Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/ices2-2.0.3/src/im_alsa.c
Examining data/ices2-2.0.3/src/event.h
Examining data/ices2-2.0.3/src/im_sun.h
Examining data/ices2-2.0.3/src/resample.h
Examining data/ices2-2.0.3/src/im_stdinpcm.h
Examining data/ices2-2.0.3/src/inputmodule.h
Examining data/ices2-2.0.3/src/audio.h
Examining data/ices2-2.0.3/src/input.h
Examining data/ices2-2.0.3/src/stream_shared.c
Examining data/ices2-2.0.3/src/im_oss.c
Examining data/ices2-2.0.3/src/encode.h
Examining data/ices2-2.0.3/src/cfgparse.c
Examining data/ices2-2.0.3/src/metadata.c
Examining data/ices2-2.0.3/src/metadata.h
Examining data/ices2-2.0.3/src/im_roar.c
Examining data/ices2-2.0.3/src/resample.c
Examining data/ices2-2.0.3/src/audio.c
Examining data/ices2-2.0.3/src/im_stdinpcm.c
Examining data/ices2-2.0.3/src/ices.c
Examining data/ices2-2.0.3/src/im_alsa.h
Examining data/ices2-2.0.3/src/im_playlist.h
Examining data/ices2-2.0.3/src/common/avl/avl.c
Examining data/ices2-2.0.3/src/common/avl/avl.h
Examining data/ices2-2.0.3/src/common/avl/test.c
Examining data/ices2-2.0.3/src/common/timing/timing.h
Examining data/ices2-2.0.3/src/common/timing/timing.c
Examining data/ices2-2.0.3/src/common/thread/thread.h
Examining data/ices2-2.0.3/src/common/thread/thread.c
Examining data/ices2-2.0.3/src/common/log/log.c
Examining data/ices2-2.0.3/src/common/log/log.h
Examining data/ices2-2.0.3/src/common/log/test.c
Examining data/ices2-2.0.3/src/signals.h
Examining data/ices2-2.0.3/src/input.c
Examining data/ices2-2.0.3/src/stream.h
Examining data/ices2-2.0.3/src/playlist_script.c
Examining data/ices2-2.0.3/src/im_oss.h
Examining data/ices2-2.0.3/src/stream_shared.h
Examining data/ices2-2.0.3/src/im_roar.h
Examining data/ices2-2.0.3/src/playlist_basic.h
Examining data/ices2-2.0.3/src/encode.c
Examining data/ices2-2.0.3/src/playlist_basic.c
Examining data/ices2-2.0.3/src/stream.c
Examining data/ices2-2.0.3/src/signals.c
Examining data/ices2-2.0.3/src/logging.h
Examining data/ices2-2.0.3/src/reencode.c
Examining data/ices2-2.0.3/src/im_sun.c
Examining data/ices2-2.0.3/src/cfgparse.h
Examining data/ices2-2.0.3/src/reencode.h
Examining data/ices2-2.0.3/src/im_playlist.c
FINAL RESULTS:
data/ices2-2.0.3/src/common/avl/test.c:5:9: [4] (format) snprintf:
If format strings can be influenced by an attacker, they can be exploited,
and note that sprintf variations do not always \0-terminate (CWE-134). Use
a constant for the format specification.
#define snprintf _snprintf
data/ices2-2.0.3/src/common/avl/test.c:5:18: [4] (format) _snprintf:
If format strings can be influenced by an attacker, they can be exploited,
and note that sprintf variations do not always \0-terminate (CWE-134). Use
a constant for the format specification.
#define snprintf _snprintf
data/ices2-2.0.3/src/common/log/log.c:61:9: [4] (format) snprintf:
If format strings can be influenced by an attacker, they can be exploited,
and note that sprintf variations do not always \0-terminate (CWE-134). Use
a constant for the format specification.
#define snprintf _snprintf
data/ices2-2.0.3/src/common/log/log.c:61:18: [4] (format) _snprintf:
If format strings can be influenced by an attacker, they can be exploited,
and note that sprintf variations do not always \0-terminate (CWE-134). Use
a constant for the format specification.
#define snprintf _snprintf
data/ices2-2.0.3/src/common/log/log.c:62:9: [4] (format) vsnprintf:
If format strings can be influenced by an attacker, they can be exploited,
and note that sprintf variations do not always \0-terminate (CWE-134). Use
a constant for the format specification.
#define vsnprintf _vsnprintf
data/ices2-2.0.3/src/ices.c:49:9: [4] (format) fprintf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
fprintf(stderr, PACKAGE_STRING "\n"
data/ices2-2.0.3/src/playlist_script.c:50:12: [4] (shell) popen:
This causes a new program to execute and is difficult to use safely
(CWE-78). try using a library call that implements the same functionality
if available.
pipe = popen(prog, "r");
data/ices2-2.0.3/src/playlist_script.c:100:12: [4] (shell) popen:
This causes a new program to execute and is difficult to use safely
(CWE-78). try using a library call that implements the same functionality
if available.
pipe = popen(pl->on_ended, "w");
data/ices2-2.0.3/src/cfgparse.c:462:5: [3] (random) srandom:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
srandom(time(NULL));
data/ices2-2.0.3/src/common/log/log.c:183:5: [3] (misc) InitializeCriticalSection:
Exceptions can be thrown in low-memory situations. Use
InitializeCriticalSectionAndSpinCount instead.
InitializeCriticalSection(&_logger_mutex);
data/ices2-2.0.3/src/common/log/log.c:668:5: [3] (misc) EnterCriticalSection:
On some versions of Windows, exceptions can be thrown in low-memory
situations. Use InitializeCriticalSectionAndSpinCount instead.
EnterCriticalSection(&_logger_mutex);
data/ices2-2.0.3/src/encode.c:42:18: [3] (random) random:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
serial = random();
data/ices2-2.0.3/src/playlist_basic.c:48:17: [3] (random) random:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
d = random();
data/ices2-2.0.3/src/playlist_basic.c:147:14: [3] (random) random:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
if(data->random)
data/ices2-2.0.3/src/playlist_basic.c:212:17: [3] (random) random:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
if (pl->random)
data/ices2-2.0.3/src/playlist_basic.h:32:9: [3] (random) random:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
int random;
data/ices2-2.0.3/src/cfgparse.c:82:15: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
(x) = atoi(tmp);\
data/ices2-2.0.3/src/common/avl/avl.c:1072:8: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static char balance_chars[3] = {'\\', '-', '/'};
data/ices2-2.0.3/src/common/avl/avl.c:1119:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buffer[AVL_KEY_PRINTER_BUFLEN];
data/ices2-2.0.3/src/common/avl/test.c:21:21: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
max_nodes = atoi(argv[1]);
data/ices2-2.0.3/src/common/log/log.c:122:17: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char new_name [4096];
data/ices2-2.0.3/src/common/log/log.c:128:21: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char timestamp [128];
data/ices2-2.0.3/src/common/log/log.c:143:38: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
loglist [id] . logfile = fopen (loglist [id] . filename, "a");
data/ices2-2.0.3/src/common/log/log.c:214:12: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
file = fopen(filename, "a");
data/ices2-2.0.3/src/common/log/log.c:449:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[80];
data/ices2-2.0.3/src/common/log/log.c:494:33: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
block_len = atoi(format);
data/ices2-2.0.3/src/common/log/log.c:577:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char pre[256];
data/ices2-2.0.3/src/common/log/log.c:578:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char line[LOG_MAXLINELEN];
data/ices2-2.0.3/src/common/log/log.c:608:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char line[LOG_MAXLINELEN];
data/ices2-2.0.3/src/common/thread/thread.c:579:9: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char name[40];
data/ices2-2.0.3/src/encode.c:163:9: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(buf[i], pcm[i], samples*sizeof(float));
data/ices2-2.0.3/src/ices.c:44:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char logpath[FILENAME_MAX];
data/ices2-2.0.3/src/ices.c:129:19: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
FILE *f = fopen (ices_config->pidfile, "w");
data/ices2-2.0.3/src/im_alsa.c:191:23: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
s->rate = atoi(current->value);
data/ices2-2.0.3/src/im_alsa.c:193:27: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
s->channels = atoi(current->value);
data/ices2-2.0.3/src/im_alsa.c:197:28: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
use_metadata = atoi(current->value);
data/ices2-2.0.3/src/im_alsa.c:201:30: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
s->buffer_time = atoi (current->value) * 1000;
data/ices2-2.0.3/src/im_alsa.c:203:26: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
s->periods = atoi (current->value);
data/ices2-2.0.3/src/im_oss.c:189:23: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
s->rate = atoi(current->value);
data/ices2-2.0.3/src/im_oss.c:191:27: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
s->channels = atoi(current->value);
data/ices2-2.0.3/src/im_oss.c:195:28: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
use_metadata = atoi(current->value);
data/ices2-2.0.3/src/im_oss.c:205:17: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if((s->fd = open(device, O_RDONLY, 0)) == -1)
data/ices2-2.0.3/src/im_playlist.c:145:32: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
pl->current_file = fopen(pl->filename, "rb");
data/ices2-2.0.3/src/im_playlist.c:192:13: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(rb->buf, og.header, og.header_len);
data/ices2-2.0.3/src/im_playlist.c:193:13: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(rb->buf+og.header_len, og.body, og.body_len);
data/ices2-2.0.3/src/im_roar.c:272:32: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
use_metadata = atoi(current->value);
data/ices2-2.0.3/src/im_stdinpcm.c:169:23: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
s->rate = atoi(current->value);
data/ices2-2.0.3/src/im_stdinpcm.c:171:27: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
s->channels = atoi(current->value);
data/ices2-2.0.3/src/im_stdinpcm.c:173:28: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
use_metadata = atoi(current->value);
data/ices2-2.0.3/src/im_sun.c:187:63: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
sample_rate = s->device_info.record.sample_rate = atoi(current->value);
data/ices2-2.0.3/src/im_sun.c:189:57: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
channels = s->device_info.record.channels = atoi(current->value);
data/ices2-2.0.3/src/im_sun.c:193:28: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
use_metadata = atoi(current->value);
data/ices2-2.0.3/src/im_sun.c:202:17: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if((s->fd = open(device, O_RDONLY, 0)) < 0) {
data/ices2-2.0.3/src/input.c:81:23: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
input_module_t *(*open)(module_param_t *params);
data/ices2-2.0.3/src/input.c:134:48: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static uint32_t __read_int32_le(const unsigned char in[4])
data/ices2-2.0.3/src/input.c:147:48: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static uint32_t __read_int20_be(const unsigned char in[3])
data/ices2-2.0.3/src/input.c:387:67: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
while(ices_config->playlist_module && modules[current_module].open)
data/ices2-2.0.3/src/input.c:392:45: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
inmod = modules[current_module].open(ices_config->module_params);
data/ices2-2.0.3/src/metadata.c:43:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[1024];
data/ices2-2.0.3/src/metadata.c:100:17: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(md[comments], buf, strlen(buf)+1);
data/ices2-2.0.3/src/metadata.c:119:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[1024];
data/ices2-2.0.3/src/metadata.c:141:16: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
file = fopen(ices_config->metadata_filename, "r");
data/ices2-2.0.3/src/metadata.c:160:17: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(md[comments], buf, strlen(buf)+1);
data/ices2-2.0.3/src/playlist_basic.c:73:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[1024];
data/ices2-2.0.3/src/playlist_basic.c:78:12: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
file = fopen(data->file, "rb");
data/ices2-2.0.3/src/playlist_basic.c:253:28: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
data->random = atoi(params->value);
data/ices2-2.0.3/src/playlist_basic.c:255:26: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
data->once = atoi(params->value);
data/ices2-2.0.3/src/playlist_basic.c:257:32: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
pl->allow_repeat = atoi(params->value);
data/ices2-2.0.3/src/playlist_basic.c:259:40: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
data->restartafterreread = atoi(params->value);
data/ices2-2.0.3/src/playlist_script.c:136:32: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
pl->allow_repeat = atoi(params->value);
data/ices2-2.0.3/src/reencode.c:103:17: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(retbuf+old, encog.header, encog.header_len);
data/ices2-2.0.3/src/reencode.c:104:17: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(retbuf+old+encog.header_len, encog.body,
data/ices2-2.0.3/src/reencode.c:228:21: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(retbuf+old, encog.header, encog.header_len);
data/ices2-2.0.3/src/reencode.c:229:21: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(retbuf+old+encog.header_len, encog.body,
data/ices2-2.0.3/src/stream.c:62:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char audio_info[11];
data/ices2-2.0.3/src/stream.c:267:28: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
stream->savefile = fopen(stream->savefilename, "wb");
data/ices2-2.0.3/src/common/log/log.c:390:18: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
entry->len = strlen (pre) + strlen (line) + 2;
data/ices2-2.0.3/src/common/log/log.c:390:33: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
entry->len = strlen (pre) + strlen (line) + 2;
data/ices2-2.0.3/src/common/log/log.c:540:37: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
block_len = strlen(arg);
data/ices2-2.0.3/src/im_oss.c:131:14: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
result = read(s->fd, rb->buf, BUFSIZE*2*s->channels);
data/ices2-2.0.3/src/im_sun.c:128:14: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
result = read(s->fd, rb->buf, BUFSIZE*2*s->device_info.record.channels);
data/ices2-2.0.3/src/metadata.c:95:24: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if(buf[strlen(buf)-1] == '\n')
data/ices2-2.0.3/src/metadata.c:96:25: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
buf[strlen(buf)-1] = 0;
data/ices2-2.0.3/src/metadata.c:98:39: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
md[comments] = malloc(strlen(buf)+1);
data/ices2-2.0.3/src/metadata.c:100:43: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
memcpy(md[comments], buf, strlen(buf)+1);
data/ices2-2.0.3/src/metadata.c:155:24: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if(buf[strlen(buf)-1] == '\n')
data/ices2-2.0.3/src/metadata.c:156:25: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
buf[strlen(buf)-1] = 0;
data/ices2-2.0.3/src/metadata.c:158:39: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
md[comments] = malloc(strlen(buf)+1);
data/ices2-2.0.3/src/metadata.c:160:43: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
memcpy(md[comments], buf, strlen(buf)+1);
data/ices2-2.0.3/src/playlist_basic.c:108:13: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
ret[strlen(ret)-1] = 0;
data/ices2-2.0.3/src/playlist_basic.c:111:12: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if(strlen(ret) > 0 && ret[strlen(ret)-1] == '\r')
data/ices2-2.0.3/src/playlist_basic.c:111:35: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if(strlen(ret) > 0 && ret[strlen(ret)-1] == '\r')
data/ices2-2.0.3/src/playlist_basic.c:112:17: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
ret[strlen(ret)-1] = 0;
data/ices2-2.0.3/src/playlist_script.c:72:12: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if(buf[strlen(buf)-1] == '\n')
data/ices2-2.0.3/src/playlist_script.c:73:13: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
buf[strlen(buf)-1] = 0;
data/ices2-2.0.3/src/playlist_script.c:78:8: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if(strlen(buf) > 0 && buf[strlen(buf)-1] == '\r')
data/ices2-2.0.3/src/playlist_script.c:78:31: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if(strlen(buf) > 0 && buf[strlen(buf)-1] == '\r')
data/ices2-2.0.3/src/playlist_script.c:79:13: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
buf[strlen(buf)-1] = 0;
ANALYSIS SUMMARY:
Hits = 98
Lines analyzed = 10021 in approximately 0.37 seconds (27123 lines/second)
Physical Source Lines of Code (SLOC) = 7361
Hits@level = [0] 43 [1] 22 [2] 60 [3] 8 [4] 8 [5] 0
Hits@level+ = [0+] 141 [1+] 98 [2+] 76 [3+] 16 [4+] 8 [5+] 0
Hits/KSLOC@level+ = [0+] 19.155 [1+] 13.3134 [2+] 10.3247 [3+] 2.17362 [4+] 1.08681 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.