Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/bitshuffle-0.3.5/lz4/lz4.c
Examining data/bitshuffle-0.3.5/lz4/lz4.h
Examining data/bitshuffle-0.3.5/lzf/example.c
Examining data/bitshuffle-0.3.5/lzf/lzf/lzf.h
Examining data/bitshuffle-0.3.5/lzf/lzf/lzfP.h
Examining data/bitshuffle-0.3.5/lzf/lzf/lzf_c.c
Examining data/bitshuffle-0.3.5/lzf/lzf/lzf_d.c
Examining data/bitshuffle-0.3.5/lzf/lzf_filter.c
Examining data/bitshuffle-0.3.5/lzf/lzf_filter.h
Examining data/bitshuffle-0.3.5/src/bitshuffle.c
Examining data/bitshuffle-0.3.5/src/bitshuffle.h
Examining data/bitshuffle-0.3.5/src/bitshuffle_core.c
Examining data/bitshuffle-0.3.5/src/bitshuffle_core.h
Examining data/bitshuffle-0.3.5/src/bitshuffle_internals.h
Examining data/bitshuffle-0.3.5/src/bshuf_h5filter.c
Examining data/bitshuffle-0.3.5/src/bshuf_h5filter.h
Examining data/bitshuffle-0.3.5/src/bshuf_h5plugin.c
Examining data/bitshuffle-0.3.5/src/iochain.c
Examining data/bitshuffle-0.3.5/src/iochain.h
Examining data/bitshuffle-0.3.5/src/lzf_h5plugin.c

FINAL RESULTS:

data/bitshuffle-0.3.5/lz4/lz4.c:148:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(&val16, memPtr, 2);
data/bitshuffle-0.3.5/lz4/lz4.c:169:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(memPtr, &value, 2);
data/bitshuffle-0.3.5/lz4/lz4.c:182:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(&val32, memPtr, 4);
data/bitshuffle-0.3.5/lz4/lz4.c:189:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(&val64, memPtr, 8);
data/bitshuffle-0.3.5/lz4/lz4.c:202:59:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  static void LZ4_copy4(void* dstPtr, const void* srcPtr) { memcpy(dstPtr, srcPtr, 4); }
data/bitshuffle-0.3.5/lz4/lz4.c:204:59:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  static void LZ4_copy8(void* dstPtr, const void* srcPtr) { memcpy(dstPtr, srcPtr, 8); }
data/bitshuffle-0.3.5/lz4/lz4.c:648:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(op, anchor, lastRun);
data/bitshuffle-0.3.5/lz4/lz4.c:884:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(op, anchor, lastRunSize);
data/bitshuffle-0.3.5/lz4/lz4.c:1186:13:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(op, ip, length);
data/bitshuffle-0.3.5/lz4/lz4.c:1228:17:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(op, dictEnd - copySize, copySize);
data/bitshuffle-0.3.5/lz4/lz4.c:1239:21:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(op, lowPrefix, copySize);
data/bitshuffle-0.3.5/src/bitshuffle.c:69:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy((char *) out + 4, tmp_buf_lz4, nbytes);
data/bitshuffle-0.3.5/src/bitshuffle_core.c:137:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(out_b, in_b, size * elem_size);
data/bitshuffle-0.3.5/src/bitshuffle_core.c:235:13:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(&out_b[(jj*lda + ii) * elem_size],
data/bitshuffle-0.3.5/src/bitshuffle_core.c:1716:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(last_out, last_in, leftover_bytes);
data/bitshuffle-0.3.5/src/bshuf_h5filter.c:41:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char msg[80];
data/bitshuffle-0.3.5/src/bshuf_h5filter.c:69:13:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(msg, "Error in bitshuffle. Invalid block size: %d.",
data/bitshuffle-0.3.5/src/bshuf_h5filter.c:100:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char msg[80];
data/bitshuffle-0.3.5/src/bshuf_h5filter.c:181:9:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(msg, "Error in bitshuffle with error code %d.", err);

ANALYSIS SUMMARY:

Hits = 19
Lines analyzed = 5901 in approximately 0.17 seconds (34638 lines/second)
Physical Source Lines of Code (SLOC) = 3484
Hits@level = [0]   4 [1]   0 [2]  19 [3]   0 [4]   0 [5]   0
Hits@level+ = [0+]  23 [1+]  19 [2+]  19 [3+]   0 [4+]   0 [5+]   0
Hits/KSLOC@level+ = [0+] 6.60161 [1+] 5.4535 [2+] 5.4535 [3+]   0 [4+]   0 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.
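The four bshuf_h5filter.c hits (the two `char msg[80]` buffers and the two sprintf() calls into them) are the only ones in this report that carry enough context to check the "risk is low because the source has a constant maximum length" note, because the buffer size and the format strings are both visible. The program below is an added illustration, not bitshuffle's code and not part of Flawfinder's output. It takes the 80-byte buffer and the two format strings from the hits, computes the longest string each format can produce for any `%d` argument (INT_MIN renders as "-2147483648", 11 characters), checks that it fits, and shows the snprintf() replacement Flawfinder recommends together with its truncation check. It assumes the argument passed for `%d` really is an int (the first sprintf's argument is cut off in the report; if the real argument is wider than int, the format specifier itself is the defect). The functions worst_case_len, fits, format_msg, check_message and truncation_is_safe are illustrative names, not project API.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Buffer size and format strings are the ones visible in the Flawfinder hits
 * for bshuf_h5filter.c (char msg[80] at lines 41 and 100, sprintf at 69 and
 * 181). Everything else in this file is an added illustration, not bitshuffle
 * code. The %d argument is assumed to be an int, as the specifier requires. */
#define MSG_SIZE 80
static const char FMT_BLOCK_SIZE[] = "Error in bitshuffle. Invalid block size: %d.";
static const char FMT_ERR_CODE[]   = "Error in bitshuffle with error code %d.";

/* Worst-case formatted length, excluding the NUL, of a format string that
 * consumes exactly one %d argument. INT_MIN renders as "-2147483648" (11
 * characters), the longest output %d can produce, so it bounds every value.
 * snprintf(NULL, 0, ...) computes the length without writing anything. */
static int worst_case_len(const char *fmt)
{
    return snprintf(NULL, 0, fmt, INT_MIN);
}

/* 1 if every possible %d value fits in a buffer of `size` bytes, NUL included. */
static int fits(const char *fmt, size_t size)
{
    int n = worst_case_len(fmt);
    return n >= 0 && (size_t)n + 1 <= size;
}

/* Hardened form of the two flagged sprintf() calls. snprintf() never writes
 * past `size` bytes and returns the length it wanted to write, so truncation
 * is detected instead of becoming an overflow. Returns 1 on success, 0 if the
 * message was truncated or an encoding error occurred. */
static int format_msg(char *msg, size_t size, const char *fmt, int value)
{
    int n = snprintf(msg, size, fmt, value);
    return n >= 0 && (size_t)n < size;
}

/* Formats `value` into a MSG_SIZE buffer; returns 1 when the result is exactly
 * `expected`. */
static int check_message(const char *fmt, int value, const char *expected)
{
    char msg[MSG_SIZE];
    return format_msg(msg, sizeof msg, fmt, value) && strcmp(msg, expected) == 0;
}

/* Formats into a deliberately undersized window of a larger buffer to show the
 * failure mode: returns 1 only if format_msg() reported truncation, the window
 * is still NUL-terminated, and the byte just past the window was untouched. */
static int truncation_is_safe(size_t small_size)
{
    char buf[MSG_SIZE];
    if (small_size == 0 || small_size >= sizeof buf)
        return 0;
    memset(buf, 'X', sizeof buf);
    int ok = format_msg(buf, small_size, FMT_BLOCK_SIZE, 4096);
    return !ok && buf[small_size - 1] == '\0' && buf[small_size] == 'X';
}

int main(void)
{
    printf("block-size message: worst case %d chars, fits in %d bytes: %s\n",
           worst_case_len(FMT_BLOCK_SIZE), MSG_SIZE,
           fits(FMT_BLOCK_SIZE, MSG_SIZE) ? "yes" : "NO");
    printf("error-code message: worst case %d chars, fits in %d bytes: %s\n",
           worst_case_len(FMT_ERR_CODE), MSG_SIZE,
           fits(FMT_ERR_CODE, MSG_SIZE) ? "yes" : "NO");
    printf("undersized 16-byte buffer handled safely: %s\n",
           truncation_is_safe(16) ? "yes" : "NO");
    return 0;
}
```

For these two formats the bound is 53 and 48 characters plus the NUL, well inside 80 bytes, so the report's "risk is low" note holds as long as the argument is an int; the snprintf() form costs nothing and keeps that property if the message text is ever lengthened. The 15 memcpy hits cannot be closed out the same way: the bound the report asks for depends on the destination sizes (`op`, `out`, `out_b`, `last_out`), which are not visible in the report and have to be checked in the source.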