Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/jaaa-0.9.2/source/audio.cc
Examining data/jaaa-0.9.2/source/rngen.h
Examining data/jaaa-0.9.2/source/jaaa.cc
Examining data/jaaa-0.9.2/source/audio.h
Examining data/jaaa-0.9.2/source/mainwin.cc
Examining data/jaaa-0.9.2/source/rngen.cc
Examining data/jaaa-0.9.2/source/styles.h
Examining data/jaaa-0.9.2/source/mainwin.h
Examining data/jaaa-0.9.2/source/styles.cc
Examining data/jaaa-0.9.2/source/messages.h
FINAL RESULTS:
data/jaaa-0.9.2/source/mainwin.cc:908:9: [4] (format) sprintf:
Potential format string problem (CWE-134). Make format string constant.
sprintf (s, _fform, f / _funit);
data/jaaa-0.9.2/source/mainwin.cc:1064:5: [4] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf.
sprintf (s, " %5s (%+2.0lf)", _notes [n], 100.0f * f);
data/jaaa-0.9.2/source/mainwin.cc:1174:9: [4] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf.
sprintf (s, "%s-%s [%s]", PROGNAME, VERSION, Z->_jname);
data/jaaa-0.9.2/source/audio.cc:179:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char s [16];
data/jaaa-0.9.2/source/audio.cc:203:9: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(s, "out_%d", i + 1);
data/jaaa-0.9.2/source/audio.cc:208:9: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(s, "in_%d", i + 1);
data/jaaa-0.9.2/source/audio.cc:262:13: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy (_data + _dind, p, sizeof(jack_default_audio_sample_t) * n);
data/jaaa-0.9.2/source/audio.cc:269:13: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy (_data + _dind, p, sizeof(jack_default_audio_sample_t) * m);
data/jaaa-0.9.2/source/audio.cc:281:17: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
if (b & 1) memcpy (p, _outs, sizeof(jack_default_audio_sample_t) * nframes);
data/jaaa-0.9.2/source/jaaa.cc:32:13: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
#define CP (char *)
data/jaaa-0.9.2/source/mainwin.cc:822:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char s [16];
data/jaaa-0.9.2/source/mainwin.cc:834:25: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
if (_p_val < 1e3) sprintf (s, "%5.3f", _p_val);
data/jaaa-0.9.2/source/mainwin.cc:835:32: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
else if (_p_val < 1e6) sprintf (s, "%5.3fk", _p_val / 1e3);
data/jaaa-0.9.2/source/mainwin.cc:836:32: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
else sprintf (s, "%5.3fM", _p_val / 1e6);
data/jaaa-0.9.2/source/mainwin.cc:841:9: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf (s, "%1.0f dB", _p_val);
data/jaaa-0.9.2/source/mainwin.cc:847:9: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf (s, "%2.1f dB", _p_val);
data/jaaa-0.9.2/source/mainwin.cc:859:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char s [16];
data/jaaa-0.9.2/source/mainwin.cc:926:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char s [16];
data/jaaa-0.9.2/source/mainwin.cc:951:9: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf (s, "%1.0f", a);
data/jaaa-0.9.2/source/mainwin.cc:1070:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char s [64];
data/jaaa-0.9.2/source/mainwin.cc:1080:5: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf (s, "BW = %4.2lf Hz = %5.2lf dBHz, VA = %d, Ptot = %5.2lf",
data/jaaa-0.9.2/source/mainwin.cc:1093:10: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf (s, "Mk1 = %8.1lf Hz, %7.2lf dB/Hz", Z->_mk1f, v1);
data/jaaa-0.9.2/source/mainwin.cc:1098:14: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
k = sprintf (s, "Mk1 = %8.1lf Hz, %7.2lf dB", Z->_mk1f, v1);
data/jaaa-0.9.2/source/mainwin.cc:1109:11: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf (s, "Mk2 = %8.1lf Hz, %7.2lf dB/Hz", Z->_mk2f, v2);
data/jaaa-0.9.2/source/mainwin.cc:1114:9: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf (s, "Del = %8.1lf Hz, %7.2lf dB", Z->_mk2f - Z->_mk1f, v2 - v1);
data/jaaa-0.9.2/source/mainwin.cc:1118:9: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf (s, "Del = %8.1lf Hz, %7.2lf dB/Hz", Z->_mk2f - Z->_mk1f, v2 - v1);
data/jaaa-0.9.2/source/mainwin.cc:1126:15: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
k = sprintf (s, "Mk2 = %8.1lf Hz, %7.2lf dB", Z->_mk2f, v2);
data/jaaa-0.9.2/source/mainwin.cc:1132:9: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf (s, "Del = %8.1lf Hz, %7.2lf dBHz", Z->_mk2f - Z->_mk1f, v2 - v1);
data/jaaa-0.9.2/source/mainwin.cc:1136:9: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf (s, "Del = %8.1lf Hz, %7.2lf dB, (%5.3lf)", Z->_mk2f - Z->_mk1f, v2 - v1, Z->_mk2f / Z->_mk1f);
data/jaaa-0.9.2/source/mainwin.cc:1168:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char s [256];
data/jaaa-0.9.2/source/mainwin.cc:1195:6: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy (_ipbuf + INP_MAX, _ipbuf, k * sizeof (float));
data/jaaa-0.9.2/source/mainwin.cc:1198:2: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy (_fftbuf, _ipbuf + k - _fftlen, _fftlen * sizeof (float));
data/jaaa-0.9.2/source/mainwin.h:203:18: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
const static char *_formats [9];
data/jaaa-0.9.2/source/mainwin.h:204:18: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
const static char *_notes [12];
data/jaaa-0.9.2/source/rngen.cc:50:10: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
fd = open ("/dev/urandom", O_RDONLY);
data/jaaa-0.9.2/source/rngen.cc:54:13: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
k = read (fd, p, n);
ANALYSIS SUMMARY:
Hits = 36
Lines analyzed = 2827 in approximately 0.09 seconds (31317 lines/second)
Physical Source Lines of Code (SLOC) = 2210
Hits@level = [0] 27 [1] 1 [2] 32 [3] 0 [4] 3 [5] 0
Hits@level+ = [0+] 63 [1+] 36 [2+] 35 [3+] 3 [4+] 3 [5+] 0
Hits/KSLOC@level+ = [0+] 28.5068 [1+] 16.2896 [2+] 15.8371 [3+] 1.35747 [4+] 1.35747 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.