Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/libfile-mmagic-xs-perl-0.09008/src/MMagicST.c
Examining data/libfile-mmagic-xs-perl-0.09008/src/MMagicST.h
Examining data/libfile-mmagic-xs-perl-0.09008/src/perl-mmagic-xs.h
Examining data/libfile-mmagic-xs-perl-0.09008/src/perl-mmagic-xs.c
FINAL RESULTS:
data/libfile-mmagic-xs-perl-0.09008/src/perl-mmagic-xs.c:361:5: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy( buf, str );
data/libfile-mmagic-xs-perl-0.09008/src/perl-mmagic-xs.c:364:5: [4] (format) vsnprintf:
If format strings can be influenced by an attacker, they can be exploited,
and note that sprintf variations do not always \0-terminate (CWE-134). Use
a constant for the format specification.
vsnprintf(buf, sizeof(buf), str, ap);
data/libfile-mmagic-xs-perl-0.09008/src/perl-mmagic-xs.c:1200:13: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(*mime_type, EMPTY_MAGIC_TYPE);
data/libfile-mmagic-xs-perl-0.09008/src/perl-mmagic-xs.c:1208:9: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(*mime_type, FIFO_MAGIC_TYPE);
data/libfile-mmagic-xs-perl-0.09008/src/perl-mmagic-xs.c:1210:9: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(*mime_type, CHAR_MAGIC_TYPE);
data/libfile-mmagic-xs-perl-0.09008/src/perl-mmagic-xs.c:1212:9: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(*mime_type, DIR_MAGIC_TYPE);
data/libfile-mmagic-xs-perl-0.09008/src/perl-mmagic-xs.c:1214:9: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(*mime_type, BLOCK_MAGIC_TYPE);
data/libfile-mmagic-xs-perl-0.09008/src/perl-mmagic-xs.c:1219:9: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(*mime_type, BROKEN_SYMLINK_MAGIC_TYPE);
data/libfile-mmagic-xs-perl-0.09008/src/perl-mmagic-xs.c:1221:9: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(*mime_type, SOCKET_MAGIC_TYPE);
data/libfile-mmagic-xs-perl-0.09008/src/perl-mmagic-xs.c:1299:17: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(*mime_type, types[p->type]);
data/libfile-mmagic-xs-perl-0.09008/src/MMagicST.c:150:15: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
FILE *f = fopen("/tmp/col", "w");
data/libfile-mmagic-xs-perl-0.09008/src/perl-mmagic-xs.c:127:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char charptr[RECORDSIZE];
data/libfile-mmagic-xs-perl-0.09008/src/perl-mmagic-xs.c:129:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char name[NAMSIZ];
data/libfile-mmagic-xs-perl-0.09008/src/perl-mmagic-xs.c:130:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char mode[8];
data/libfile-mmagic-xs-perl-0.09008/src/perl-mmagic-xs.c:131:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char uid[8];
data/libfile-mmagic-xs-perl-0.09008/src/perl-mmagic-xs.c:132:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char gid[8];
data/libfile-mmagic-xs-perl-0.09008/src/perl-mmagic-xs.c:133:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char size[12];
data/libfile-mmagic-xs-perl-0.09008/src/perl-mmagic-xs.c:134:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char mtime[12];
data/libfile-mmagic-xs-perl-0.09008/src/perl-mmagic-xs.c:135:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char chksum[8];
data/libfile-mmagic-xs-perl-0.09008/src/perl-mmagic-xs.c:137:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char linkname[NAMSIZ];
data/libfile-mmagic-xs-perl-0.09008/src/perl-mmagic-xs.c:138:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char magic[8];
data/libfile-mmagic-xs-perl-0.09008/src/perl-mmagic-xs.c:139:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char uname[TUNMLEN];
data/libfile-mmagic-xs-perl-0.09008/src/perl-mmagic-xs.c:140:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char gname[TGNMLEN];
data/libfile-mmagic-xs-perl-0.09008/src/perl-mmagic-xs.c:141:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char devmajor[8];
data/libfile-mmagic-xs-perl-0.09008/src/perl-mmagic-xs.c:142:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char devminor[8];
data/libfile-mmagic-xs-perl-0.09008/src/perl-mmagic-xs.c:358:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[MAXMIMESTRING];
data/libfile-mmagic-xs-perl-0.09008/src/perl-mmagic-xs.c:438:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(p, s + offset, sizeof(union VALUETYPE));
data/libfile-mmagic-xs-perl-0.09008/src/perl-mmagic-xs.c:460:9: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(p, s + offset, sizeof(union VALUETYPE));
data/libfile-mmagic-xs-perl-0.09008/src/perl-mmagic-xs.c:1257:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char nbuf[HOWMANY + 1]; /* one extra for terminating '\0' */
data/libfile-mmagic-xs-perl-0.09008/src/perl-mmagic-xs.c:1276:13: [2] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused). Risk is low because the source is a constant string.
strcpy(*mime_type, "application/x-troff");
data/libfile-mmagic-xs-perl-0.09008/src/perl-mmagic-xs.c:1283:9: [2] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused). Risk is low because the source is a constant string.
strcpy(*mime_type, "text/plain");
data/libfile-mmagic-xs-perl-0.09008/src/perl-mmagic-xs.c:1292:27: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
s = (unsigned char *) memcpy(nbuf, buf, small_nbytes);
data/libfile-mmagic-xs-perl-0.09008/src/perl-mmagic-xs.c:1301:21: [2] (buffer) strcat:
Does not check for buffer overflows when concatenating to destination
[MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
snprintf (warning: strncat is easily misused). Risk is low because the
source is a constant string.
strcat(*mime_type, " (with escape sequences)");
data/libfile-mmagic-xs-perl-0.09008/src/perl-mmagic-xs.c:1311:9: [2] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused). Risk is low because the source is a constant string.
strcpy(*mime_type, "application/x-tar");
data/libfile-mmagic-xs-perl-0.09008/src/perl-mmagic-xs.c:1316:5: [2] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused). Risk is low because the source is a constant string.
strcpy(*mime_type, "text/plain");
data/libfile-mmagic-xs-perl-0.09008/src/perl-mmagic-xs.c:1449:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char ext[BUFSIZ];
data/libfile-mmagic-xs-perl-0.09008/src/perl-mmagic-xs.c:1524:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(d, s, sizeof(fmmagic));
data/libfile-mmagic-xs-perl-0.09008/src/perl-mmagic-xs.c:1528:9: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(d->next, s->next, sizeof(struct _fmmagic));
data/libfile-mmagic-xs-perl-0.09008/src/perl-mmagic-xs.h:61:9: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char s[MAXstring];
data/libfile-mmagic-xs-perl-0.09008/src/perl-mmagic-xs.h:62:18: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char hs[2]; /* 2 bytes of a fixed-endian "short" */
data/libfile-mmagic-xs-perl-0.09008/src/perl-mmagic-xs.h:63:18: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char hl[4]; /* 2 bytes of a fixed-endian "long" */
data/libfile-mmagic-xs-perl-0.09008/src/perl-mmagic-xs.h:69:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char desc[MAXDESC]; /* description */
data/libfile-mmagic-xs-perl-0.09008/src/perl-mmagic-xs.c:367:9: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (strlen(buf) + 1 > MAXMIMESTRING - strlen(*dst)) {
data/libfile-mmagic-xs-perl-0.09008/src/perl-mmagic-xs.c:367:43: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (strlen(buf) + 1 > MAXMIMESTRING - strlen(*dst)) {
data/libfile-mmagic-xs-perl-0.09008/src/perl-mmagic-xs.c:375:5: [1] (buffer) strncat:
Easily used incorrectly (e.g., incorrectly computing the correct maximum
size to add) [MS-banned] (CWE-120). Consider strcat_s, strlcat, snprintf,
or automatically resizing strings.
strncat(*dst, buf, strlen(buf));
data/libfile-mmagic-xs-perl-0.09008/src/perl-mmagic-xs.c:375:24: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
strncat(*dst, buf, strlen(buf));
data/libfile-mmagic-xs-perl-0.09008/src/perl-mmagic-xs.c:1106:5: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy(m->desc, l, sizeof(m->desc) - 1);
data/libfile-mmagic-xs-perl-0.09008/src/perl-mmagic-xs.c:1148:18: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
line[strlen(line) - 1] = '\0';
data/libfile-mmagic-xs-perl-0.09008/src/perl-mmagic-xs.c:1457:5: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy(ext, dot + 1, BUFSIZ);
data/libfile-mmagic-xs-perl-0.09008/src/perl-mmagic-xs.c:1461:5: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy(*mime_type, temp_mimetype, MAXMIMESTRING);
data/libfile-mmagic-xs-perl-0.09008/src/perl-mmagic-xs.c:1645:29: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
rc = fmm_ascmagic(data, strlen(data), &type);
data/libfile-mmagic-xs-perl-0.09008/src/perl-mmagic-xs.h:90:23: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
newSVpv(type, strlen(type)) : \
ANALYSIS SUMMARY:
Hits = 52
Lines analyzed = 2427 in approximately 0.08 seconds (31419 lines/second)
Physical Source Lines of Code (SLOC) = 1858
Hits@level = [0] 1 [1] 10 [2] 32 [3] 0 [4] 10 [5] 0
Hits@level+ = [0+] 53 [1+] 52 [2+] 42 [3+] 10 [4+] 10 [5+] 0
Hits/KSLOC@level+ = [0+] 28.5253 [1+] 27.9871 [2+] 22.605 [3+] 5.38213 [4+] 5.38213 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.