Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/ipe-tools-7.2.20/figtoipe/figtoipe.cpp
Examining data/ipe-tools-7.2.20/ipe5toxml/ipe5toxml.c
Examining data/ipe-tools-7.2.20/ipepython/ipepython.cpp
Examining data/ipe-tools-7.2.20/pdftoipe/parseargs.cc
Examining data/ipe-tools-7.2.20/pdftoipe/parseargs.h
Examining data/ipe-tools-7.2.20/pdftoipe/pdftoipe.cpp
Examining data/ipe-tools-7.2.20/pdftoipe/xmloutputdev.cpp
Examining data/ipe-tools-7.2.20/pdftoipe/xmloutputdev.h

FINAL RESULTS:

data/ipe-tools-7.2.20/figtoipe/figtoipe.cpp:986:26:  [4] (shell) popen:
  This causes a new program to execute and is difficult to use safely (CWE-78). try using a library call that implements the same functionality if available.
  FILE* anytopnm = popen( cmd.c_str(), "r" );

data/ipe-tools-7.2.20/ipe5toxml/ipe5toxml.c:361:2:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(ns, rd.str);

data/ipe-tools-7.2.20/ipe5toxml/ipe5toxml.c:363:2:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
  strcat(ns, linebuf);

data/ipe-tools-7.2.20/pdftoipe/xmloutputdev.cpp:631:3:  [4] (format) vsprintf:
  Potential format string problem (CWE-134). Make format string constant.
  vsprintf(buf, fmt, args);

data/ipe-tools-7.2.20/figtoipe/figtoipe.cpp:244:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char line[BUFSIZE];

data/ipe-tools-7.2.20/figtoipe/figtoipe.cpp:330:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf[1024];

data/ipe-tools-7.2.20/figtoipe/figtoipe.cpp:441:7:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char image_filename[1024];

data/ipe-tools-7.2.20/figtoipe/figtoipe.cpp:1062:13:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char zbuf[zbuf_size];

data/ipe-tools-7.2.20/figtoipe/figtoipe.cpp:1327:15:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  FILE *fig = fopen(figname, "r");

data/ipe-tools-7.2.20/figtoipe/figtoipe.cpp:1349:15:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  FILE *xml = fopen(xmlname, "w");

data/ipe-tools-7.2.20/ipe5toxml/ipe5toxml.c:181:8:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char linebuf[MAX_LINE_LENGTH];

data/ipe-tools-7.2.20/ipe5toxml/ipe5toxml.c:372:7:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char *p, *strbits, buf[3];

data/ipe-tools-7.2.20/ipe5toxml/ipe5toxml.c:1066:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char preamble[MAX_LINE_LENGTH];

data/ipe-tools-7.2.20/ipe5toxml/ipe5toxml.c:1067:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char pspreamble[MAX_LINE_LENGTH];

data/ipe-tools-7.2.20/ipe5toxml/ipe5toxml.c:1075:14:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if (!(fh = fopen(ipename, "rb"))) {

data/ipe-tools-7.2.20/ipe5toxml/ipe5toxml.c:1153:14:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if (!(fh = fopen(xmlname, "wb"))) {

data/ipe-tools-7.2.20/ipepython/ipepython.cpp:664:5:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string.
  strcpy(buf, "return ");

data/ipe-tools-7.2.20/pdftoipe/parseargs.cc:129:26:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  *(int *)arg->val = atoi(argv[i+1]);

data/ipe-tools-7.2.20/pdftoipe/pdftoipe.cpp:31:8:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char ownerPassword[33] = "";

data/ipe-tools-7.2.20/pdftoipe/pdftoipe.cpp:32:8:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char userPassword[33] = "";

data/ipe-tools-7.2.20/pdftoipe/xmloutputdev.cpp:34:13:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if (!(f = fopen(fileName.c_str(), "wb"))) {

data/ipe-tools-7.2.20/pdftoipe/xmloutputdev.cpp:628:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf[512];

data/ipe-tools-7.2.20/figtoipe/figtoipe.cpp:329:28:  [1] (buffer) fgetc:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  if (objType == -1 && fgetc(iFig)=='#' ) {

data/ipe-tools-7.2.20/figtoipe/figtoipe.cpp:443:11:  [1] (buffer) fscanf:
  It's unclear if the %s limit in the format string is small enough (CWE-120). Check that the limit is sufficiently small, or use a different input function.
  if( fscanf(iFig, "%d %1020s", &orientation, image_filename) != 2 ) {

data/ipe-tools-7.2.20/figtoipe/figtoipe.cpp:515:3:  [1] (buffer) fgetc:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  fgetc(iFig);

data/ipe-tools-7.2.20/figtoipe/figtoipe.cpp:518:14:  [1] (buffer) fgetc:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  int ch = fgetc(iFig);

data/ipe-tools-7.2.20/figtoipe/figtoipe.cpp:807:13:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  jpeg_in.read( reinterpret_cast<char*>(&c), 1 );

data/ipe-tools-7.2.20/figtoipe/figtoipe.cpp:970:17:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  jpeg_in.read( const_cast<char*>(image_data.data()), jpeg_size );

data/ipe-tools-7.2.20/figtoipe/figtoipe.cpp:1023:23:  [1] (buffer) fgetc:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  (void)fgetc( anytopnm );

data/ipe-tools-7.2.20/figtoipe/figtoipe.cpp:1028:45:  [1] (buffer) fgetc:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  int component = fgetc( anytopnm );

data/ipe-tools-7.2.20/figtoipe/figtoipe.cpp:1032:50:  [1] (buffer) fgetc:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  int component2 = fgetc( anytopnm );

data/ipe-tools-7.2.20/ipe5toxml/ipe5toxml.c:214:16:  [1] (buffer) fgetc:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  while ((ch = fgetc(fh)) != EOF &&

data/ipe-tools-7.2.20/ipe5toxml/ipe5toxml.c:229:16:  [1] (buffer) fgetc:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  while ((*p = fgetc(fh)), *p != EOF && (p < (linebuf + sizeof(linebuf) -1)) && !isspace(*p))

data/ipe-tools-7.2.20/ipe5toxml/ipe5toxml.c:341:9:  [1] (buffer) fgetc:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  ch = fgetc(fh);

data/ipe-tools-7.2.20/ipe5toxml/ipe5toxml.c:348:17:  [1] (buffer) fgetc:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  while ((ch = fgetc(fh)) != EOF && ch != '\n')

data/ipe-tools-7.2.20/ipe5toxml/ipe5toxml.c:355:15:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  linebuf[strlen(linebuf) - 1] = '\0';

data/ipe-tools-7.2.20/ipe5toxml/ipe5toxml.c:360:29:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  char *ns = NEWARRAY(char, (strlen(rd.str) + strlen(linebuf) + 2));

data/ipe-tools-7.2.20/ipe5toxml/ipe5toxml.c:360:46:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  char *ns = NEWARRAY(char, (strlen(rd.str) + strlen(linebuf) + 2));

data/ipe-tools-7.2.20/ipe5toxml/ipe5toxml.c:362:2:  [1] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant character.
  strcat(ns, "\n");

data/ipe-tools-7.2.20/ipe5toxml/ipe5toxml.c:380:14:  [1] (buffer) fgetc:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  if ((ch = fgetc(fh)) == EOF) {

data/ipe-tools-7.2.20/ipe5toxml/ipe5toxml.c:421:16:  [1] (buffer) fgetc:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  if ((ch = fgetc(fh)) == EOF) {

data/ipe-tools-7.2.20/ipe5toxml/ipe5toxml.c:1091:18:  [1] (buffer) fgetc:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  while ((ch = fgetc(fh)) != '\n' && ch != EOF)

data/ipe-tools-7.2.20/ipe5toxml/ipe5toxml.c:1094:12:  [1] (buffer) fgetc:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  ch = fgetc(fh);

data/ipe-tools-7.2.20/ipe5toxml/ipe5toxml.c:1114:18:  [1] (buffer) fgetc:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  while ((ch = fgetc(fh)) != '\n' && ch != EOF)

data/ipe-tools-7.2.20/ipe5toxml/ipe5toxml.c:1117:12:  [1] (buffer) fgetc:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  ch = fgetc(fh);

data/ipe-tools-7.2.20/ipepython/ipepython.cpp:663:27:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  buf = (char *) malloc(strlen("return ")+len+1);

data/ipe-tools-7.2.20/ipepython/ipepython.cpp:665:5:  [1] (buffer) strncat:
  Easily used incorrectly (e.g., incorrectly computing the correct maximum size to add) [MS-banned] (CWE-120). Consider strcat_s, strlcat, snprintf, or automatically resizing strings.
  strncat(buf, s, len);

data/ipe-tools-7.2.20/ipepython/ipepython.cpp:667:11:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  len = strlen("return ")+len;

data/ipe-tools-7.2.20/pdftoipe/parseargs.cc:67:15:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if ((w1 = strlen(arg->arg)) > w)

data/ipe-tools-7.2.20/pdftoipe/parseargs.cc:78:18:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  w1 = 9 + w - strlen(arg->arg);

data/ipe-tools-7.2.20/pdftoipe/parseargs.cc:147:7:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy((char *)arg->val, argv[i+1], arg->size - 1);

data/ipe-tools-7.2.20/pdftoipe/xmloutputdev.cpp:622:16:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  fwrite(s, 1, strlen(s), outputStream);

data/ipe-tools-7.2.20/pdftoipe/xmloutputdev.cpp:633:18:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  fwrite(buf, 1, strlen(buf), outputStream);

ANALYSIS SUMMARY:

Hits = 53
Lines analyzed = 4645 in approximately 0.18 seconds (25508 lines/second)
Physical Source Lines of Code (SLOC) = 3730
Hits@level = [0] 270 [1]  31 [2]  18 [3]   0 [4]   4 [5]   0
Hits@level+ = [0+] 323 [1+]  53 [2+]  22 [3+]   4 [4+]   4 [5+]   0
Hits/KSLOC@level+ = [0+] 86.5952 [1+] 14.2091 [2+] 5.89812 [3+] 1.07239 [4+] 1.07239 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.