Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/alsamixergui-0.9.0rc2-1/src/Fl_AM.H
Examining data/alsamixergui-0.9.0rc2-1/src/Fl_Menu_Button.cxx
Examining data/alsamixergui-0.9.0rc2-1/src/defines.H
Examining data/alsamixergui-0.9.0rc2-1/src/ncurser_to_fl.H
Examining data/alsamixergui-0.9.0rc2-1/src/Fl_AM.cxx
Examining data/alsamixergui-0.9.0rc2-1/src/Fl_Pixmap_Button.H
Examining data/alsamixergui-0.9.0rc2-1/src/alsamixer.cxx
Parsing failed to find end of parameter list; semicolon terminated it in (errorstr, #else fprintf (stderr, #endif /* #ifdef ALSAMIXER_GUI */ PRGNAME ": function %s failed for %s: %s\n", err_string, card_id, snd_strerror (xerrno)
Parsing failed to find end of parameter list; semicolon terminated it in (errorstr, #else fprintf (stderr, #endif /* #ifdef ALSAMIXER_GUI */ PRGNAME ": function %s failed: %s\n", err_string, snd_strerror (xerrno)); break; case
Parsing failed to find end of parameter list; semicolon terminated it in (errorstr, #else fprintf (stderr, #endif /* #ifdef ALSAMIXER_GUI */ PRGNAME ": aborting due to signal `%s'\n", err_string); break; case ERR_WINSIZE: #ifdef ALSAM
Parsing failed to find end of parameter list; semicolon terminated it in (errorstr, #else fprintf (stderr, #endif /* #ifdef ALSAMIXER_GUI */ PRGNAME ": screen size too small (%dx%d)\n", mixer_max_x, mixer_max_y); break; defaul

FINAL RESULTS:

data/alsamixergui-0.9.0rc2-1/src/Fl_AM.cxx:203:2:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
  strcat(tmp,mixer_card_name);
data/alsamixergui-0.9.0rc2-1/src/Fl_AM.cxx:208:2:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
  strcat(tmp,mixer_device_name);
data/alsamixergui-0.9.0rc2-1/src/Fl_AM.cxx:244:5:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf(string1, "%s %d", snd_mixer_selem_id_get_name(sid), snd_mixer_selem_id_get_index(sid));
data/alsamixergui-0.9.0rc2-1/src/Fl_AM.cxx:246:5:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(string1, snd_mixer_selem_id_get_name(sid));
data/alsamixergui-0.9.0rc2-1/src/alsamixer.cxx:450:7:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf (errorstr,
data/alsamixergui-0.9.0rc2-1/src/alsamixer.cxx:452:7:  [4] (format) fprintf:
  If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification.
  fprintf (stderr,
data/alsamixergui-0.9.0rc2-1/src/alsamixer.cxx:461:7:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf (errorstr,
data/alsamixergui-0.9.0rc2-1/src/alsamixer.cxx:463:7:  [4] (format) fprintf:
  If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification.
  fprintf (stderr,
data/alsamixergui-0.9.0rc2-1/src/alsamixer.cxx:471:7:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf (errorstr,
data/alsamixergui-0.9.0rc2-1/src/alsamixer.cxx:473:7:  [4] (format) fprintf:
  If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification.
  fprintf (stderr,
data/alsamixergui-0.9.0rc2-1/src/alsamixer.cxx:480:7:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf (errorstr,
data/alsamixergui-0.9.0rc2-1/src/alsamixer.cxx:482:7:  [4] (format) fprintf:
  If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification.
  fprintf (stderr,
data/alsamixergui-0.9.0rc2-1/src/alsamixer.cxx:818:5:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(string, snd_mixer_selem_id_get_name(sid));
data/alsamixergui-0.9.0rc2-1/src/alsamixer.cxx:841:5:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf(string1, "%s%s %d", snd_mixer_selem_id_get_name(sid), suffix, snd_mixer_selem_id_get_index(sid));
data/alsamixergui-0.9.0rc2-1/src/alsamixer.cxx:843:5:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf(string1, "%s%s", snd_mixer_selem_id_get_name(sid), suffix);
data/alsamixergui-0.9.0rc2-1/src/alsamixer.cxx:849:3:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf (string + (8 - strlen (string1)) / 2, "%s ", string1);
data/alsamixergui-0.9.0rc2-1/src/alsamixer.cxx:1071:3:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf (string, "%s", mixer_card_name);
data/alsamixergui-0.9.0rc2-1/src/alsamixer.cxx:1082:3:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf (string, "%s", mixer_device_name);
data/alsamixergui-0.9.0rc2-1/src/alsamixer.cxx:1119:3:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf (string, "%s %s", PRGNAME_UPPER, VERSION);
data/alsamixergui-0.9.0rc2-1/src/alsamixer.cxx:1517:3:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(mixer_card_name, snd_ctl_card_info_get_name(hw_info));
data/alsamixergui-0.9.0rc2-1/src/alsamixer.cxx:1518:3:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(mixer_device_name, snd_ctl_card_info_get_mixername(hw_info));
data/alsamixergui-0.9.0rc2-1/src/alsamixer.cxx:2107:13:  [3] (buffer) getopt:
  Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  opt = getopt (argc, argv, "c:D:shg");
data/alsamixergui-0.9.0rc2-1/src/Fl_AM.cxx:80:8:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  extern char mixer_card_name[128];
data/alsamixergui-0.9.0rc2-1/src/Fl_AM.cxx:81:8:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  extern char mixer_device_name[128];
data/alsamixergui-0.9.0rc2-1/src/Fl_AM.cxx:135:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char tmp[256];
data/alsamixergui-0.9.0rc2-1/src/Fl_AM.cxx:200:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char tmp[256];
data/alsamixergui-0.9.0rc2-1/src/Fl_AM.cxx:202:2:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string.
  strcpy(tmp,"Card: ");
data/alsamixergui-0.9.0rc2-1/src/Fl_AM.cxx:207:2:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string.
  strcpy(tmp,"Chip: ");
data/alsamixergui-0.9.0rc2-1/src/Fl_AM.cxx:260:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char string[256];
data/alsamixergui-0.9.0rc2-1/src/alsamixer.cxx:210:8:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char card_id[64] = "default";
data/alsamixergui-0.9.0rc2-1/src/alsamixer.cxx:212:8:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char mixer_card_name[128];
data/alsamixergui-0.9.0rc2-1/src/alsamixer.cxx:213:8:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char mixer_device_name[128];
data/alsamixergui-0.9.0rc2-1/src/alsamixer.cxx:443:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char errorstr[256];
data/alsamixergui-0.9.0rc2-1/src/alsamixer.cxx:748:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char string[128], string1[64], *suffix;
data/alsamixergui-0.9.0rc2-1/src/alsamixer.cxx:820:7:  [2] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant string.
  strcat(string, " Capture");
data/alsamixergui-0.9.0rc2-1/src/alsamixer.cxx:822:7:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(string + strlen(string), " %i", snd_mixer_selem_id_get_index(sid));
data/alsamixergui-0.9.0rc2-1/src/alsamixer.cxx:859:3:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf (string, "%ld", vleft);
data/alsamixergui-0.9.0rc2-1/src/alsamixer.cxx:865:3:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf (string, "%ld", vright);
data/alsamixergui-0.9.0rc2-1/src/alsamixer.cxx:1060:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char string[128];
data/alsamixergui-0.9.0rc2-1/src/alsamixer.cxx:1395:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy (vbuf->buffer + vbuf->len, text, len);
data/alsamixergui-0.9.0rc2-1/src/alsamixer.cxx:1406:8:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  fd = open (name, O_RDONLY);
data/alsamixergui-0.9.0rc2-1/src/alsamixer.cxx:1409:7:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buffer[1025];
data/alsamixergui-0.9.0rc2-1/src/alsamixer.cxx:2122:6:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(card_id, "hw:%i", i);
data/alsamixergui-0.9.0rc2-1/src/Fl_AM.cxx:264:5:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  strlen("PCM Chorus ")) &&
data/alsamixergui-0.9.0rc2-1/src/Fl_AM.cxx:266:5:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  strlen("PCM Front ")) &&
data/alsamixergui-0.9.0rc2-1/src/Fl_AM.cxx:268:5:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  strlen("PCM Pan Playback Control ")) &&
data/alsamixergui-0.9.0rc2-1/src/Fl_AM.cxx:269:33:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  strncmp(string,"PCM Reverb ",strlen("PCM Reverb "))
data/alsamixergui-0.9.0rc2-1/src/Fl_AM.cxx:467:9:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  int n=strlen(substr[i]);
data/alsamixergui-0.9.0rc2-1/src/Fl_AM.cxx:479:3:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy(ptr,substr[i],n);
data/alsamixergui-0.9.0rc2-1/src/alsamixer.cxx:444:3:  [1] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant character.
  strcpy(errorstr,"");
data/alsamixergui-0.9.0rc2-1/src/alsamixer.cxx:822:24:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  sprintf(string + strlen(string), " %i", snd_mixer_selem_id_get_index(sid));
data/alsamixergui-0.9.0rc2-1/src/alsamixer.cxx:824:5:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy(string1, string, strlen(string));
data/alsamixergui-0.9.0rc2-1/src/alsamixer.cxx:824:30:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  strncpy(string1, string, strlen(string));
data/alsamixergui-0.9.0rc2-1/src/alsamixer.cxx:849:26:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  sprintf (string + (8 - strlen (string1)) / 2, "%s ", string1);
data/alsamixergui-0.9.0rc2-1/src/alsamixer.cxx:860:24:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  mvaddstr (y, x + 3 - strlen (string), string);
data/alsamixergui-0.9.0rc2-1/src/alsamixer.cxx:1073:7:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen (string) > max_len)
data/alsamixergui-0.9.0rc2-1/src/alsamixer.cxx:1084:7:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen (string) > max_len)
data/alsamixergui-0.9.0rc2-1/src/alsamixer.cxx:1120:13:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  max_len = strlen (string);
data/alsamixergui-0.9.0rc2-1/src/alsamixer.cxx:1292:11:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  l = strlen (title);
data/alsamixergui-0.9.0rc2-1/src/alsamixer.cxx:1380:64:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  #define vbuffer_append_string(vb,str) vbuffer_append (vb, str, strlen (str))
data/alsamixergui-0.9.0rc2-1/src/alsamixer.cxx:1414:8:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  l = read (fd, buffer, 1024);
data/alsamixergui-0.9.0rc2-1/src/alsamixer.cxx:2126:4:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy(card_id, optarg, sizeof(card_id));

ANALYSIS SUMMARY:

Hits = 62
Lines analyzed = 3175 in approximately 0.07 seconds (44073 lines/second)
Physical Source Lines of Code (SLOC) = 2584
Hits@level = [0]   6 [1]  19 [2]  21 [3]   1 [4]  21 [5]   0
Hits@level+ = [0+]  68 [1+]  62 [2+]  43 [3+]  22 [4+]  21 [5+]   0
Hits/KSLOC@level+ = [0+] 26.3158 [1+] 23.9938 [2+] 16.6409 [3+] 8.51393 [4+] 8.12693 [5+]   0
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.