If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification. fprintf(stderr, s1, s2); data/tf-4.0s1/src/signals.c:324:5: [4] (format) fprintf: If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification. fprintf(stderr, fmt, n); data/tf-4.0s1/src/signals.c:404:14: [4] (shell) system: This causes a new program to execute and is difficult to use safely (CWE-78). try using a library call that implements the same functionality if available. result = system(cmd); data/tf-4.0s1/src/socket.c:1441:13: [4] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. sprintf(linebuf, "%7s", "foregnd"); data/tf-4.0s1/src/tfio.c:189:20: [4] (shell) popen: This causes a new program to execute and is difficult to use safely (CWE-78). try using a library call that implements the same functionality if available. if (!(fp = popen(name, "r"))) return NULL; data/tf-4.0s1/src/tfio.c:221:9: [4] (buffer) strcat: Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). strcat(strcpy(newname, name), suffix); data/tf-4.0s1/src/tfio.c:221:16: [4] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). strcat(strcpy(newname, name), suffix); data/tf-4.0s1/src/tfio.c:231:18: [4] (shell) popen: This causes a new program to execute and is difficult to use safely (CWE-78). try using a library call that implements the same functionality if available. fp = popen(buffer->s, mode); data/tf-4.0s1/src/tfio.c:479:13: [4] (format) sprintf: Potential format string problem (CWE-134). Make format string constant. sprintf(tempbuf, spec, va_arg(ap, int)); data/tf-4.0s1/src/tfio.c:486:13: [4] (format) sprintf: Potential format string problem (CWE-134). Make format string constant. sprintf(tempbuf, spec, va_arg(ap, unsigned int)); data/tf-4.0s1/src/tfio.c:495:13: [4] (format) sprintf: Potential format string problem (CWE-134). Make format string constant. sprintf(tempbuf, spec, va_arg(ap, double)); data/tf-4.0s1/src/util.h:38:6: [4] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). (strcpy(xmalloc((len) + 1, __FILE__, __LINE__), (src))) data/tf-4.0s1/src/variable.c:303:5: [4] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. sprintf(str, "%s=%s", var->name, var->value); data/tf-4.0s1/src/command.c:366:43: [3] (buffer) getwd: This does not protect against buffer overflows by itself, so use with caution (CWE-120, CWE-20). Use getcwd instead. oprintf("%% Current directory is %s", getwd(buffer)); data/tf-4.0s1/src/port.h:251:30: [3] (random) random: This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values. # define RAND() (int)random() data/tf-4.0s1/src/port.h:252:25: [3] (random) srandom: This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values. # define SRAND(seed) srandom(seed) data/tf-4.0s1/src/port.h:257:26: [3] (random) srand: This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values. # define SRAND(seed) srand(seed) data/tf-4.0s1/src/port.h:290:19: [3] (random) random: This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values. extern long NDECL(random); data/tf-4.0s1/src/port.h:291:19: [3] (random) srandom: This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values. extern int FDECL(srandom,(unsigned)); data/tf-4.0s1/src/port.h:302:19: [3] (random) random: This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values. extern long NDECL(random); data/tf-4.0s1/src/port.h:303:19: [3] (random) srandom: This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values. extern int FDECL(srandom,(unsigned)); data/tf-4.0s1/src/command.c:354:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buffer[PATH_MAX + 1]; data/tf-4.0s1/src/command.c:577:38: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). else if (is_digit(*args) && (n = atoi(args)) < 0) return newint(0); data/tf-4.0s1/src/command.c:615:20: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). if ((exiting = atoi(args)) <= 0) exiting = 1; data/tf-4.0s1/src/expand.c:421:37: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). if ((breaking = atoi(ip)) <= 0) breaking = 1; data/tf-4.0s1/src/expand.c:586:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[sizeof("elseif")]; /* "elseif" is the longest keyword. */ data/tf-4.0s1/src/expand.c:1071:23: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). count = (*args) ? atoi(args) : 1; data/tf-4.0s1/src/expr.c:286:44: [2] (integer) atol: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). if (*str == '-' || *str == '+') return atol(str); data/tf-4.0s1/src/expr.c:322:12: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static char buffer[32]; data/tf-4.0s1/src/expr.c:326:25: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. case TYPE_INT: sprintf(buffer, "%ld", val->u.ival); return buffer; data/tf-4.0s1/src/expr.c:333:13: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(buffer, "%.15g", val->u.fval); data/tf-4.0s1/src/expr.c:335:17: [2] (buffer) strcat: Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant string. strcat(buffer, ".0"); data/tf-4.0s1/src/expr.c:369:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[16]; data/tf-4.0s1/src/expr.c:478:25: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(buf, "%ld", i); data/tf-4.0s1/src/expr.c:585:20: [2] (misc) fopen: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). file = fopen(expand_filename(ptr), "a"); data/tf-4.0s1/src/expr.c:910:25: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(numbuf, "%ld", i); data/tf-4.0s1/src/help.c:35:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf0[HELPLEN], buf1[HELPLEN], buf2[HELPLEN]; data/tf-4.0s1/src/help.c:93:22: [2] (integer) atol: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). offset = atol(input); data/tf-4.0s1/src/history.c:440:17: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(partials + buffer->len, aline->partials, data/tf-4.0s1/src/keyboard.c:127:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[64]; data/tf-4.0s1/src/keyboard.c:252:9: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(keybuf->s + keyboard_pos, input, len); data/tf-4.0s1/src/macro.c:94:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[16]; data/tf-4.0s1/src/macro.c:430:45: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). if (*name == '#') return find_num_macro(atoi(name + 1)); data/tf-4.0s1/src/macro.c:833:21: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). spec->num = atoi(spec->name + 1); data/tf-4.0s1/src/macro.c:950:21: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). spec->num = atoi(spec->name + 1); data/tf-4.0s1/src/macro.c:1119:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char numbuf[16]; data/tf-4.0s1/src/macro.c:1124:9: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(numbuf, "#%d", macro->num); data/tf-4.0s1/src/macro.c:1346:17: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char numbuf[16]; data/tf-4.0s1/src/macro.c:1347:36: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. if (!*macro->name) sprintf(numbuf, "#%d", macro->num); data/tf-4.0s1/src/makehelp.c:24:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char line[240+1]; data/tf-4.0s1/src/mccp.c:189:13: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(state->outbuf + state->outsize, state->inbuf, state->insize); data/tf-4.0s1/src/mccp.c:231:9: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(state->outbuf + state->outsize, data, len); data/tf-4.0s1/src/mccp.c:233:9: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(state->outbuf + state->outsize, state->inbuf, state->insize); data/tf-4.0s1/src/mccp.c:305:21: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(state->inbuf, data/tf-4.0s1/src/mccp.c:338:17: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(state->inbuf + state->insize, state->outbuf + residual, state->outsize - residual); data/tf-4.0s1/src/mccp.c:347:9: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(state->inbuf + state->insize, data, len); data/tf-4.0s1/src/mccp.c:379:5: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(buf, state->outbuf, copied); data/tf-4.0s1/src/output.c:385:41: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). lines = ((str = getvar("LINES"))) ? atoi(str) : 0; data/tf-4.0s1/src/output.c:386:45: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). columns = ((str = getvar("COLUMNS"))) ? atoi(str) : 0; data/tf-4.0s1/src/output.c:415:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char termcap_entry[4096]; data/tf-4.0s1/src/output.c:417:12: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static char termcap_buffer[1024]; data/tf-4.0s1/src/output.c:1609:9: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(buf, "start_color_%ld", color); data/tf-4.0s1/src/port.h:147:11: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. # define memcpy(dst, src, len) bcopy((src), (dst), (len)) data/tf-4.0s1/src/port.h:147:33: [2] (buffer) bcopy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. # define memcpy(dst, src, len) bcopy((src), (dst), (len)) data/tf-4.0s1/src/port.h:236:5: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy((GENERIC*)&(dst), (GENERIC*)&(src), sizeof(src)) data/tf-4.0s1/src/process.c:83:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char obuf[18], nbuf[10]; data/tf-4.0s1/src/process.c:122:13: [2] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string. strcpy(nbuf, " 0"); data/tf-4.0s1/src/process.c:124:13: [2] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string. strcpy(nbuf, " ?"); data/tf-4.0s1/src/process.c:128:17: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(nbuf, "%2ld:%02ld:%02ld", data/tf-4.0s1/src/process.c:135:13: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(obuf+9, "%2ld:%02ld:%02ld", (long)p->ptime/3600, data/tf-4.0s1/src/regexp/regexp.c:1130:9: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static char buf[50]; data/tf-4.0s1/src/regexp/regexp.c:1174:3: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(buf+strlen(buf), "OPEN%d", OP(op)-OPEN); data/tf-4.0s1/src/regexp/regexp.c:1186:3: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(buf+strlen(buf), "CLOSE%d", OP(op)-CLOSE); data/tf-4.0s1/src/regexp/regexp.h:9:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char *startp[NSUBEXP]; data/tf-4.0s1/src/regexp/regexp.h:10:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char *endp[NSUBEXP]; data/tf-4.0s1/src/regexp/regexp.h:15:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char program[1]; /* Unwarranted chumminess with compiler. */ data/tf-4.0s1/src/regexp/timer.c:54:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char dummy[512]; data/tf-4.0s1/src/regexp/timer.c:61:11: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). ncomp = atoi(argv[1]); data/tf-4.0s1/src/regexp/timer.c:62:11: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). nexec = atoi(argv[2]); data/tf-4.0s1/src/regexp/timer.c:63:10: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). nsub = atoi(argv[3]); data/tf-4.0s1/src/regexp/timer.c:130:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char dbuf[BUFSIZ]; data/tf-4.0s1/src/regexp/try.c:44:1: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[BUFSIZ]; data/tf-4.0s1/src/regexp/try.c:118:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char rbuf[BUFSIZ]; data/tf-4.0s1/src/regexp/try.c:119:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char *field[5]; data/tf-4.0s1/src/regexp/try.c:193:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char dbuf[BUFSIZ]; data/tf-4.0s1/src/socket.c:42:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char sin_zero[8]; data/tf-4.0s1/src/socket.c:263:14: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static CONST char *telnet_label[0x100]; data/tf-4.0s1/src/socket.c:847:38: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). xsock->addr.sin_port = htons(atoi(xsock->port)); data/tf-4.0s1/src/socket.c:1062:9: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy((GENERIC *)sin_addr, (GENERIC *)host->h_addr, sizeof(*sin_addr)); data/tf-4.0s1/src/socket.c:1389:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char idlebuf[16], linebuf[16]; data/tf-4.0s1/src/socket.c:1443:13: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(linebuf, "%7d", sock->activity); data/tf-4.0s1/src/socket.c:1446:13: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(idlebuf, "%3ds", t); data/tf-4.0s1/src/socket.c:1448:13: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(idlebuf, "%3dm", t); data/tf-4.0s1/src/socket.c:1450:13: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(idlebuf, "%3dh", t); data/tf-4.0s1/src/socket.c:1452:13: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(idlebuf, "%3dd", t); data/tf-4.0s1/src/socket.c:1454:13: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(idlebuf, "long"); data/tf-4.0s1/src/socket.c:1716:9: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[4]; data/tf-4.0s1/src/socket.c:1717:9: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(buf, "%c%c%c", TN_IAC, cmd, opt); data/tf-4.0s1/src/socket.c:1728:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char *place, localchar, buffer[4096]; data/tf-4.0s1/src/tf.h:40:9: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. typedef char smallstr[65]; /* Short buffer */ data/tf-4.0s1/src/tfio.c:205:15: [2] (misc) fopen: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). if ((fp = fopen(name, mode)) && fstat(fileno(fp), &buf) == 0) { data/tf-4.0s1/src/tfio.c:223:19: [2] (misc) fopen: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). if ((fp = fopen(newname, mode)) != NULL) { /* test readability */ data/tf-4.0s1/src/tfio.c:890:14: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). id = atoi(handle); data/tf-4.0s1/src/tfio.h:54:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[1024]; data/tf-4.0s1/src/tty.c:93:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char bs[2], dline[2], bword[2], refresh[2], lnext[2]; data/tf-4.0s1/src/util.c:57:1: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char tf_ctype[0x100]; data/tf-4.0s1/src/util.c:169:13: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). c = atoi(*sp); data/tf-4.0s1/src/util.c:186:9: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). i = atoi(*sp); data/tf-4.0s1/src/util.c:196:9: [2] (integer) atol: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). i = atol(*sp); data/tf-4.0s1/src/util.c:1125:16: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static char fmtbuf[3] = "%?"; /* static to allow init in K&R C */ data/tf-4.0s1/src/variable.c:98:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char **oldenv, **p, *value, buf[20], *str; data/tf-4.0s1/src/variable.c:119:13: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(buf, "%ld", var->ival); data/tf-4.0s1/src/variable.c:583:12: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static char buffer[20]; data/tf-4.0s1/src/variable.c:609:23: [2] (integer) atol: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). var->ival=atol(value); data/tf-4.0s1/src/variable.c:620:9: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(buffer, "%ld", var->ival); data/tf-4.0s1/src/world.c:139:9: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(buffer, "(unnamed%d)", unnamed++); data/tf-4.0s1/src/command.c:400:38: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). write(STDOUT_FILENO, string, strlen(string)); data/tf-4.0s1/src/dstring.c:138:17: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). dest->len = strlen(src); data/tf-4.0s1/src/dstring.c:163:20: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). unsigned len = strlen(src); data/tf-4.0s1/src/dstring.c:169:5: [1] (buffer) strncpy: Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120). strncpy(dest->s, src, n); data/tf-4.0s1/src/dstring.c:182:18: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). dest->len += strlen(src); data/tf-4.0s1/src/dstring.c:211:24: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). unsigned int len = strlen(src); data/tf-4.0s1/src/dstring.c:217:5: [1] (buffer) strncpy: Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120). strncpy(dest->s + oldlen, src, n); data/tf-4.0s1/src/dstring.c:235:5: [1] (buffer) strncpy: Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120). strncpy(dest->s + oldlen, src, n); data/tf-4.0s1/src/expand.c:595:5: [1] (buffer) strncpy: Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120). strncpy(buf, ip, end - ip); data/tf-4.0s1/src/expr.c:239:24: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (len < 0) len = strlen(str); data/tf-4.0s1/src/expr.c:240:11: [1] (buffer) strncpy: Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120). new = strncpy((char *)xmalloc(len + 1, file, line), str, len); data/tf-4.0s1/src/expr.c:347:49: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). return (val->type == TYPE_STR) ? val->len : strlen(valstr(val)); data/tf-4.0s1/src/help.c:88:19: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). place[strlen(place)-1] = '\0'; data/tf-4.0s1/src/help.c:113:27: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (*input) input[strlen(input)-1] = '\0'; data/tf-4.0s1/src/help.c:143:27: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (*input) input[strlen(input)-1] = '\0'; data/tf-4.0s1/src/history.c:155:26: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). for (remaining = strlen(str); remaining; str += len, remaining -= len) { data/tf-4.0s1/src/keyboard.c:143:22: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). if ((count = read(STDIN_FILENO, buf, sizeof(buf))) < 0) { data/tf-4.0s1/src/keyboard.c:265:31: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). handle_input_string(args, strlen(args)); data/tf-4.0s1/src/macro.c:114:24: [1] (buffer) strncpy: Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120). name = strncpy(buf, *argp, end - *argp); data/tf-4.0s1/src/mccp.c:246:29: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). clen = (i + strlen(will_v1) < state->outsize) ? strlen(will_v1) : state->outsize - i; data/tf-4.0s1/src/mccp.c:246:65: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). clen = (i + strlen(will_v1) < state->outsize) ? strlen(will_v1) : state->outsize - i; data/tf-4.0s1/src/mccp.c:249:33: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (clen != strlen(will_v1)) { data/tf-4.0s1/src/mccp.c:265:48: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). &state->outbuf[i + strlen(will_v1)], data/tf-4.0s1/src/mccp.c:266:46: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). state->outsize - strlen(will_v1)); data/tf-4.0s1/src/mccp.c:267:39: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). state->outsize -= strlen(will_v1); data/tf-4.0s1/src/mccp.c:273:33: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (clen != strlen(will_v2)) { data/tf-4.0s1/src/mccp.c:283:48: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). &state->outbuf[i + strlen(will_v2)], data/tf-4.0s1/src/mccp.c:284:46: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). state->outsize - strlen(will_v2)); data/tf-4.0s1/src/mccp.c:285:39: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). state->outsize -= strlen(will_v2); data/tf-4.0s1/src/mccp.c:290:29: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). clen = (i + strlen(on_v1) < state->outsize) ? strlen(on_v1) : state->outsize - i; data/tf-4.0s1/src/mccp.c:290:63: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). clen = (i + strlen(on_v1) < state->outsize) ? strlen(on_v1) : state->outsize - i; data/tf-4.0s1/src/mccp.c:294:33: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (clen != strlen(on_v1)) { data/tf-4.0s1/src/mccp.c:303:60: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). grow_inbuf(state, state->outsize - i - strlen(on_v1)); data/tf-4.0s1/src/mccp.c:306:48: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). state->outbuf + i + strlen(on_v1), data/tf-4.0s1/src/mccp.c:307:49: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). state->outsize - i - strlen(on_v1)); data/tf-4.0s1/src/mccp.c:309:58: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). state->insize = state->outsize - i - strlen(on_v1); data/tf-4.0s1/src/output.c:770:28: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). field->width = strlen(field->name); data/tf-4.0s1/src/regexp/regexp.c:276:32: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (OP(scan) == EXACTLY && strlen(OPERAND(scan)) >= len) { data/tf-4.0s1/src/regexp/regexp.c:278:12: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). len = strlen(OPERAND(scan)); data/tf-4.0s1/src/regexp/regexp.c:862:11: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). len = strlen(opnd); data/tf-4.0s1/src/regexp/regexp.c:1021:11: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). count = strlen(scan); data/tf-4.0s1/src/regexp/regexp.c:1132:9: [1] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant character. (void) strcpy(buf, ":"); data/tf-4.0s1/src/regexp/regexp.c:1174:15: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). sprintf(buf+strlen(buf), "OPEN%d", OP(op)-OPEN); data/tf-4.0s1/src/regexp/regexp.c:1186:15: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). sprintf(buf+strlen(buf), "CLOSE%d", OP(op)-CLOSE); data/tf-4.0s1/src/regexp/regsub.c:46:15: [1] (buffer) strncpy: Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120). extern char *strncpy(); data/tf-4.0s1/src/regexp/regsub.c:73:11: [1] (buffer) strncpy: Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120). (void) strncpy(dst, prog->startp[no], len); data/tf-4.0s1/src/regexp/try.c:128:8: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). rbuf[strlen(rbuf)-1] = '\0'; /* Dispense with \n. */ data/tf-4.0s1/src/socket.c:911:13: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). if (read(xsock->fd, &err, sizeof(err)) < 0 || err != 0) { data/tf-4.0s1/src/socket.c:927:9: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). read(xsock->fd, (char*)&xsock->addr.sin_addr, sizeof(struct in_addr)); data/tf-4.0s1/src/socket.c:1216:17: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). if (read(xsock->fd, &ch, 0) < 0) { data/tf-4.0s1/src/socket.c:1222:17: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). read(xsock->fd, &ch, 1); /* must fail */ data/tf-4.0s1/src/socket.c:1485:21: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). send_line(text, strlen(text), eol_flag); data/tf-4.0s1/src/socket.c:1809:17: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). transmit(resp,strlen(resp)); data/tf-4.0s1/src/socket.c:2069:9: [1] (buffer) sscanf: It's unclear if the %s limit in the format string is small enough (CWE-120). Check that the limit is sufficiently small, or use a different input function. if (sscanf(str, data/tf-4.0s1/src/tfio.c:220:34: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). newname = (char*)XMALLOC(strlen(name) + strlen(suffix) + 1); data/tf-4.0s1/src/tfio.c:220:49: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). newname = (char*)XMALLOC(strlen(name) + strlen(suffix) + 1); data/tf-4.0s1/src/tfio.c:530:30: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). len = sval ? strlen(sval) : 0; data/tf-4.0s1/src/tfio.c:686:5: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). read(STDIN_FILENO, &c, 1); data/tf-4.0s1/src/tfio.c:764:25: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). file->len = read(fileno(file->u.fp), file->buf, sizeof(file->buf)); data/tf-4.0s1/src/tfio.c:814:18: [1] (buffer) strncpy: Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120). aline->str = strncpy((char*)memory + sizeof(Aline), str, len); data/tf-4.0s1/src/tfio.h:123:49: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). #define new_aline(s,a) dnew_aline((s), (a), strlen(s), __FILE__, __LINE__) data/tf-4.0s1/src/util.c:274:16: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if ((len = strlen(s2) - 1) < 0) return (char*)s1; data/tf-4.0s1/src/util.c:444:16: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). return strlen(re->endp[0]); data/tf-4.0s1/src/util.c:700:24: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). for (end = s + strlen(s) - 1; is_space(*end); end--); data/tf-4.0s1/src/util.c:901:26: [1] (buffer) strncpy: Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120). info->name = strncpy(XMALLOC(end-name+1), name, end-name); data/tf-4.0s1/src/util.c:1144:31: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). Stringncat(dest, str, strlen(str) - 1); /* remove ctime()'s '\n' */ data/tf-4.0s1/src/util.h:39:37: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). #define STRDUP(src) STRNDUP((src), strlen(src)) data/tf-4.0s1/src/variable.c:110:28: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). var->len = strlen(var->value); data/tf-4.0s1/src/variable.c:116:24: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). var->len = strlen(var->value); data/tf-4.0s1/src/variable.c:120:24: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). var->len = strlen(buf); data/tf-4.0s1/src/variable.c:250:24: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). var->len = strlen(value); data/tf-4.0s1/src/variable.c:269:16: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). var->len = strlen(value); data/tf-4.0s1/src/variable.c:302:27: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). str = (char *)XMALLOC(strlen(var->name) + 1 + var->len + 1); data/tf-4.0s1/src/variable.c:380:24: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). var->len = strlen(value); data/tf-4.0s1/src/variable.c:468:20: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). var->len = strlen(value); data/tf-4.0s1/src/variable.c:625:16: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). var->len = strlen(value); ANALYSIS SUMMARY: Hits = 205 Lines analyzed = 20221 in approximately 0.54 seconds (37662 lines/second) Physical Source Lines of Code (SLOC) = 15663 Hits@level = [0] 38 [1] 76 [2] 95 [3] 8 [4] 26 [5] 0 Hits@level+ = [0+] 243 [1+] 205 [2+] 129 [3+] 34 [4+] 26 [5+] 0 Hits/KSLOC@level+ = [0+] 15.5143 [1+] 13.0882 [2+] 8.23597 [3+] 2.17072 [4+] 1.65996 [5+] 0 Dot directories skipped = 1 (--followdotdir overrides) Minimum risk level = 1 Not every hit is necessarily a security vulnerability. There may be other security vulnerabilities; review your code! See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.