Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler. Number of rules (primarily dangerous function names) in C/C++ ruleset: 223 Examining data/libltc-1.3.1/src/decoder.c Examining data/libltc-1.3.1/src/decoder.h Examining data/libltc-1.3.1/src/encoder.c Examining data/libltc-1.3.1/src/encoder.h Examining data/libltc-1.3.1/src/ltc.c Examining data/libltc-1.3.1/src/ltc.h Examining data/libltc-1.3.1/src/timecode.c Examining data/libltc-1.3.1/tests/example_encode.c Examining data/libltc-1.3.1/tests/ltcdecode.c Examining data/libltc-1.3.1/tests/ltcencode.c FINAL RESULTS: data/libltc-1.3.1/src/timecode.c:124:4: [4] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). strcpy(timezone, smpte_time_zones[i].timezone); data/libltc-1.3.1/src/timecode.c:128:2: [4] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). strcpy(stime->timezone, timezone); data/libltc-1.3.1/tests/example_encode.c:67:2: [4] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). strcpy(st.timezone, timezone); data/libltc-1.3.1/tests/ltcencode.c:52:2: [4] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). strcpy(st.timezone, timezone); data/libltc-1.3.1/src/decoder.c:183:4: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy( &d->queue[d->queue_write_off].ltc, data/libltc-1.3.1/src/decoder.c:237:4: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy( &d->queue[d->queue_write_off].ltc, data/libltc-1.3.1/src/ltc.c:104:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(frame, &d->queue[d->queue_read_off], sizeof(LTCFrameExt)); data/libltc-1.3.1/src/ltc.c:312:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(f, &e->f, sizeof(LTCFrame)); data/libltc-1.3.1/src/ltc.c:316:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(&e->f, f, sizeof(LTCFrame)); data/libltc-1.3.1/src/ltc.c:343:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(buf, e->buf, len * sizeof(ltcsnd_sample_t) ); data/libltc-1.3.1/src/ltc.h:313:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char timezone[6]; ///< the timezone 6bytes: "+HHMM" textual representation data/libltc-1.3.1/src/timecode.c:36:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char timezone[6]; data/libltc-1.3.1/src/timecode.c:120:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char timezone[6] = "+0000"; data/libltc-1.3.1/src/timecode.c:177:3: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(stime->timezone,"+0000"); data/libltc-1.3.1/src/timecode.c:281:19: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. unsigned char dpm[12] = {31,28,31,30,31,30,31,31,30,31,30,31}; data/libltc-1.3.1/src/timecode.c:382:17: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. unsigned char dpm[12] = {31,28,31,30,31,30,31,31,30,31,30,31}; data/libltc-1.3.1/tests/example_encode.c:66:8: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. const char timezone[6] = "+0100"; data/libltc-1.3.1/tests/example_encode.c:105:9: [2] (misc) fopen: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). file = fopen(filename, "wb"); data/libltc-1.3.1/tests/ltcdecode.c:65:6: [2] (misc) fopen: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). f = fopen(filename, "r"); data/libltc-1.3.1/tests/ltcencode.c:50:8: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. const char timezone[6] = "+0100"; data/libltc-1.3.1/tests/ltcencode.c:88:9: [2] (misc) fopen: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). file = fopen(filename, "wb"); ANALYSIS SUMMARY: Hits = 21 Lines analyzed = 2628 in approximately 0.12 seconds (21708 lines/second) Physical Source Lines of Code (SLOC) = 1395 Hits@level = [0] 41 [1] 0 [2] 17 [3] 0 [4] 4 [5] 0 Hits@level+ = [0+] 62 [1+] 21 [2+] 21 [3+] 4 [4+] 4 [5+] 0 Hits/KSLOC@level+ = [0+] 44.4444 [1+] 15.0538 [2+] 15.0538 [3+] 2.86738 [4+] 2.86738 [5+] 0 Dot directories skipped = 1 (--followdotdir overrides) Minimum risk level = 1 Not every hit is necessarily a security vulnerability. There may be other security vulnerabilities; review your code! See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.