Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/xwax-1.7/alsa.c
Examining data/xwax-1.7/alsa.h
Examining data/xwax-1.7/controller.c
Examining data/xwax-1.7/controller.h
Examining data/xwax-1.7/cues.c
Examining data/xwax-1.7/cues.h
Examining data/xwax-1.7/debug.h
Examining data/xwax-1.7/deck.c
Examining data/xwax-1.7/deck.h
Examining data/xwax-1.7/device.c
Examining data/xwax-1.7/device.h
Examining data/xwax-1.7/dicer.c
Examining data/xwax-1.7/dicer.h
Examining data/xwax-1.7/dummy.c
Examining data/xwax-1.7/dummy.h
Examining data/xwax-1.7/excrate.c
Examining data/xwax-1.7/excrate.h
Examining data/xwax-1.7/external.c
Examining data/xwax-1.7/external.h
Examining data/xwax-1.7/index.c
Examining data/xwax-1.7/index.h
Examining data/xwax-1.7/interface.c
Examining data/xwax-1.7/interface.h
Examining data/xwax-1.7/jack.c
Examining data/xwax-1.7/jack.h
Examining data/xwax-1.7/layout.h
Examining data/xwax-1.7/library.c
Examining data/xwax-1.7/library.h
Examining data/xwax-1.7/list.h
Examining data/xwax-1.7/listbox.c
Examining data/xwax-1.7/listbox.h
Examining data/xwax-1.7/lut.c
Examining data/xwax-1.7/lut.h
Examining data/xwax-1.7/midi.c
Examining data/xwax-1.7/midi.h
Examining data/xwax-1.7/mktimecode.c
Examining data/xwax-1.7/mutex.h
Examining data/xwax-1.7/observer.h
Examining data/xwax-1.7/oss.c
Examining data/xwax-1.7/oss.h
Examining data/xwax-1.7/pitch.h
Examining data/xwax-1.7/player.c
Examining data/xwax-1.7/player.h
Examining data/xwax-1.7/realtime.c
Examining data/xwax-1.7/realtime.h
Examining data/xwax-1.7/rig.c
Examining data/xwax-1.7/rig.h
Examining data/xwax-1.7/selector.c
Examining data/xwax-1.7/selector.h
Examining data/xwax-1.7/spin.h
Examining data/xwax-1.7/status.c
Examining data/xwax-1.7/status.h
Examining data/xwax-1.7/tests/cues.c
Examining data/xwax-1.7/tests/external.c
Examining data/xwax-1.7/tests/library.c
Examining data/xwax-1.7/tests/midi.c
Examining data/xwax-1.7/tests/observer.c
Examining data/xwax-1.7/tests/status.c
Examining data/xwax-1.7/tests/timecoder.c
Examining data/xwax-1.7/tests/track.c
Examining data/xwax-1.7/tests/ttf.c
Examining data/xwax-1.7/thread.c
Examining data/xwax-1.7/thread.h
Examining data/xwax-1.7/timecoder.c
Examining data/xwax-1.7/timecoder.h
Examining data/xwax-1.7/track.c
Examining data/xwax-1.7/track.h
Examining data/xwax-1.7/xwax.c
Examining data/xwax-1.7/xwax.h

FINAL RESULTS:

data/xwax-1.7/debug.h:28:5:  [4] (format) fprintf:
  If format strings can be influenced by an attacker, they can be exploited
  (CWE-134). Use a constant for the format specification.
  fprintf(stderr, __VA_ARGS__); \

data/xwax-1.7/external.c:64:13:  [4] (shell) execv:
  This causes a new program to execute and is difficult to use safely
  (CWE-78). try using a library call that implements the same functionality
  if available.
  if (execv(path, argv) == -1) {

data/xwax-1.7/index.c:243:5:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
  strcpy(h->buf, d);

data/xwax-1.7/interface.c:303:9:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf.
  sprintf(buf, "%s/%s", *dir, name);

data/xwax-1.7/interface.c:1041:10:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf.
  c += sprintf(c, "%s: ", pl->timecoder->def->name);

data/xwax-1.7/interface.c:1050:5:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf.
  sprintf(c, "pitch:%+0.2f (sync %0.2f %+.5fs = %+0.2f) %s%s",

data/xwax-1.7/jack.c:202:2:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf.
  sprintf(port_name, "%s_timecode_%c", name, channel[n]);

data/xwax-1.7/jack.c:210:2:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf.
  sprintf(port_name, "%s_playback_%c", name, channel[n]);

data/xwax-1.7/library.c:498:5:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf.
  sprintf(buf, "%s %s", artist, title);

data/xwax-1.7/status.c:72:5:  [4] (format) vsnprintf:
  If format strings can be influenced by an attacker, they can be exploited,
  and note that sprintf variations do not always \0-terminate (CWE-134). Use
  a constant for the format specification.
  vsnprintf(buf, sizeof buf, t, l);

data/xwax-1.7/dicer.c:68:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char obuf[180];

data/xwax-1.7/dicer.c:331:45:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  static void event(struct dicer *d, unsigned char buf[3])

data/xwax-1.7/dicer.c:429:18:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  unsigned char buf[3];

data/xwax-1.7/external.c:46:11:  [2] (race) vfork:
  On some old systems, vfork() permits race conditions, and it's very
  difficult to use correctly (CWE-362). Use fork() instead.
  pid = vfork();

data/xwax-1.7/external.c:89:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char *args[16];

data/xwax-1.7/external.h:36:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buf[4096];

data/xwax-1.7/index.h:54:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buf[512];

data/xwax-1.7/index.h:55:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char *words[32]; /* NULL-terminated array */

data/xwax-1.7/interface.c:213:5:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(buf, "%02d:%02d.", minutes, seconds);

data/xwax-1.7/interface.c:214:5:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(deci, "%03d", frac);

data/xwax-1.7/interface.c:292:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buf[256];

data/xwax-1.7/interface.c:419:13:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char ubuf[256], /* fixed buffer is reasonable for rendering */

data/xwax-1.7/interface.c:611:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buf[32];

data/xwax-1.7/interface.c:614:5:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(buf, "%5.1f", bpm);

data/xwax-1.7/interface.c:680:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char hms[8], deci[8];

data/xwax-1.7/interface.c:1035:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buf[128], *c;

data/xwax-1.7/interface.c:1045:14:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
  c += sprintf(c, "%7d ", tc);

data/xwax-1.7/interface.c:1047:14:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
  c += sprintf(c, " ");

data/xwax-1.7/interface.c:1148:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char cm[32];

data/xwax-1.7/interface.c:1169:9:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(cm, "%zd matches", sel->view_index->entries);

data/xwax-1.7/interface.c:1171:9:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(cm, "1 match");

data/xwax-1.7/interface.c:1173:9:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(cm, "no matches");

data/xwax-1.7/interface.c:1767:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buf[128];

data/xwax-1.7/interface.c:1779:17:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
  width = atoi(buf);

data/xwax-1.7/interface.c:1796:9:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(buf, "SDL_VIDEO_WINDOW_POS=%d,%d", x, y);

data/xwax-1.7/jack.c:200:9:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char port_name[32];

data/xwax-1.7/library.c:536:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char *field[4];

data/xwax-1.7/oss.c:165:10:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
  fd = open(filename, O_RDWR, 0);

data/xwax-1.7/selector.h:44:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char search[256];

data/xwax-1.7/status.c:68:12:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  static char buf[256];

data/xwax-1.7/tests/midi.c:39:9:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buf[32];

data/xwax-1.7/track.h:38:14:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  unsigned char ppm[TRACK_BLOCK_SAMPLES / TRACK_PPM_RES],

data/xwax-1.7/external.c:229:9:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  z = read(fd, rb->buf + rb->len, remain);

data/xwax-1.7/index.c:242:12:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  assert(strlen(d) < sizeof h->buf);

data/xwax-1.7/interface.c:430:19:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  len = strlen(in);

data/xwax-1.7/library.c:493:11:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  len = strlen(artist) + strlen(title) + 1;

data/xwax-1.7/library.c:493:28:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  len = strlen(artist) + strlen(title) + 1;

data/xwax-1.7/oss.c:86:9:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  r = read(fd, pcm, bytes);

data/xwax-1.7/rig.c:147:21:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  z = read(event[0], &e, 1);

data/xwax-1.7/track.c:410:13:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  z = read(tr->fd, pcm, len);

ANALYSIS SUMMARY:

Hits = 50
Lines analyzed = 12243 in approximately 0.28 seconds (43752 lines/second)
Physical Source Lines of Code (SLOC) = 6907
Hits@level = [0] 120 [1]   8 [2]  32 [3]   0 [4]  10 [5]   0
Hits@level+ = [0+] 170 [1+]  50 [2+]  42 [3+]  10 [4+]  10 [5+]   0
Hits/KSLOC@level+ = [0+] 24.6127 [1+] 7.23903 [2+] 6.08079 [3+] 1.44781 [4+] 1.44781 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.
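Worked example, added here as editor's illustration and not code from xwax or from the Flawfinder project: bounded replacements for three of the patterns the report flags above. The three are the `sprintf(buf, "%s/%s", *dir, name)` at interface.c:303, the `assert`-guarded `strcpy` at index.c:242-243, and the `atoi` at interface.c:1779. Everything below is an assumption drawn only from the lines the report prints: that interface.c:292's `buf[256]` is the destination of the sprintf at line 303, and that the destination sizes shown are the real limits; none of it was checked against the xwax sources. As a triage note, the [2] sprintf hits the report itself marks "Risk is low because the source has a constant maximum length" can usually be cleared by inspection, whereas the [4] hits that feed a `%s` from a directory entry, a track title or a JACK client name are the ones worth a bounded rewrite like this. The `execv` at external.c:64 takes an argv array rather than a shell command line, so CWE-78 there only matters if `path` or `argv` can come from untrusted input; it is not covered by this example.

```c
/* Added example (not xwax code). Buffer sizes are assumptions taken from the
 * report's declarations, not verified against the xwax sources. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* interface.c:303 pattern: sprintf(buf, "%s/%s", *dir, name) into a
 * fixed-size buffer. Returns 0 on success, -1 if the result would not fit.
 * snprintf returns the length it *would* have written, so r >= n means the
 * output was truncated; we report that instead of silently using it. */
int join_path(char *dst, size_t n, const char *dir, const char *name)
{
    int r = snprintf(dst, n, "%s/%s", dir, name);
    if (r < 0 || (size_t)r >= n) {
        if (n > 0)
            dst[0] = '\0';          /* never hand back a half-built path */
        return -1;
    }
    return 0;
}

/* index.c:242-243 pattern: assert(strlen(d) < sizeof buf); strcpy(buf, d);
 * The assert disappears under -DNDEBUG, which leaves the strcpy unguarded in
 * a release build. A runtime check keeps the guard in every build.
 * Returns 0 on success, -1 if src does not fit (including its NUL). */
int copy_bounded(char *dst, size_t n, const char *src)
{
    /* Look for the terminator within the first n bytes only, so an
     * unterminated or over-long src never causes a read past dst's size. */
    const char *nul = memchr(src, '\0', n);
    if (nul == NULL)
        return -1;                  /* src is at least n bytes: no room */
    memcpy(dst, src, (size_t)(nul - src) + 1);
    return 0;
}

/* interface.c:1779 pattern: width = atoi(buf). atoi reports no error and
 * wraps on overflow; strtol with errno plus an explicit range check does.
 * Returns 0 and stores the value, or -1 on any parse or range error. */
int parse_int_range(const char *s, long lo, long hi, long *out)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(s, &end, 10);
    if (end == s || *end != '\0')   /* no digits at all, or trailing junk */
        return -1;
    if (errno == ERANGE || v < lo || v > hi)
        return -1;
    *out = v;
    return 0;
}

/* Self-check on constructed inputs; returns the number of failed checks.
 * Deliberately not assert()-based, for the same NDEBUG reason as above. */
int run_checks(void)
{
    char path[16];                  /* small on purpose: forces the overflow case */
    char small[4];
    long width;
    int failed = 0;

    failed += !(join_path(path, sizeof path, "/tmp", "a.wav") == 0 &&
                strcmp(path, "/tmp/a.wav") == 0);
    failed += !(join_path(path, sizeof path, "/tmp", "a-very-long-name.wav") == -1 &&
                path[0] == '\0');
    failed += !(copy_bounded(small, sizeof small, "abc") == 0 &&
                strcmp(small, "abc") == 0);
    failed += !(copy_bounded(small, sizeof small, "abcd") == -1);
    failed += !(parse_int_range("640", 1, 4096, &width) == 0 && width == 640);
    failed += !(parse_int_range("99999999999999999999", 1, 4096, &width) == -1);
    failed += !(parse_int_range("640px", 1, 4096, &width) == -1);
    failed += !(parse_int_range("-1", 1, 4096, &width) == -1);
    return failed;
}

int main(void)
{
    int failed = run_checks();
    printf("%d check(s) failed\n", failed);
    return failed ? 1 : 0;
}
```

Build with `cc -std=c99 -Wall -Wextra example.c` and run it; the same functions behave identically under `-DNDEBUG`, which is the point of replacing the `assert` guard with a return value the caller must handle. The pattern generalises to the other [4] sprintf hits in the report (the JACK port names at jack.c:202 and jack.c:210, the artist/title join at library.c:498): format into the buffer with `snprintf`, treat a return value at or above the buffer size as an error, and decide at that call site whether to fail, truncate or allocate rather than let the write run off the end.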