Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/itk4-4.1.0/generic/itkStubInit.c
Examining data/itk4-4.1.0/generic/itkArchetype.c
Examining data/itk4-4.1.0/generic/itkArchBase.c
Examining data/itk4-4.1.0/generic/itkOption.c
Examining data/itk4-4.1.0/generic/itkUtil.c
Examining data/itk4-4.1.0/generic/itkDecls.h
Examining data/itk4-4.1.0/generic/itkStubLib.c
Examining data/itk4-4.1.0/generic/itkHelpers.c
Examining data/itk4-4.1.0/generic/itkCmd.c
Examining data/itk4-4.1.0/generic/itkInt.h
Examining data/itk4-4.1.0/generic/itkIntDecls.h
Examining data/itk4-4.1.0/generic/itk.h
Examining data/itk4-4.1.0/generic/itkBase.c
Examining data/itk4-4.1.0/win/nmakehlp.c
Examining data/itk4-4.1.0/win/dllEntryPoint.c

FINAL RESULTS:

data/itk4-4.1.0/generic/itkArchBase.c:315:5:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(path, resultStr);

data/itk4-4.1.0/generic/itkArchBase.c:1771:9:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(lastval, v);

data/itk4-4.1.0/generic/itkArchBase.c:1916:17:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(archOpt->init, init);

data/itk4-4.1.0/generic/itkArchBase.c:1940:5:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(archComp->pathName, wname);

data/itk4-4.1.0/generic/itkArchBase.c:2010:9:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(name+1, switchName);

data/itk4-4.1.0/generic/itkArchBase.c:2026:13:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(archOpt->resName, resName);

data/itk4-4.1.0/generic/itkArchBase.c:2039:13:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(archOpt->resClass, resClass);

data/itk4-4.1.0/generic/itkArchBase.c:2067:5:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(archOpt->switchName, name);

data/itk4-4.1.0/generic/itkArchBase.c:2071:9:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(archOpt->resName, resName);

data/itk4-4.1.0/generic/itkArchBase.c:2078:9:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(archOpt->resClass, resClass);

data/itk4-4.1.0/generic/itkArchBase.c:2172:9:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(archOpt->init, ival);

data/itk4-4.1.0/generic/itkArchBase.c:2375:9:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(name+1, switchName);

data/itk4-4.1.0/generic/itkArchBase.c:2447:9:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(name+1, switchName);

data/itk4-4.1.0/generic/itkArchBase.c:2818:9:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(name+1, switchName);

data/itk4-4.1.0/generic/itkOption.c:506:5:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(opt->resName, resName);

data/itk4-4.1.0/generic/itkOption.c:509:5:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(opt->resClass, resClass);

data/itk4-4.1.0/generic/itkOption.c:512:5:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(opt->init, defVal);

data/itk4-4.1.0/win/nmakehlp.c:38:11:  [4] (format) snprintf:
  If format strings can be influenced by an attacker, they can be exploited, and note that sprintf variations do not always \0-terminate (CWE-134). Use a constant for the format specification.
  #define snprintf _snprintf

data/itk4-4.1.0/win/nmakehlp.c:38:20:  [4] (format) _snprintf:
  If format strings can be influenced by an attacker, they can be exploited, and note that sprintf variations do not always \0-terminate (CWE-134). Use a constant for the format specification.
  #define snprintf _snprintf

data/itk4-4.1.0/win/nmakehlp.c:237:5:  [4] (buffer) lstrcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120).
  lstrcat(cmdline, option);

data/itk4-4.1.0/win/nmakehlp.c:371:5:  [4] (buffer) lstrcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120).
  lstrcat(cmdline, option);

data/itk4-4.1.0/win/nmakehlp.c:656:6:  [4] (format) printf:
  If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification.
  printf(szBuffer);

data/itk4-4.1.0/win/nmakehlp.c:245:10:  [3] (shell) CreateProcess:
  This causes a new process to execute and is difficult to use safely (CWE-78). Specify the application path in the first argument, NOT as part of the second, or embedded spaces could allow an attacker to force a different program to run.
  ok = CreateProcess(

data/itk4-4.1.0/win/nmakehlp.c:245:10:  [3] (shell) CreateProcess:
  This causes a new process to execute and is difficult to use safely (CWE-78). Specify the application path in the first argument, NOT as part of the second, or embedded spaces could allow an attacker to force a different program to run.
  ok = CreateProcess(

data/itk4-4.1.0/win/nmakehlp.c:373:10:  [3] (shell) CreateProcess:
  This causes a new process to execute and is difficult to use safely (CWE-78). Specify the application path in the first argument, NOT as part of the second, or embedded spaces could allow an attacker to force a different program to run.
  ok = CreateProcess(

data/itk4-4.1.0/win/nmakehlp.c:373:10:  [3] (shell) CreateProcess:
  This causes a new process to execute and is difficult to use safely (CWE-78). Specify the application path in the first argument, NOT as part of the second, or embedded spaces could allow an attacker to force a different program to run.
  ok = CreateProcess(

data/itk4-4.1.0/generic/itkArchBase.c:1330:17:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char msg[256];

data/itk4-4.1.0/generic/itkArchBase.c:1331:17:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(msg, "\n    (while adding option \"%.100s\")", token);

data/itk4-4.1.0/generic/itkArchBase.c:1498:17:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char msg[256];

data/itk4-4.1.0/generic/itkArchBase.c:1499:17:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(msg, "\n    (while removing option \"%.100s\")",

data/itk4-4.1.0/generic/itkArchBase.c:1618:9:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char msg[256];

data/itk4-4.1.0/generic/itkArchBase.c:1619:9:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(msg, "\n    (error in configuration of public variable \"%.100s\")", Tcl_GetString(ivPtr->fullNamePtr));

data/itk4-4.1.0/generic/itkArchBase.c:1645:13:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char msg[256];

data/itk4-4.1.0/generic/itkArchBase.c:1646:13:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(msg, "\n    (error in configuration of public variable \"%.100s\")", Tcl_GetString(ivPtr->fullNamePtr));

data/itk4-4.1.0/generic/itkArchBase.c:2717:37:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  info->switchName = (char *)optv[0];

data/itk4-4.1.0/generic/itkArchBase.c:2718:37:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  info->resName = (char *)optv[1];

data/itk4-4.1.0/generic/itkArchBase.c:2719:37:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  info->resClass = (char *)optv[2];

data/itk4-4.1.0/generic/itkArchBase.c:2720:37:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  info->init = (char *)optv[3];

data/itk4-4.1.0/generic/itkArchBase.c:2721:37:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  info->value = (char *)optv[4];

data/itk4-4.1.0/generic/itkArchBase.c:2856:35:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  genericOpt->switchName = (char *)optv[0];

data/itk4-4.1.0/generic/itkArchBase.c:2857:35:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  genericOpt->resName = (char *)optv[1];

data/itk4-4.1.0/generic/itkArchBase.c:2858:35:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  genericOpt->resClass = (char *)optv[2];

data/itk4-4.1.0/generic/itkArchBase.c:2859:35:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  genericOpt->init = (char *)optv[3];

data/itk4-4.1.0/generic/itkArchBase.c:2860:35:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  genericOpt->value = (char *)optv[4];

data/itk4-4.1.0/generic/itkUtil.c:98:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy((VOID*)newOrder, (VOID*)olist->list, (size_t)size);

data/itk4-4.1.0/win/nmakehlp.c:59:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buffer[STATICBUFFERSIZE];

data/itk4-4.1.0/win/nmakehlp.c:74:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char msg[300];

data/itk4-4.1.0/win/nmakehlp.c:188:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char msg[300];

data/itk4-4.1.0/win/nmakehlp.c:191:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char cmdline[100];

data/itk4-4.1.0/win/nmakehlp.c:231:5:  [2] (buffer) lstrcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using a function version that stops copying at the end of the buffer. Risk is low because the source is a constant string.
  lstrcpy(cmdline, "cl.exe -nologo -c -TC -Zs -X -Fp.\\_junk.pch ");

data/itk4-4.1.0/win/nmakehlp.c:243:5:  [2] (buffer) lstrcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Risk is low because the source is a constant string.
  lstrcat(cmdline, " .\\nul");

data/itk4-4.1.0/win/nmakehlp.c:322:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char msg[300];

data/itk4-4.1.0/win/nmakehlp.c:325:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char cmdline[100];

data/itk4-4.1.0/win/nmakehlp.c:365:5:  [2] (buffer) lstrcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using a function version that stops copying at the end of the buffer. Risk is low because the source is a constant string.
  lstrcpy(cmdline, "link.exe -nologo ");

data/itk4-4.1.0/win/nmakehlp.c:486:12:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char szBuffer[100];

data/itk4-4.1.0/win/nmakehlp.c:488:16:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  FILE *fp = fopen(filename, "rt");

data/itk4-4.1.0/win/nmakehlp.c:519:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(szBuffer, p, q - p);

data/itk4-4.1.0/win/nmakehlp.c:594:12:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char szBuffer[1024], szCopy[1024];

data/itk4-4.1.0/win/nmakehlp.c:599:10:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  fp = fopen(filename, "rt");

data/itk4-4.1.0/win/nmakehlp.c:606:7:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  sp = fopen(substitutions, "rt");

data/itk4-4.1.0/win/nmakehlp.c:653:7:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(szBuffer, szCopy, sizeof(szCopy));

data/itk4-4.1.0/win/nmakehlp.c:677:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char szCwd[MAX_PATH + 1];

data/itk4-4.1.0/win/nmakehlp.c:678:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char szTmp[MAX_PATH + 1];

data/itk4-4.1.0/generic/itkArchBase.c:314:38:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  path = (char*)ckalloc((unsigned)(strlen(resultStr)+1));

data/itk4-4.1.0/generic/itkArchBase.c:1770:45:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  lastval = (char*)ckalloc((unsigned)(strlen(v)+1));

data/itk4-4.1.0/generic/itkArchBase.c:1915:59:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  archOpt->init = (char*)ckalloc((unsigned)(strlen(init)+1));

data/itk4-4.1.0/generic/itkArchBase.c:1939:56:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  archComp->pathName = (char *) ckalloc((unsigned)(strlen(wname)+1));

data/itk4-4.1.0/generic/itkArchBase.c:2008:35:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  name = ckalloc((unsigned)(strlen(switchName)+2));

data/itk4-4.1.0/generic/itkArchBase.c:2025:58:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  archOpt->resName = (char*)ckalloc((unsigned)(strlen(resName)+1));

data/itk4-4.1.0/generic/itkArchBase.c:2038:59:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  archOpt->resClass = (char*)ckalloc((unsigned)(strlen(resClass)+1));

data/itk4-4.1.0/generic/itkArchBase.c:2066:53:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  archOpt->switchName = (char*)ckalloc((unsigned)(strlen(name)+1));

data/itk4-4.1.0/generic/itkArchBase.c:2070:54:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  archOpt->resName = (char*)ckalloc((unsigned)(strlen(resName)+1));

data/itk4-4.1.0/generic/itkArchBase.c:2077:55:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  archOpt->resClass = (char*)ckalloc((unsigned)(strlen(resClass)+1));

data/itk4-4.1.0/generic/itkArchBase.c:2171:51:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  archOpt->init = (char*)ckalloc((unsigned)(strlen(ival)+1));

data/itk4-4.1.0/generic/itkArchBase.c:2373:35:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  name = ckalloc((unsigned)(strlen(switchName)+2));

data/itk4-4.1.0/generic/itkArchBase.c:2445:35:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  name = ckalloc((unsigned)(strlen(switchName)+2));

data/itk4-4.1.0/generic/itkArchBase.c:2816:35:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  name = ckalloc((unsigned)(strlen(switchName)+2));

data/itk4-4.1.0/generic/itkArchetype.c:435:14:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  length = strlen(token);

data/itk4-4.1.0/generic/itkArchetype.c:751:14:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  length = strlen(token);

data/itk4-4.1.0/generic/itkArchetype.c:881:13:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen(Tcl_GetString(objv[1])) == 0) {

data/itk4-4.1.0/generic/itkArchetype.c:1061:6:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen(Tcl_GetString(objv[1])) == 0) {

data/itk4-4.1.0/generic/itkOption.c:505:46:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  opt->resName = (char*)ckalloc((unsigned)(strlen(resName)+1));

data/itk4-4.1.0/generic/itkOption.c:508:47:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  opt->resClass = (char*)ckalloc((unsigned)(strlen(resClass)+1));

data/itk4-4.1.0/generic/itkOption.c:511:43:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  opt->init = (char*)ckalloc((unsigned)(strlen(defVal)+1));

data/itk4-4.1.0/win/nmakehlp.c:504:8:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  p += strlen(match);

data/itk4-4.1.0/win/nmakehlp.c:650:13:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  op += strlen(p->key);

ANALYSIS SUMMARY:

Hits = 86
Lines analyzed = 7094 in approximately 0.30 seconds (23327 lines/second)
Physical Source Lines of Code (SLOC) = 3997
Hits@level = [0]  17 [1]  23 [2]  37 [3]   4 [4]  22 [5]   0
Hits@level+ = [0+] 103 [1+]  86 [2+]  63 [3+]  26 [4+]  22 [5+]   0
Hits/KSLOC@level+ = [0+] 25.7693 [1+] 21.5161 [2+] 15.7618 [3+] 6.50488 [4+] 5.50413 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.
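The report itself says that not every hit is a vulnerability, and the three hit classes that dominate it need different triage. The C program below is an added illustration written for this page, not code from itk4, nmakehlp or Flawfinder. It contrasts the itk idiom "ckalloc(strlen(s)+1); strcpy(p, s)" (a [4] strcpy plus a [1] strlen that together are sound), the nmakehlp pattern of lstrcat'ing an option into a fixed char cmdline[100] (a genuine overflow if the option is long), and printf(szBuffer) with a non-constant format. The function names dup_string, append_checked, build_cmdline, cmdline_fits and print_untrusted are hypothetical; malloc stands in for Tcl's ckalloc, and the option string is assumed to arrive from the command line.

```c
/* Added example for this page: triage of three Flawfinder hit classes from the
 * report above. Illustrative code, not itk4 or nmakehlp source; the function
 * names are hypothetical and malloc() stands in for Tcl's ckalloc(). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hit class 1 (itkArchBase.c, itkOption.c): "p = ckalloc(strlen(s)+1); strcpy(p, s);"
 * Flawfinder reports the strcpy at [4] and the strlen at [1], but the destination
 * is sized from the same string one line earlier, so the copy cannot overflow
 * while s is NUL-terminated. Triage: not a CWE-120; the only residual concern is
 * a non-terminated source (CWE-126). memcpy with the measured length expresses
 * the same invariant explicitly and no longer matches the strcpy rule. */
char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;            /* bytes including the terminator */
    char *p = malloc(n);
    if (p == NULL)
        return NULL;
    memcpy(p, s, n);
    return p;
}

/* Returns 1 if a round trip through dup_string preserves s, else 0. */
int dup_matches(const char *s)
{
    char *p = dup_string(s);
    int ok = (p != NULL && strcmp(p, s) == 0);
    free(p);
    return ok;
}

/* Hit class 2 (nmakehlp.c:191/231/237): a 100-byte stack buffer receives a
 * 44-character constant prefix via lstrcpy, then lstrcat(cmdline, option),
 * where option is assumed here to be a command-line argument. lstrcat has no
 * bound, so an option of more than a few dozen bytes overruns cmdline. The
 * replacement refuses, rather than silently truncating, when the text does not
 * fit, so the build never runs a mangled command. */
#define CMDLINE_SIZE 100

int append_checked(char *dst, size_t dst_size, const char *src)
{
    size_t used = strlen(dst);
    size_t add  = strlen(src);
    if (add >= dst_size - used)          /* no room for src plus the NUL */
        return -1;
    memcpy(dst + used, src, add + 1);
    return 0;
}

int build_cmdline(char *cmdline, size_t size, const char *option)
{
    static const char prefix[] = "cl.exe -nologo -c -TC -Zs -X -Fp.\\_junk.pch ";
    if (sizeof prefix > size)
        return -1;
    memcpy(cmdline, prefix, sizeof prefix);
    if (append_checked(cmdline, size, option) != 0)
        return -1;
    return append_checked(cmdline, size, " .\\nul");
}

/* Returns 1 if option fits in a CMDLINE_SIZE buffer, 0 if it would overflow. */
int cmdline_fits(const char *option)
{
    char cmdline[CMDLINE_SIZE];
    return build_cmdline(cmdline, sizeof cmdline, option) == 0;
}

/* Hit class 3 (nmakehlp.c:656): printf(szBuffer), where szBuffer was filled
 * from a file the tool reads. Any '%' in that file becomes a format directive
 * (CWE-134). Passing the text as data, never as the format, closes that. */
int print_untrusted(FILE *out, const char *text)
{
    return fputs(text, out) < 0 ? -1 : 0;   /* equivalently printf("%s", text) */
}

int main(void)
{
    printf("dup_string round trip: %d\n", dup_matches("-DUSE_TCL_STUBS"));
    printf("short option fits: %d\n", cmdline_fits("-MD"));
    printf("80-byte option fits: %d\n", cmdline_fits(
        "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA"
        "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA"));
    print_untrusted(stdout, "100% of hits reviewed\n");   /* '%' printed literally */
    return 0;
}
```

Triage rule of thumb from this: a [4] strcpy whose destination was allocated from strlen of the same source on the previous line can be closed as a false positive after confirming the source is NUL-terminated; a strcat-family call into a fixed-size array with caller-supplied input is the hit worth fixing first; and a printf with a non-literal first argument is a one-line fix regardless of how the buffer is filled.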