Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/exif-0.6.22/exif/actions.h
Examining data/exif-0.6.22/exif/exif-i18n.c
Examining data/exif-0.6.22/exif/exif-i18n.h
Examining data/exif-0.6.22/exif/main.c
Examining data/exif-0.6.22/exif/utils.c
Examining data/exif-0.6.22/exif/utils.h
Examining data/exif-0.6.22/exif/actions.c
Examining data/exif-0.6.22/libjpeg/jpeg-data.c
Examining data/exif-0.6.22/libjpeg/jpeg-data.h
Examining data/exif-0.6.22/libjpeg/jpeg-marker.c
Examining data/exif-0.6.22/libjpeg/jpeg-marker.h
FINAL RESULTS:
data/exif-0.6.22/exif/actions.c:71:4: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy ((char *) e->data, set_value);
data/exif-0.6.22/exif/actions.c:441:5: [4] (format) printf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
printf (ENTRY_FOUND);
data/exif-0.6.22/exif/actions.c:443:5: [4] (format) printf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
printf (ENTRY_NOT_FOUND);
data/exif-0.6.22/exif/actions.c:518:4: [4] (format) printf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
printf (ngettext("MakerNote contains %i value:\n",
data/exif-0.6.22/exif/main.c:115:3: [4] (format) vfprintf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
vfprintf (stderr, format, args);
data/exif-0.6.22/exif/main.c:123:4: [4] (format) vfprintf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
vfprintf (stdout, format, args);
data/exif-0.6.22/exif/main.c:140:3: [4] (format) vfprintf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
vfprintf (stderr, format, args);
data/exif-0.6.22/exif/main.c:160:4: [4] (format) vprintf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
vprintf (format, args);
data/exif-0.6.22/exif/actions.c:67:4: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy ((char *) e->data, "ASCII\0\0\0", 8);
data/exif-0.6.22/exif/actions.c:68:4: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy ((char *) e->data + 8, set_value,
data/exif-0.6.22/exif/actions.c:110:42: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
exif_set_short (e->data + (s * i), o, atoi (value_p));
data/exif-0.6.22/exif/actions.c:113:43: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
exif_set_sshort (e->data + (s * i), o, atoi (value_p));
data/exif-0.6.22/exif/actions.c:124:41: [2] (integer) atol:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
exif_set_long (e->data + (s * i), o, atol (value_p));
data/exif-0.6.22/exif/actions.c:135:42: [2] (integer) atol:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
exif_set_slong (e->data + (s * i), o, atol (value_p));
data/exif-0.6.22/exif/actions.c:140:21: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
e->data[s * i] = atoi (value_p);
data/exif-0.6.22/exif/actions.c:198:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char b[TAG_VALUE_BUF];
data/exif-0.6.22/exif/actions.c:296:6: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
f = fopen (p.set_thumb, "rb");
data/exif-0.6.22/exif/actions.c:379:6: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
f = fopen (fout, "wb");
data/exif-0.6.22/exif/actions.c:401:2: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char txt[TAG_VALUE_BUF];
data/exif-0.6.22/exif/actions.c:452:2: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char v[TAG_VALUE_BUF];
data/exif-0.6.22/exif/actions.c:498:2: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char b[TAG_VALUE_BUF], b1[TAG_VALUE_BUF], b2[TAG_VALUE_BUF];
data/exif-0.6.22/exif/actions.c:526:4: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(b1,"0x%04x",id);
data/exif-0.6.22/exif/actions.c:603:2: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char v[TAG_VALUE_BUF];
data/exif-0.6.22/exif/actions.c:682:5: [2] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused). Risk is low because the source is a constant string.
strcpy(out, "&");
data/exif-0.6.22/exif/actions.c:687:5: [2] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused). Risk is low because the source is a constant string.
strcpy(out, "<");
data/exif-0.6.22/exif/actions.c:692:5: [2] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused). Risk is low because the source is a constant string.
strcpy(out, ">");
data/exif-0.6.22/exif/actions.c:709:2: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char v[TAG_VALUE_BUF], t[TAG_VALUE_BUF];
data/exif-0.6.22/exif/exif-i18n.c:28:9: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static char buf[2048];
data/exif-0.6.22/exif/main.c:246:2: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char fout[1024] = {0, };
data/exif-0.6.22/exif/utils.c:41:11: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
return (atoi (string));
data/exif-0.6.22/libjpeg/jpeg-data.c:102:6: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
f = fopen (path, "wb");
data/exif-0.6.22/libjpeg/jpeg-data.c:153:4: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy (*d + *ds, ed, eds);
data/exif-0.6.22/libjpeg/jpeg-data.c:163:4: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy (*d + *ds, s.content.generic.data,
data/exif-0.6.22/libjpeg/jpeg-data.c:170:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy (*d + *ds, data->data, data->size);
data/exif-0.6.22/libjpeg/jpeg-data.c:252:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy (s->content.generic.data, &d[o], len);
data/exif-0.6.22/libjpeg/jpeg-data.c:276:6: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy (data->data, d + o + len,
data/exif-0.6.22/libjpeg/jpeg-data.c:308:6: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
f = fopen (path, "rb");
data/exif-0.6.22/exif/actions.c:54:19: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
e->components = strlen (set_value) + 1;
data/exif-0.6.22/exif/actions.c:69:5: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
strlen (set_value));
data/exif-0.6.22/exif/actions.c:529:4: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy (b1, s && *s ? s : _("Unknown Tag"), TAG_VALUE_BUF);
data/exif-0.6.22/exif/actions.c:541:3: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy (b2, s ? s : _("Unknown value"), TAG_VALUE_BUF);
data/exif-0.6.22/exif/actions.c:683:12: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
len += strlen(out) - 1;
data/exif-0.6.22/exif/actions.c:688:12: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
len += strlen(out) - 1;
data/exif-0.6.22/exif/actions.c:693:12: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
len += strlen(out) - 1;
data/exif-0.6.22/exif/actions.c:716:3: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy (t, exif_tag_get_title_in_ifd(e->tag, exif_entry_get_ifd(e)), sizeof (t));
data/exif-0.6.22/exif/exif-i18n.c:27:19: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
size_t t = (in ? strlen (in) : 0);
data/exif-0.6.22/exif/main.c:387:5: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy (fout, output, sizeof (fout) - 1);
data/exif-0.6.22/exif/main.c:389:5: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy (fout, *args, sizeof (fout) - 1);
data/exif-0.6.22/exif/main.c:390:5: [1] (buffer) strncat:
Easily used incorrectly (e.g., incorrectly computing the correct maximum
size to add) [MS-banned] (CWE-120). Consider strcat_s, strlcat, snprintf,
or automatically resizing strings. Risk is low because the source is a
constant string.
strncat (fout, ".modified.jpeg",
data/exif-0.6.22/exif/main.c:391:22: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
sizeof (fout) - strlen(fout) - 1);
data/exif-0.6.22/exif/utils.c:40:39: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (strspn (string, "0123456789") == strlen (string))
data/exif-0.6.22/exif/utils.c:126:39: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
size_t blen = 0, count = 0, maxlen = strlen(mbs);
data/exif-0.6.22/exif/utils.c:146:16: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
size_t clen = strlen(mbs);
ANALYSIS SUMMARY:
Hits = 53
Lines analyzed = 2420 in approximately 0.10 seconds (23813 lines/second)
Physical Source Lines of Code (SLOC) = 1767
Hits@level = [0] 65 [1] 16 [2] 29 [3] 0 [4] 8 [5] 0
Hits@level+ = [0+] 118 [1+] 53 [2+] 37 [3+] 8 [4+] 8 [5+] 0
Hits/KSLOC@level+ = [0+] 66.7799 [1+] 29.9943 [2+] 20.9394 [3+] 4.52745 [4+] 4.52745 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.