Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/cjose-0.6.1+dfsg1/include/cjose/base64.h
Examining data/cjose-0.6.1+dfsg1/include/cjose/cjose.h
Examining data/cjose-0.6.1+dfsg1/include/cjose/error.h
Examining data/cjose-0.6.1+dfsg1/include/cjose/header.h
Examining data/cjose-0.6.1+dfsg1/include/cjose/jwe.h
Examining data/cjose-0.6.1+dfsg1/include/cjose/jwk.h
Examining data/cjose-0.6.1+dfsg1/include/cjose/jws.h
Examining data/cjose-0.6.1+dfsg1/include/cjose/util.h
Examining data/cjose-0.6.1+dfsg1/src/base64.c
Examining data/cjose-0.6.1+dfsg1/src/error.c
Examining data/cjose-0.6.1+dfsg1/src/header.c
Examining data/cjose-0.6.1+dfsg1/src/include/concatkdf_int.h
Examining data/cjose-0.6.1+dfsg1/src/include/header_int.h
Examining data/cjose-0.6.1+dfsg1/src/include/jwe_int.h
Examining data/cjose-0.6.1+dfsg1/src/include/jwk_int.h
Examining data/cjose-0.6.1+dfsg1/src/include/jws_int.h
Examining data/cjose-0.6.1+dfsg1/src/include/util_int.h
Examining data/cjose-0.6.1+dfsg1/src/jwe.c
Examining data/cjose-0.6.1+dfsg1/src/jwk.c
Examining data/cjose-0.6.1+dfsg1/src/jws.c
Examining data/cjose-0.6.1+dfsg1/src/util.c
Examining data/cjose-0.6.1+dfsg1/src/version.c
Examining data/cjose-0.6.1+dfsg1/src/concatkdf.c
Examining data/cjose-0.6.1+dfsg1/test/check_base64.c
Examining data/cjose-0.6.1+dfsg1/test/check_cjose.c
Examining data/cjose-0.6.1+dfsg1/test/check_cjose.h
Examining data/cjose-0.6.1+dfsg1/test/check_header.c
Examining data/cjose-0.6.1+dfsg1/test/check_jwe.c
Examining data/cjose-0.6.1+dfsg1/test/check_jwk.c
Examining data/cjose-0.6.1+dfsg1/test/check_jws.c
Examining data/cjose-0.6.1+dfsg1/test/check_util.c
Examining data/cjose-0.6.1+dfsg1/test/check_version.c
Examining data/cjose-0.6.1+dfsg1/test/check_concatkdf.c

FINAL RESULTS:

data/cjose-0.6.1+dfsg1/src/include/jwe_int.h:38:68:  [3] (random) random:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
  bool (*set_cek)(cjose_jwe_t *jwe, const cjose_jwk_t *jwk, bool random, cjose_err *err);
data/cjose-0.6.1+dfsg1/src/jwe.c:31:87:  [3] (random) random:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
  static bool _cjose_jwe_set_cek_a256gcm(cjose_jwe_t *jwe, const cjose_jwk_t *jwk, bool random, cjose_err *err);
data/cjose-0.6.1+dfsg1/src/jwe.c:33:87:  [3] (random) random:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
  static bool _cjose_jwe_set_cek_aes_cbc(cjose_jwe_t *jwe, const cjose_jwk_t *jwk, bool random, cjose_err *err);
data/cjose-0.6.1+dfsg1/src/jwe.c:181:50:  [3] (random) random:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
  static bool _cjose_jwe_malloc(size_t bytes, bool random, uint8_t **buffer, cjose_err *err)
data/cjose-0.6.1+dfsg1/src/jwe.c:189:9:  [3] (random) random:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
  if (random)
data/cjose-0.6.1+dfsg1/src/jwe.c:364:87:  [3] (random) random:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
  static bool _cjose_jwe_set_cek_a256gcm(cjose_jwe_t *jwe, const cjose_jwk_t *jwk, bool random, cjose_err *err)
data/cjose-0.6.1+dfsg1/src/jwe.c:378:41:  [3] (random) random:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
  if (!_cjose_jwe_malloc(keysize, random, &jwe->cek, err))
data/cjose-0.6.1+dfsg1/src/jwe.c:407:87:  [3] (random) random:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
  static bool _cjose_jwe_set_cek_aes_cbc(cjose_jwe_t *jwe, const cjose_jwk_t *jwk, bool random, cjose_err *err)
data/cjose-0.6.1+dfsg1/src/jwe.c:437:42:  [3] (random) random:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
  if (!_cjose_jwe_malloc(keysize, !random, &jwe->cek, err))
data/cjose-0.6.1+dfsg1/test/check_jwe.c:272:22:  [3] (random) random:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
  size_t len = random() % 1024;
data/cjose-0.6.1+dfsg1/test/check_jws.c:204:22:  [3] (random) random:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
  size_t len = random() % 1024;
data/cjose-0.6.1+dfsg1/src/concatkdf.c:21:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(buffer, &big_endian_int32, 4);
data/cjose-0.6.1+dfsg1/src/concatkdf.c:32:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(ptr, data, len);
data/cjose-0.6.1+dfsg1/src/concatkdf.c:148:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(ptr, hash, min_len(hashlen, amt));
data/cjose-0.6.1+dfsg1/src/jwe.c:399:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(jwe->cek, jwk->keydata, keysize);
data/cjose-0.6.1+dfsg1/src/jwe.c:458:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(jwe->cek, jwk->keydata, keysize);
data/cjose-0.6.1+dfsg1/src/jwe.c:1056:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(p, jwe->enc_header.b64u, jwe->enc_header.b64u_len);
data/cjose-0.6.1+dfsg1/src/jwe.c:1058:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(p, jwe->enc_iv.raw, jwe->enc_iv.raw_len);
data/cjose-0.6.1+dfsg1/src/jwe.c:1060:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(p, jwe->enc_ct.raw, jwe->enc_ct.raw_len);
data/cjose-0.6.1+dfsg1/src/jwe.c:1072:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(p, &al, sizeof(uint64_t));
data/cjose-0.6.1+dfsg1/src/jwe.c:1185:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(jwe->enc_auth_tag.raw, tag, tag_len);
data/cjose-0.6.1+dfsg1/src/jwe.c:1953:13:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(cek, jwe->cek, cek_len);
data/cjose-0.6.1+dfsg1/src/jwk.c:475:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(buffer, data, len);
data/cjose-0.6.1+dfsg1/src/jwk.c:1867:14:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  unsigned char prk[EVP_MAX_MD_SIZE];
data/cjose-0.6.1+dfsg1/src/jws.c:130:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(jws->dat, plaintext, jws->dat_len);
data/cjose-0.6.1+dfsg1/src/jws.c:507:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(jws->sig, jws->dig, jws->sig_len);
data/cjose-0.6.1+dfsg1/src/util.c:125:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(result, str, len);
data/cjose-0.6.1+dfsg1/test/check_jwe.c:1117:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  const char *algs[2] = { CJOSE_HDR_ALG_RSA_OAEP, CJOSE_HDR_ALG_RSA1_5 };
data/cjose-0.6.1+dfsg1/test/check_jwe.c:1126:9:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char kid[32];
data/cjose-0.6.1+dfsg1/src/concatkdf.c:63:33:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  apuLen = (NULL != apuStr) ? strlen(apuStr) : 0;
data/cjose-0.6.1+dfsg1/src/concatkdf.c:68:33:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  apvLen = (NULL != apvStr) ? strlen(apvStr) : 0;
data/cjose-0.6.1+dfsg1/src/concatkdf.c:74:27:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  const size_t algLen = strlen(alg);
data/cjose-0.6.1+dfsg1/src/jwe.c:217:18:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  size_t len = strlen(hdr_str);
data/cjose-0.6.1+dfsg1/src/jwe.c:793:46:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  epk_jwk = cjose_jwk_import(epk_json, strlen(epk_json), err);
data/cjose-0.6.1+dfsg1/src/jwe.c:1691:56:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  return _cjose_jwe_import_part(part, empty_ok, str, strlen(str), err);
data/cjose-0.6.1+dfsg1/src/jwk.c:257:5:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
  strncpy(jwk->kid, kid, len + 1);
data/cjose-0.6.1+dfsg1/src/jwk.c:1310:24:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (str == NULL || strlen(str) == 0)
data/cjose-0.6.1+dfsg1/src/jwk.c:1321:26:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  for (end = str + strlen(str) - 1; *end == '=' && end > str; --end)
data/cjose-0.6.1+dfsg1/src/jwk.c:1336:38:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (!cjose_base64url_decode(str, strlen(str), buffer, buflen, err))
data/cjose-0.6.1+dfsg1/src/jws.c:60:59:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (!cjose_base64url_encode((const uint8_t *)hdr_str, strlen(hdr_str), &jws->hdr_b64u, &jws->hdr_b64u_len, err))
data/cjose-0.6.1+dfsg1/src/jws.c:740:5:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
  strncpy(*dst, src, len);
data/cjose-0.6.1+dfsg1/src/util.c:116:15:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  len = strlen(str);
data/cjose-0.6.1+dfsg1/test/check_concatkdf.c:94:42:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ck_assert(_cmp_lendata(&actual, alg, strlen(alg))); // ALG
data/cjose-0.6.1+dfsg1/test/check_concatkdf.c:106:27:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  const size_t apuLen = strlen((const char *)apu);
data/cjose-0.6.1+dfsg1/test/check_concatkdf.c:108:27:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  const size_t apvLen = strlen((const char *)apv);
data/cjose-0.6.1+dfsg1/test/check_concatkdf.c:119:42:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ck_assert(_cmp_lendata(&actual, alg, strlen(alg)));
data/cjose-0.6.1+dfsg1/test/check_concatkdf.c:206:68:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  cjose_header_t *hdr = _create_otherinfo_header("expected apu", strlen("expected apu"),
data/cjose-0.6.1+dfsg1/test/check_concatkdf.c:207:68:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  "expected apv", strlen("expected apv"),
data/cjose-0.6.1+dfsg1/test/check_jwe.c:107:50:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  cjose_jwk_t *jwk = cjose_jwk_import(JWK_RSA, strlen(JWK_RSA), &err);
data/cjose-0.6.1+dfsg1/test/check_jwe.c:114:50:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  cjose_jwe_t *jwe = cjose_jwe_import(JWE_RSA, strlen(JWE_RSA), &err);
data/cjose-0.6.1+dfsg1/test/check_jwe.c:129:33:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ck_assert_msg(plain2_len == strlen(PLAINTEXT),
data/cjose-0.6.1+dfsg1/test/check_jwe.c:132:19:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  strlen(PLAINTEXT), plain2_len);
data/cjose-0.6.1+dfsg1/test/check_jwe.c:145:46:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  cjose_jwk_t *jwk = cjose_jwk_import(key, strlen(key), &err);
data/cjose-0.6.1+dfsg1/test/check_jwe.c:164:25:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  size_t plain1_len = strlen(plain1);
data/cjose-0.6.1+dfsg1/test/check_jwe.c:176:51:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  cjose_jwe_t *jwe2 = cjose_jwe_import(compact, strlen(compact), &err);
data/cjose-0.6.1+dfsg1/test/check_jwe.c:193:33:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ck_assert_msg(plain2_len == strlen(plain1),
data/cjose-0.6.1+dfsg1/test/check_jwe.c:196:19:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  strlen(plain1), plain2_len);
data/cjose-0.6.1+dfsg1/test/check_jwe.c:289:24:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  size_t plain_len = strlen(plain);
data/cjose-0.6.1+dfsg1/test/check_jwe.c:301:46:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  cjose_jwk_t *jwk = cjose_jwk_import(JWK, strlen(JWK), &err);
data/cjose-0.6.1+dfsg1/test/check_jwe.c:352:24:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  size_t plain_len = strlen(plain);
data/cjose-0.6.1+dfsg1/test/check_jwe.c:383:57:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  cjose_jwk_t *jwk = cjose_jwk_import(JWK_BAD[i], strlen(JWK_BAD[i]), &err);
data/cjose-0.6.1+dfsg1/test/check_jwe.c:421:46:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  cjose_jwk_t *jwk = cjose_jwk_import(JWK, strlen(JWK), &err);
data/cjose-0.6.1+dfsg1/test/check_jwe.c:457:50:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  cjose_jwk_t *jwk = cjose_jwk_import(JWK_RSA, strlen(JWK_RSA), &err);
data/cjose-0.6.1+dfsg1/test/check_jwe.c:464:50:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  cjose_jwe_t *jwe = cjose_jwe_import(JWE_RSA, strlen(JWE_RSA), &err);
data/cjose-0.6.1+dfsg1/test/check_jwe.c:478:42:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ck_assert_msg(strncmp(JWE_RSA, cser, strlen(JWE_RSA)) == 0, "export of imported JWE doesn't match original");
data/cjose-0.6.1+dfsg1/test/check_jwe.c:590:57:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  cjose_jwe_t *jwe = cjose_jwe_import(JWE_BAD[i], strlen(JWE_BAD[i]), &err);
data/cjose-0.6.1+dfsg1/test/check_jwe.c:625:50:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  cjose_jwk_t *jwk = cjose_jwk_import(JWK_RSA, strlen(JWK_RSA), &err);
data/cjose-0.6.1+dfsg1/test/check_jwe.c:632:50:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  cjose_jwe_t *jwe = cjose_jwe_import(JWE_RSA, strlen(JWE_RSA), &err);
data/cjose-0.6.1+dfsg1/test/check_jwe.c:649:61:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  cjose_jwk_t *jwk_bad = cjose_jwk_import(JWK_BAD[i], strlen(JWK_BAD[i]), &err);
data/cjose-0.6.1+dfsg1/test/check_jwe.c:678:48:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  cjose_jwk_t *jwk = cjose_jwk_import(JWK_S, strlen(JWK_S), &err);
data/cjose-0.6.1+dfsg1/test/check_jwe.c:685:48:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  cjose_jwe_t *jwe = cjose_jwe_import(JWE_S, strlen(JWE_S), &err);
data/cjose-0.6.1+dfsg1/test/check_jwe.c:700:33:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ck_assert_msg(plain1_len == strlen(PLAINTEXT_S),
data/cjose-0.6.1+dfsg1/test/check_jwe.c:703:19:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  strlen(PLAINTEXT_S), plain1_len);
data/cjose-0.6.1+dfsg1/test/check_jwe.c:716:45:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  jwe = cjose_jwe_import(JWE_TAMPERED_AT, strlen(JWE_TAMPERED_AT), &err);
data/cjose-0.6.1+dfsg1/test/check_jwe.c:736:53:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  jwe = cjose_jwe_import(JWE_TAMPERED_CIPHERTEXT, strlen(JWE_TAMPERED_CIPHERTEXT), &err);
data/cjose-0.6.1+dfsg1/test/check_jwe.c:756:45:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  jwe = cjose_jwe_import(JWE_TAMPERED_IV, strlen(JWE_TAMPERED_IV), &err);
data/cjose-0.6.1+dfsg1/test/check_jwe.c:776:46:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  jwe = cjose_jwe_import(JWE_TAMPERED_CEK, strlen(JWE_TAMPERED_CEK), &err);
data/cjose-0.6.1+dfsg1/test/check_jwe.c:796:46:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  jwe = cjose_jwe_import(JWE_TAMPERED_HDR, strlen(JWE_TAMPERED_HDR), &err);
data/cjose-0.6.1+dfsg1/test/check_jwe.c:922:61:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  cjose_jwk_t *jwk = cjose_jwk_import(JWE_RSA[i].jwk, strlen(JWE_RSA[i].jwk), &err);
data/cjose-0.6.1+dfsg1/test/check_jwe.c:929:61:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  cjose_jwe_t *jwe = cjose_jwe_import(JWE_RSA[i].jwe, strlen(JWE_RSA[i].jwe), &err);
data/cjose-0.6.1+dfsg1/test/check_jwe.c:944:37:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ck_assert_msg(plain1_len == strlen(JWE_RSA[i].plaintext),
data/cjose-0.6.1+dfsg1/test/check_jwe.c:947:23:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  strlen(JWE_RSA[i].plaintext), plain1_len);
data/cjose-0.6.1+dfsg1/test/check_jwe.c:964:39:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  jwe = cjose_jwe_import_json(json, strlen(json), &err);
data/cjose-0.6.1+dfsg1/test/check_jwe.c:976:82:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ck_assert_msg(memcmp(decoded, PLAINTEXT, decoded_len) == 0 && decoded_len == strlen(PLAINTEXT) + 1,
data/cjose-0.6.1+dfsg1/test/check_jwe.c:1024:39:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  jwe = cjose_jwe_import_json(json, strlen(json), &err);
data/cjose-0.6.1+dfsg1/test/check_jwe.c:1128:53:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  cjose_jwk_t *jwk = cjose_jwk_import(rsa[i], strlen(rsa[i]), &err);
data/cjose-0.6.1+dfsg1/test/check_jwe.c:1137:51:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ck_assert_msg(cjose_jwk_set_kid(jwk, kid, strlen(kid), &err),
data/cjose-0.6.1+dfsg1/test/check_jwe.c:1163:91:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  cjose_jwe_t *jwe = cjose_jwe_encrypt_multi(rec, 2, protected_header, NULL, PLAINTEXT, strlen(PLAINTEXT) + 1, &err);
data/cjose-0.6.1+dfsg1/test/check_jwe.c:1175:82:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ck_assert_msg(memcmp(decoded, PLAINTEXT, decoded_len) == 0 && decoded_len == strlen(PLAINTEXT) + 1,
data/cjose-0.6.1+dfsg1/test/check_jwk.c:92:35:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  cjose_base64url_decode(RSA_e, strlen(RSA_e), &specPriv.e, &specPriv.elen, &err);
data/cjose-0.6.1+dfsg1/test/check_jwk.c:93:35:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  cjose_base64url_decode(RSA_n, strlen(RSA_n), &specPriv.n, &specPriv.nlen, &err);
data/cjose-0.6.1+dfsg1/test/check_jwk.c:94:35:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  cjose_base64url_decode(RSA_d, strlen(RSA_d), &specPriv.d, &specPriv.dlen, &err);
data/cjose-0.6.1+dfsg1/test/check_jwk.c:95:35:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  cjose_base64url_decode(RSA_p, strlen(RSA_p), &specPriv.p, &specPriv.plen, &err);
data/cjose-0.6.1+dfsg1/test/check_jwk.c:96:35:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  cjose_base64url_decode(RSA_q, strlen(RSA_q), &specPriv.q, &specPriv.qlen, &err);
data/cjose-0.6.1+dfsg1/test/check_jwk.c:97:36:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  cjose_base64url_decode(RSA_dp, strlen(RSA_dp), &specPriv.dp, &specPriv.dplen, &err);
data/cjose-0.6.1+dfsg1/test/check_jwk.c:98:36:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  cjose_base64url_decode(RSA_dq, strlen(RSA_dq), &specPriv.dq, &specPriv.dqlen, &err);
data/cjose-0.6.1+dfsg1/test/check_jwk.c:99:36:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  cjose_base64url_decode(RSA_qi, strlen(RSA_qi), &specPriv.qi, &specPriv.qilen, &err);
data/cjose-0.6.1+dfsg1/test/check_jwk.c:145:35:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  cjose_base64url_decode(RSA_e, strlen(RSA_e), &specPub.e, &specPub.elen, &err);
data/cjose-0.6.1+dfsg1/test/check_jwk.c:146:35:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  cjose_base64url_decode(RSA_n, strlen(RSA_n), &specPub.n, &specPub.nlen, &err);
data/cjose-0.6.1+dfsg1/test/check_jwk.c:211:39:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  cjose_base64url_decode(EC_P256_d, strlen(EC_P256_d), &spec.d, &spec.dlen, &err);
data/cjose-0.6.1+dfsg1/test/check_jwk.c:212:39:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  cjose_base64url_decode(EC_P256_x, strlen(EC_P256_x), &spec.x, &spec.xlen, &err);
data/cjose-0.6.1+dfsg1/test/check_jwk.c:213:39:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  cjose_base64url_decode(EC_P256_y, strlen(EC_P256_y), &spec.y, &spec.ylen, &err);
data/cjose-0.6.1+dfsg1/test/check_jwk.c:262:38:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  cjose_base64url_decode(EC_384_d, strlen(EC_384_d), &spec.d, &spec.dlen, &err);
data/cjose-0.6.1+dfsg1/test/check_jwk.c:263:38:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  cjose_base64url_decode(EC_384_x, strlen(EC_384_x), &spec.x, &spec.xlen, &err);
data/cjose-0.6.1+dfsg1/test/check_jwk.c:264:38:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  cjose_base64url_decode(EC_384_y, strlen(EC_384_y), &spec.y, &spec.ylen, &err);
data/cjose-0.6.1+dfsg1/test/check_jwk.c:313:38:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  cjose_base64url_decode(EC_521_d, strlen(EC_521_d), &spec.d, &spec.dlen, &err);
data/cjose-0.6.1+dfsg1/test/check_jwk.c:314:38:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  cjose_base64url_decode(EC_521_x, strlen(EC_521_x), &spec.x, &spec.xlen, &err);
data/cjose-0.6.1+dfsg1/test/check_jwk.c:315:38:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  cjose_base64url_decode(EC_521_y, strlen(EC_521_y), &spec.y, &spec.ylen, &err);
data/cjose-0.6.1+dfsg1/test/check_jwk.c:361:37:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  cjose_base64url_decode(OCT_KEY, strlen(OCT_KEY), &k, &klen, &err);
data/cjose-0.6.1+dfsg1/test/check_jwk.c:462:37:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  cjose_base64url_decode(OCT_KEY, strlen(OCT_KEY), &k, &klen, &err);
data/cjose-0.6.1+dfsg1/test/check_jwk.c:488:39:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  cjose_base64url_decode(EC_P256_d, strlen(EC_P256_d), &spec.d, &spec.dlen, &err);
data/cjose-0.6.1+dfsg1/test/check_jwk.c:489:39:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  cjose_base64url_decode(EC_P256_x, strlen(EC_P256_x), &spec.x, &spec.xlen, &err);
data/cjose-0.6.1+dfsg1/test/check_jwk.c:490:39:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  cjose_base64url_decode(EC_P256_y, strlen(EC_P256_y), &spec.y, &spec.ylen, &err);
data/cjose-0.6.1+dfsg1/test/check_jwk.c:533:35:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  cjose_base64url_decode(RSA_e, strlen(RSA_e), &spec.e, &spec.elen, &err);
data/cjose-0.6.1+dfsg1/test/check_jwk.c:534:35:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  cjose_base64url_decode(RSA_n, strlen(RSA_n), &spec.n, &spec.nlen, &err);
data/cjose-0.6.1+dfsg1/test/check_jwk.c:535:35:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  cjose_base64url_decode(RSA_d, strlen(RSA_d), &spec.d, &spec.dlen, &err);
data/cjose-0.6.1+dfsg1/test/check_jwk.c:536:35:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  cjose_base64url_decode(RSA_p, strlen(RSA_p), &spec.p, &spec.plen, &err);
data/cjose-0.6.1+dfsg1/test/check_jwk.c:537:35:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  cjose_base64url_decode(RSA_q, strlen(RSA_q), &spec.q, &spec.qlen, &err);
data/cjose-0.6.1+dfsg1/test/check_jwk.c:538:36:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  cjose_base64url_decode(RSA_dp, strlen(RSA_dp), &spec.dp, &spec.dplen, &err);
data/cjose-0.6.1+dfsg1/test/check_jwk.c:539:36:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  cjose_base64url_decode(RSA_dq, strlen(RSA_dq), &spec.dq, &spec.dqlen, &err);
data/cjose-0.6.1+dfsg1/test/check_jwk.c:540:36:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  cjose_base64url_decode(RSA_qi, strlen(RSA_qi), &spec.qi, &spec.qilen, &err);
data/cjose-0.6.1+dfsg1/test/check_jwk.c:1017:40:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  jwk = cjose_jwk_import(JWK[i], strlen(JWK[i]), &err);
data/cjose-0.6.1+dfsg1/test/check_jwk.c:1149:40:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  jwk = cjose_jwk_import(JWK[i], strlen(JWK[i]), &err);
data/cjose-0.6.1+dfsg1/test/check_jwk.c:1236:36:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  jwk = cjose_jwk_import(JWK_IN, strlen(JWK_IN), &err);
data/cjose-0.6.1+dfsg1/test/check_jwk.c:1278:36:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  jwk = cjose_jwk_import(JWK_IN, strlen(JWK_IN), &err);
data/cjose-0.6.1+dfsg1/test/check_jwk.c:1309:22:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  size_t ikm_len = strlen(ikm);
data/cjose-0.6.1+dfsg1/test/check_jwk.c:1400:60:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  cjose_jwk_t *jwk = cjose_jwk_import(JWK_BEFORE[i], strlen(JWK_BEFORE[i]), &err);
data/cjose-0.6.1+dfsg1/test/check_jwk.c:1408:50:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
ck_assert(cjose_jwk_set_kid(jwk, newKid, strlen(newKid), &err)); data/cjose-0.6.1+dfsg1/test/check_jws.c:84:48: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). cjose_jwk_t *jwk = cjose_jwk_import(s_jwk, strlen(s_jwk), err); data/cjose-0.6.1+dfsg1/test/check_jws.c:97:25: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). size_t plain1_len = strlen(plain1); data/cjose-0.6.1+dfsg1/test/check_jws.c:111:51: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). cjose_jws_t *jws2 = cjose_jws_import(compact, strlen(compact), err); data/cjose-0.6.1+dfsg1/test/check_jws.c:132:33: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). ck_assert_msg(plain2_len == strlen(plain1), "length of verified plaintext does not match length of original, " data/cjose-0.6.1+dfsg1/test/check_jws.c:134:19: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). strlen(plain1), plain2_len); data/cjose-0.6.1+dfsg1/test/check_jws.c:232:24: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). size_t plain_len = strlen(plain); data/cjose-0.6.1+dfsg1/test/check_jws.c:244:46: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). 
cjose_jwk_t *jwk = cjose_jwk_import(JWK, strlen(JWK), &err); data/cjose-0.6.1+dfsg1/test/check_jws.c:272:24: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). size_t plain_len = strlen(plain); data/cjose-0.6.1+dfsg1/test/check_jws.c:305:57: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). cjose_jwk_t *jwk = cjose_jwk_import(JWK_BAD[i], strlen(JWK_BAD[i]), &err); data/cjose-0.6.1+dfsg1/test/check_jws.c:348:46: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). cjose_jwk_t *jwk = cjose_jwk_import(JWK, strlen(JWK), &err); data/cjose-0.6.1+dfsg1/test/check_jws.c:375:53: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). cjose_jwk_t *jwk = cjose_jwk_import(JWK_COMMON, strlen(JWK_COMMON), &err); data/cjose-0.6.1+dfsg1/test/check_jws.c:381:53: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). cjose_jws_t *jws = cjose_jws_import(JWS_COMMON, strlen(JWS_COMMON), &err); data/cjose-0.6.1+dfsg1/test/check_jws.c:393:45: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). ck_assert_msg(strncmp(JWS_COMMON, cser, strlen(JWS_COMMON)) == 0, "export of imported JWS doesn't match original"); data/cjose-0.6.1+dfsg1/test/check_jws.c:433:57: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). 
cjose_jws_t *jws = cjose_jws_import(JWS_BAD[i], strlen(JWS_BAD[i]), &err); data/cjose-0.6.1+dfsg1/test/check_jws.c:446:53: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). cjose_jws_t *jws = cjose_jws_import(JWS_COMMON, strlen(JWS_COMMON), &err); data/cjose-0.6.1+dfsg1/test/check_jws.c:466:53: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). cjose_jwk_t *jwk = cjose_jwk_import(JWK_COMMON, strlen(JWK_COMMON), &err); data/cjose-0.6.1+dfsg1/test/check_jws.c:472:53: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). cjose_jws_t *jws = cjose_jws_import(JWS_COMMON, strlen(JWS_COMMON), &err); data/cjose-0.6.1+dfsg1/test/check_jws.c:490:52: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). ck_assert_msg(strncmp(PLAIN_COMMON, plaintext, strlen(PLAIN_COMMON)) == 0, data/cjose-0.6.1+dfsg1/test/check_jws.c:525:53: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). cjose_jwk_t *jwk = cjose_jwk_import(JWK_COMMON, strlen(JWK_COMMON), &err); data/cjose-0.6.1+dfsg1/test/check_jws.c:531:53: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). 
cjose_jws_t *jws = cjose_jws_import(JWS_COMMON, strlen(JWS_COMMON), &err); data/cjose-0.6.1+dfsg1/test/check_jws.c:547:61: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). cjose_jwk_t *jwk_bad = cjose_jwk_import(JWK_BAD[i], strlen(JWK_BAD[i]), &err); data/cjose-0.6.1+dfsg1/test/check_jws.c:571:46: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). cjose_jws_t *jws = cjose_jws_import(JWS, strlen(JWS), &err); data/cjose-0.6.1+dfsg1/test/check_jws.c:580:46: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). cjose_jwk_t *jwk = cjose_jwk_import(JWK, strlen(JWK), &err); data/cjose-0.6.1+dfsg1/test/check_jws.c:600:32: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). ck_assert_msg(plain_len == strlen(PLAINTEXT), "length of verified plaintext does not match length of original, " data/cjose-0.6.1+dfsg1/test/check_jws.c:602:19: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). strlen(PLAINTEXT), plain_len); data/cjose-0.6.1+dfsg1/test/check_jws.c:622:49: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). cjose_jws_t *jws_ok = cjose_jws_import(JWS, strlen(JWS), &err); data/cjose-0.6.1+dfsg1/test/check_jws.c:650:46: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). 
cjose_jwk_t *jwk = cjose_jwk_import(JWK, strlen(JWK), &err); data/cjose-0.6.1+dfsg1/test/check_jws.c:672:32: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). ck_assert_msg(plain_len == strlen(PLAINTEXT), "length of verified plaintext does not match length of original, " data/cjose-0.6.1+dfsg1/test/check_jws.c:674:19: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). strlen(PLAINTEXT), plain_len); data/cjose-0.6.1+dfsg1/test/check_jws.c:686:62: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). cjose_jws_t *jws_ts = cjose_jws_import(JWS_TAMPERED_SIG, strlen(JWS_TAMPERED_SIG), &err); data/cjose-0.6.1+dfsg1/test/check_jws.c:702:66: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). cjose_jws_t *jws_tc = cjose_jws_import(JWS_TAMPERED_CONTENT, strlen(JWS_TAMPERED_CONTENT), &err); data/cjose-0.6.1+dfsg1/test/check_jws.c:728:46: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). cjose_jws_t *jws = cjose_jws_import(JWS, strlen(JWS), &err); data/cjose-0.6.1+dfsg1/test/check_jws.c:742:46: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). 
cjose_jwk_t *jwk = cjose_jwk_import(JWK, strlen(JWK), &err); data/cjose-0.6.1+dfsg1/test/check_jws.c:764:32: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). ck_assert_msg(plain_len == strlen(PLAINTEXT), "length of verified plaintext does not match length of original, " data/cjose-0.6.1+dfsg1/test/check_jws.c:766:19: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). strlen(PLAINTEXT), plain_len); data/cjose-0.6.1+dfsg1/test/check_jws.c:784:49: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). cjose_jws_t *jws_ok = cjose_jws_import(JWS, strlen(JWS), &err); data/cjose-0.6.1+dfsg1/test/check_jws.c:797:46: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). cjose_jwk_t *jwk = cjose_jwk_import(JWK, strlen(JWK), &err); data/cjose-0.6.1+dfsg1/test/check_jws.c:819:32: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). ck_assert_msg(plain_len == strlen(PLAINTEXT), "length of verified plaintext does not match length of original, " data/cjose-0.6.1+dfsg1/test/check_jws.c:821:19: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). strlen(PLAINTEXT), plain_len); data/cjose-0.6.1+dfsg1/test/check_jws.c:832:62: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). 
cjose_jws_t *jws_ts = cjose_jws_import(JWS_TAMPERED_SIG, strlen(JWS_TAMPERED_SIG), &err); data/cjose-0.6.1+dfsg1/test/check_jws.c:847:66: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). cjose_jws_t *jws_tc = cjose_jws_import(JWS_TAMPERED_CONTENT, strlen(JWS_TAMPERED_CONTENT), &err); data/cjose-0.6.1+dfsg1/test/check_jws.c:870:46: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). cjose_jws_t *jws = cjose_jws_import(JWS, strlen(JWS), &err); data/cjose-0.6.1+dfsg1/test/check_jws.c:883:46: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). cjose_jwk_t *jwk = cjose_jwk_import(JWK, strlen(JWK), &err); data/cjose-0.6.1+dfsg1/test/check_jws.c:900:32: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). ck_assert_msg(plain_len == strlen(PLAINTEXT), "length of verified plaintext does not match length of original, " data/cjose-0.6.1+dfsg1/test/check_jws.c:902:19: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). strlen(PLAINTEXT), plain_len); data/cjose-0.6.1+dfsg1/test/check_jws.c:910:33: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). jws = cjose_jws_import(JWS, strlen(JWS), &err); data/cjose-0.6.1+dfsg1/test/check_jws.c:916:79: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). 
ck_assert_msg(!cjose_jws_sign(jwk, (cjose_header_t *)jws->hdr, PLAINTEXT, strlen(PLAINTEXT), &err), ANALYSIS SUMMARY: Hits = 175 Lines analyzed = 12136 in approximately 0.49 seconds (24802 lines/second) Physical Source Lines of Code (SLOC) = 8681 Hits@level = [0] 3 [1] 146 [2] 18 [3] 11 [4] 0 [5] 0 Hits@level+ = [0+] 178 [1+] 175 [2+] 29 [3+] 11 [4+] 0 [5+] 0 Hits/KSLOC@level+ = [0+] 20.5046 [1+] 20.159 [2+] 3.34063 [3+] 1.26714 [4+] 0 [5+] 0 Dot directories skipped = 1 (--followdotdir overrides) Minimum risk level = 1 Not every hit is necessarily a security vulnerability. There may be other security vulnerabilities; review your code! See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.