Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/aaphoto-0.45/aaresize.c
Examining data/aaphoto-0.45/aargb.c
Examining data/aaphoto-0.45/aaphoto.c
Examining data/aaphoto-0.45/aaio.c

FINAL RESULTS:

data/aaphoto-0.45/aaio.c:354:12:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move
  things around to create a race condition, control its ancestors, or
  change its contents? (CWE-362).
  fhandle = fopen(file_name, "rb");
data/aaphoto-0.45/aaio.c:369:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to
  potential overflows or other issues (CWE-119!/CWE-120). Perform bounds
  checking, use functions that limit length, or ensure that the size is
  larger than the maximum possible length.
  char fpath [max_char];
data/aaphoto-0.45/aaio.c:370:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to
  potential overflows or other issues (CWE-119!/CWE-120). Perform bounds
  checking, use functions that limit length, or ensure that the size is
  larger than the maximum possible length.
  char fname [max_char];
data/aaphoto-0.45/aaio.c:371:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to
  potential overflows or other issues (CWE-119!/CWE-120). Perform bounds
  checking, use functions that limit length, or ensure that the size is
  larger than the maximum possible length.
  char fext [max_char];
data/aaphoto-0.45/aaio.c:454:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to
  potential overflows or other issues (CWE-119!/CWE-120). Perform bounds
  checking, use functions that limit length, or ensure that the size is
  larger than the maximum possible length.
  char fext[max_char];
data/aaphoto-0.45/aaio.c:455:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to
  potential overflows or other issues (CWE-119!/CWE-120). Perform bounds
  checking, use functions that limit length, or ensure that the size is
  larger than the maximum possible length.
  char fextl[max_char];
data/aaphoto-0.45/aaio.c:512:14:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to
  potential overflows or other issues (CWE-119!/CWE-120). Perform bounds
  checking, use functions that limit length, or ensure that the size is
  larger than the maximum possible length.
  char file_name_new [max_char];
data/aaphoto-0.45/aaio.c:647:15:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move
  things around to create a race condition, control its ancestors, or
  change its contents? (CWE-362).
  fhandle = fopen(file_name, "rb");
data/aaphoto-0.45/aaio.c:784:16:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move
  things around to create a race condition, control its ancestors, or
  change its contents? (CWE-362).
  fhandle = fopen(file_name, "wb+");
data/aaphoto-0.45/aaio.c:816:16:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move
  things around to create a race condition, control its ancestors, or
  change its contents? (CWE-362).
  fhandle = fopen(file_name, "rb+");
data/aaphoto-0.45/aaio.c:857:12:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move
  things around to create a race condition, control its ancestors, or
  change its contents? (CWE-362).
  fhandle = fopen(file_name, "rb");
data/aaphoto-0.45/aaio.c:1195:12:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move
  things around to create a race condition, control its ancestors, or
  change its contents? (CWE-362).
  fhandle = fopen(file_name, "wb");
data/aaphoto-0.45/aaio.c:1232:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to
  potential overflows or other issues (CWE-119!/CWE-120). Perform bounds
  checking, use functions that limit length, or ensure that the size is
  larger than the maximum possible length.
  unsigned char sig[8];
data/aaphoto-0.45/aaio.c:1237:19:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move
  things around to create a race condition, control its ancestors, or
  change its contents? (CWE-362).
  fhandle = fopen(file_name, "rb");
data/aaphoto-0.45/aaio.c:1596:19:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move
  things around to create a race condition, control its ancestors, or
  change its contents? (CWE-362).
  fhandle = fopen(file_name, "wb");
data/aaphoto-0.45/aaio.c:1665:16:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move
  things around to create a race condition, control its ancestors, or
  change its contents? (CWE-362).
  if ((infile = fopen(file_name, "rb")) == NULL) { return 1; }
data/aaphoto-0.45/aaio.c:1775:18:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move
  things around to create a race condition, control its ancestors, or
  change its contents? (CWE-362).
  if ((outfile = fopen(file_name, "a+b")) == NULL) { return 1; } }
data/aaphoto-0.45/aaio.c:1777:18:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move
  things around to create a race condition, control its ancestors, or
  change its contents? (CWE-362).
  if ((outfile = fopen(file_name, "wb")) == NULL) { return 1; } }
data/aaphoto-0.45/aaio.c:1880:12:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move
  things around to create a race condition, control its ancestors, or
  change its contents? (CWE-362).
  fhandle = fopen(file_name, "rb");
data/aaphoto-0.45/aaphoto.c:217:1:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to
  potential overflows or other issues (CWE-119!/CWE-120). Perform bounds
  checking, use functions that limit length, or ensure that the size is
  larger than the maximum possible length.
  char opt_output_path [max_char];
data/aaphoto-0.45/aaphoto.c:459:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to
  potential overflows or other issues (CWE-119!/CWE-120). Perform bounds
  checking, use functions that limit length, or ensure that the size is
  larger than the maximum possible length.
  char file_name_new [max_char];
data/aaphoto-0.45/aaphoto.c:718:6:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to
  potential overflows or other issues (CWE-119!/CWE-120). Perform bounds
  checking, use functions that limit length, or ensure that the size is
  larger than the maximum possible length.
  char num [8+1];
data/aaphoto-0.45/aaphoto.c:739:6:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to
  potential overflows or other issues (CWE-119!/CWE-120). Perform bounds
  checking, use functions that limit length, or ensure that the size is
  larger than the maximum possible length.
  char num [8+1];
data/aaphoto-0.45/aaphoto.c:777:6:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to
  potential overflows or other issues (CWE-119!/CWE-120). Perform bounds
  checking, use functions that limit length, or ensure that the size is
  larger than the maximum possible length.
  char num [8+1];
data/aaphoto-0.45/aaphoto.c:804:6:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to
  potential overflows or other issues (CWE-119!/CWE-120). Perform bounds
  checking, use functions that limit length, or ensure that the size is
  larger than the maximum possible length.
  char num [8+1];
data/aaphoto-0.45/aaphoto.c:848:6:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to
  potential overflows or other issues (CWE-119!/CWE-120). Perform bounds
  checking, use functions that limit length, or ensure that the size is
  larger than the maximum possible length.
  char num [16+1];
data/aaphoto-0.45/aaphoto.c:881:6:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to
  potential overflows or other issues (CWE-119!/CWE-120). Perform bounds
  checking, use functions that limit length, or ensure that the size is
  larger than the maximum possible length.
  char num [16+1] = "";
data/aaphoto-0.45/aaphoto.c:1018:6:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to
  potential overflows or other issues (CWE-119!/CWE-120). Perform bounds
  checking, use functions that limit length, or ensure that the size is
  larger than the maximum possible length.
  char tt[max_char];
data/aaphoto-0.45/aaio.c:663:11:  [1] (buffer) fgetc:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  ch1 = fgetc(fhandle);
data/aaphoto-0.45/aaio.c:664:11:  [1] (buffer) fgetc:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  ch2 = fgetc(fhandle);
data/aaphoto-0.45/aaio.c:678:15:  [1] (buffer) fgetc:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  ch1 = fgetc(fhandle);
data/aaphoto-0.45/aaio.c:679:15:  [1] (buffer) fgetc:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  ch2 = fgetc(fhandle);
data/aaphoto-0.45/aaio.c:690:23:  [1] (buffer) fgetc:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  ch1 = fgetc(fhandle);
data/aaphoto-0.45/aaio.c:691:23:  [1] (buffer) fgetc:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  ch2 = fgetc(fhandle);
data/aaphoto-0.45/aaio.c:704:23:  [1] (buffer) fgetc:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  ch1 = fgetc(fhandle);
data/aaphoto-0.45/aaio.c:705:23:  [1] (buffer) fgetc:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  ch2 = fgetc(fhandle);
data/aaphoto-0.45/aaio.c:710:23:  [1] (buffer) fgetc:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  ch1 = fgetc(fhandle);
data/aaphoto-0.45/aaio.c:711:23:  [1] (buffer) fgetc:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  ch2 = fgetc(fhandle);
data/aaphoto-0.45/aaio.c:716:23:  [1] (buffer) fgetc:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  ch1 = fgetc(fhandle);
data/aaphoto-0.45/aaio.c:717:23:  [1] (buffer) fgetc:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  ch2 = fgetc(fhandle);
data/aaphoto-0.45/aaio.c:725:27:  [1] (buffer) fgetc:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  ch1 = fgetc(fhandle);
data/aaphoto-0.45/aaio.c:726:27:  [1] (buffer) fgetc:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  ch2 = fgetc(fhandle);

ANALYSIS SUMMARY:

Hits = 42
Lines analyzed = 5487 in approximately 0.16 seconds (33959 lines/second)
Physical Source Lines of Code (SLOC) = 3423
Hits@level = [0]  11 [1]  14 [2]  28 [3]   0 [4]   0 [5]   0
Hits@level+ = [0+]  53 [1+]  42 [2+]  28 [3+]   0 [4+]   0 [5+]   0
Hits/KSLOC@level+ = [0+] 15.4835 [1+] 12.2699 [2+] 8.17996 [3+]   0 [4+]   0 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.