Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/dvdtape-1.6/config.h
Examining data/dvdtape-1.6/dvdtape.c
Examining data/dvdtape-1.6/isosize.c

FINAL RESULTS:

data/dvdtape-1.6/dvdtape.c:421:4:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf((char *)buf,
data/dvdtape-1.6/dvdtape.c:134:16:  [3] (buffer) getopt_long:
  Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  while ((opt = getopt_long(argc, argv, "l:L:s:S:o:O:u:l:",
data/dvdtape-1.6/dvdtape.c:70:8:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char time_string[7];
data/dvdtape-1.6/dvdtape.c:82:1:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char master_id[49] = "\0";
data/dvdtape-1.6/dvdtape.c:158:22:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  case 'l': layer = atoi(optarg); break;
data/dvdtape-1.6/dvdtape.c:160:14:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  layers = atoi(optarg);
data/dvdtape-1.6/dvdtape.c:179:23:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  readout_speed = atoi(optarg);
data/dvdtape-1.6/dvdtape.c:188:21:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  case 's': side = atoi(optarg); break;
data/dvdtape-1.6/dvdtape.c:190:15:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  sides = atoi(optarg);
data/dvdtape-1.6/dvdtape.c:315:14:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char buf[blocksize];
data/dvdtape-1.6/dvdtape.c:338:13:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char buf[81];
data/dvdtape-1.6/dvdtape.c:339:4:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf((char *)buf,
data/dvdtape-1.6/dvdtape.c:354:13:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char buf[81];
data/dvdtape-1.6/dvdtape.c:355:4:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf((char *)buf,
data/dvdtape-1.6/dvdtape.c:397:13:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char buf[81];
data/dvdtape-1.6/dvdtape.c:398:4:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf((char *)buf,
data/dvdtape-1.6/dvdtape.c:414:13:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char buf[129];
data/dvdtape-1.6/dvdtape.c:415:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char txtsize[3];
data/dvdtape-1.6/dvdtape.c:417:6:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string.
  strcpy(txtsize, " ");
data/dvdtape-1.6/dvdtape.c:419:6:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf (txtsize, "%02lu", strlen(usertext));
data/dvdtape-1.6/dvdtape.c:459:13:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char buf[129];
data/dvdtape-1.6/dvdtape.c:460:4:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf((char *)buf,
data/dvdtape-1.6/dvdtape.c:530:23:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  make_control(unsigned char control[DEFAULT_CONTROL_SIZE]) {
data/dvdtape-1.6/dvdtape.c:581:21:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  (control_fd = open(control_filename, O_RDONLY)) < 0) {
data/dvdtape-1.6/dvdtape.c:661:2:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf (time_string, "%c%02d%03d",
data/dvdtape-1.6/dvdtape.c:678:14:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if ((infd = open (input_filename, O_RDONLY, 0644)) < 0) {
data/dvdtape-1.6/dvdtape.c:684:15:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if ((outfd = open (output_filename, O_WRONLY|O_CREAT, 0644)) < 0) {
data/dvdtape-1.6/isosize.c:29:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char type [ISODCL ( 1, 1)]; /* 711 */
data/dvdtape-1.6/isosize.c:30:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char id [ISODCL ( 2, 6)];
data/dvdtape-1.6/isosize.c:31:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char version [ISODCL ( 7, 7)]; /* 711 */
data/dvdtape-1.6/isosize.c:32:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char unused1 [ISODCL ( 8, 8)];
data/dvdtape-1.6/isosize.c:33:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char system_id [ISODCL ( 9, 40)]; /* aunsigned chars */
data/dvdtape-1.6/isosize.c:34:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char volume_id [ISODCL ( 41, 72)]; /* dunsigned chars */
data/dvdtape-1.6/isosize.c:35:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char unused2 [ISODCL ( 73, 80)];
data/dvdtape-1.6/isosize.c:36:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char volume_space_size [ISODCL ( 81, 88)]; /* 733 */
data/dvdtape-1.6/isosize.c:37:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char unused3 [ISODCL ( 89, 120)];
data/dvdtape-1.6/isosize.c:38:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char volume_set_size [ISODCL (121, 124)]; /* 723 */
data/dvdtape-1.6/isosize.c:39:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char volume_sequence_number [ISODCL (125, 128)]; /* 723 */
data/dvdtape-1.6/isosize.c:40:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char logical_block_size [ISODCL (129, 132)]; /* 723 */
data/dvdtape-1.6/isosize.c:41:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char path_table_size [ISODCL (133, 140)]; /* 733 */
data/dvdtape-1.6/isosize.c:42:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char type_l_path_table [ISODCL (141, 144)]; /* 731 */
data/dvdtape-1.6/isosize.c:43:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char opt_type_l_path_table [ISODCL (145, 148)]; /* 731 */
data/dvdtape-1.6/isosize.c:44:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char type_m_path_table [ISODCL (149, 152)]; /* 732 */
data/dvdtape-1.6/isosize.c:45:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char opt_type_m_path_table [ISODCL (153, 156)]; /* 732 */
data/dvdtape-1.6/isosize.c:46:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char root_directory_record [ISODCL (157, 190)]; /* 9.1 */
data/dvdtape-1.6/isosize.c:47:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char volume_set_id [ISODCL (191, 318)]; /* dunsigned chars */
data/dvdtape-1.6/isosize.c:48:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char publisher_id [ISODCL (319, 446)]; /* achars */
data/dvdtape-1.6/isosize.c:49:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char preparer_id [ISODCL (447, 574)]; /* achars */
data/dvdtape-1.6/isosize.c:50:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char application_id [ISODCL (575, 702)]; /* achars */
data/dvdtape-1.6/isosize.c:51:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char copyright_file_id [ISODCL (703, 739)]; /* 7.5 dchars */
data/dvdtape-1.6/isosize.c:52:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char abstract_file_id [ISODCL (740, 776)]; /* 7.5 dchars */
data/dvdtape-1.6/isosize.c:53:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char bibliographic_file_id [ISODCL (777, 813)]; /* 7.5 dchars */
data/dvdtape-1.6/isosize.c:54:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char creation_date [ISODCL (814, 830)]; /* 8.4.26.1 */
data/dvdtape-1.6/isosize.c:55:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char modification_date [ISODCL (831, 847)]; /* 8.4.26.1 */
data/dvdtape-1.6/isosize.c:56:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char expiration_date [ISODCL (848, 864)]; /* 8.4.26.1 */
data/dvdtape-1.6/isosize.c:57:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char effective_date [ISODCL (865, 881)]; /* 8.4.26.1 */
data/dvdtape-1.6/isosize.c:58:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char file_structure_version [ISODCL (882, 882)]; /* 711 */
data/dvdtape-1.6/isosize.c:59:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char unused4 [ISODCL (883, 883)];
data/dvdtape-1.6/isosize.c:60:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char application_data [ISODCL (884, 1395)];
data/dvdtape-1.6/isosize.c:61:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char unused5 [ISODCL (1396, 2048)];
data/dvdtape-1.6/dvdtape.c:164:7:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy(master_id,optarg,sizeof(master_id)-1);
data/dvdtape-1.6/dvdtape.c:275:20:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  int this_len = read(infd, buf, len);
data/dvdtape-1.6/dvdtape.c:416:6:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen(usertext) == 0)
data/dvdtape-1.6/dvdtape.c:419:33:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  sprintf (txtsize, "%02lu", strlen(usertext));
data/dvdtape-1.6/isosize.c:71:3:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  read(infile, &ipd, sizeof(ipd));

ANALYSIS SUMMARY:

Hits = 65
Lines analyzed = 812 in approximately 0.04 seconds (18592 lines/second)
Physical Source Lines of Code (SLOC) = 679
Hits@level = [0]  26 [1]   5 [2]  58 [3]   1 [4]   1 [5]   0
Hits@level+ = [0+]  91 [1+]  65 [2+]  60 [3+]   2 [4+]   1 [5+]   0
Hits/KSLOC@level+ = [0+] 134.021 [1+] 95.729 [2+] 88.3652 [3+] 2.94551 [4+] 1.47275 [5+]   0
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.