Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/libminini-1.2.a+ds/minGlue-ffs.h
Examining data/libminini-1.2.a+ds/minGlue-mdd.h
Examining data/libminini-1.2.a+ds/minGlue-ccs.h
Examining data/libminini-1.2.a+ds/wxMinIni.h
Examining data/libminini-1.2.a+ds/minGlue-efsl.h
Examining data/libminini-1.2.a+ds/minGlue-FatFs.h
Examining data/libminini-1.2.a+ds/minGlue-stdio.h
Examining data/libminini-1.2.a+ds/minGlue.h
Examining data/libminini-1.2.a+ds/test2.cc
Examining data/libminini-1.2.a+ds/minIni.cc
Examining data/libminini-1.2.a+ds/minIni.h
Examining data/libminini-1.2.a+ds/test.c

FINAL RESULTS:

data/libminini-1.2.a+ds/minIni.cc:52:21:  [5] (buffer) gets:
  Does not check for buffer overflows (CWE-120, CWE-20). Use fgets() instead.
  std::string minIni::gets(const std::string& Section, const std::string& Key, const std::string& DefValue) const
data/libminini-1.2.a+ds/minIni.h:87:17:  [5] (buffer) gets:
  Does not check for buffer overflows (CWE-120, CWE-20). Use fgets() instead.
  std::string gets(const std::string& Section, const std::string& Key, const std::string& DefValue="") const;
data/libminini-1.2.a+ds/test2.cc:22:11:  [5] (buffer) gets:
  Does not check for buffer overflows (CWE-120, CWE-20). Use fgets() instead.
  s = ini.gets( "first", "string" , "aap" );
data/libminini-1.2.a+ds/test2.cc:24:11:  [5] (buffer) gets:
  Does not check for buffer overflows (CWE-120, CWE-20). Use fgets() instead.
  s = ini.gets( "second", "string" , "aap" );
data/libminini-1.2.a+ds/test2.cc:26:11:  [5] (buffer) gets:
  Does not check for buffer overflows (CWE-120, CWE-20). Use fgets() instead.
  s = ini.gets( "first", "dummy" , "aap" );
data/libminini-1.2.a+ds/test2.cc:46:11:  [5] (buffer) gets:
  Does not check for buffer overflows (CWE-120, CWE-20). Use fgets() instead.
  s = ini.gets("first", "alt", "aap");
data/libminini-1.2.a+ds/test2.cc:51:11:  [5] (buffer) gets:
  Does not check for buffer overflows (CWE-120, CWE-20). Use fgets() instead.
  s = ini.gets("second", "alt", "aap");
data/libminini-1.2.a+ds/test2.cc:56:11:  [5] (buffer) gets:
  Does not check for buffer overflows (CWE-120, CWE-20). Use fgets() instead.
  s = ini.gets("third", "alt", "aap" );
data/libminini-1.2.a+ds/wxMinIni.h:40:12:  [5] (buffer) gets:
  Does not check for buffer overflows (CWE-120, CWE-20). Use fgets() instead.
  wxString gets(const wxString& Section, const wxString& Key, const wxString& DefValue=wxT("")) const
data/libminini-1.2.a+ds/minIni.cc:117:11:  [4] (buffer) _tcscat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120).
  #define _tcscat strcat
data/libminini-1.2.a+ds/minIni.cc:117:21:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
  #define _tcscat strcat
data/libminini-1.2.a+ds/minIni.cc:120:11:  [4] (buffer) _tcscpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using a function version that stops copying at the end of the buffer.
  #define _tcscpy strcpy
data/libminini-1.2.a+ds/minIni.cc:120:21:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  #define _tcscpy strcpy
data/libminini-1.2.a+ds/minIni.cc:129:11:  [4] (buffer) _stprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  #define _stprintf sprintf
data/libminini-1.2.a+ds/minIni.cc:129:21:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  #define _stprintf sprintf
data/libminini-1.2.a+ds/minIni.cc:608:5:  [4] (buffer) _tcscpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using a function version that stops copying at the end of the buffer.
  _tcscpy(p, INI_LINETERM); /* copy line terminator (typically "\n") */
data/libminini-1.2.a+ds/minIni.cc:624:3:  [4] (buffer) _tcscpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using a function version that stops copying at the end of the buffer.
  _tcscpy(p, INI_LINETERM); /* copy line terminator (typically "\n") */
data/libminini-1.2.a+ds/minGlue-stdio.h:15:51:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  #define ini_openread(filename,file) ((*(file) = fopen((filename),"rb")) != NULL)
data/libminini-1.2.a+ds/minGlue-stdio.h:16:51:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  #define ini_openwrite(filename,file) ((*(file) = fopen((filename),"wb")) != NULL)
data/libminini-1.2.a+ds/minGlue-stdio.h:29:39:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  #define ini_ftoa(string,value) sprintf((string),"%f",(value))
data/libminini-1.2.a+ds/minGlue.h:15:51:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  #define ini_openread(filename,file) ((*(file) = fopen((filename),"rb")) != NULL)
data/libminini-1.2.a+ds/minGlue.h:16:51:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  #define ini_openwrite(filename,file) ((*(file) = fopen((filename),"wb")) != NULL)
data/libminini-1.2.a+ds/minGlue.h:29:39:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  #define ini_ftoa(string,value) sprintf((string),"%f",(value))
data/libminini-1.2.a+ds/minIni.cc:54:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buffer[INI_BUFFERSIZE];
data/libminini-1.2.a+ds/minIni.cc:61:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buffer[INI_BUFFERSIZE];
data/libminini-1.2.a+ds/minIni.cc:68:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buffer[INI_BUFFERSIZE];
data/libminini-1.2.a+ds/minIni.cc:132:21:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  #define _tfopen fopen
data/libminini-1.2.a+ds/minIni.cc:292:3:  [2] (buffer) TCHAR:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  TCHAR LocalBuffer[INI_BUFFERSIZE];
data/libminini-1.2.a+ds/minIni.cc:392:3:  [2] (buffer) TCHAR:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  TCHAR LocalBuffer[64];
data/libminini-1.2.a+ds/minIni.cc:410:3:  [2] (buffer) TCHAR:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  TCHAR LocalBuffer[64];
data/libminini-1.2.a+ds/minIni.cc:439:3:  [2] (buffer) TCHAR:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  TCHAR LocalBuffer[2];
data/libminini-1.2.a+ds/minIni.cc:522:3:  [2] (buffer) TCHAR:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  TCHAR LocalBuffer[INI_BUFFERSIZE];
data/libminini-1.2.a+ds/minIni.cc:683:3:  [2] (buffer) TCHAR:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  TCHAR LocalBuffer[INI_BUFFERSIZE];
data/libminini-1.2.a+ds/minIni.cc:878:3:  [2] (buffer) TCHAR:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  TCHAR LocalBuffer[32];
data/libminini-1.2.a+ds/minIni.cc:894:3:  [2] (buffer) TCHAR:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  TCHAR LocalBuffer[64];
data/libminini-1.2.a+ds/test.c:24:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char str[100];
data/libminini-1.2.a+ds/test.c:27:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char section[50];
data/libminini-1.2.a+ds/wxMinIni.h:42:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buffer[INI_BUFFERSIZE];
data/libminini-1.2.a+ds/wxMinIni.h:50:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buffer[INI_BUFFERSIZE];
data/libminini-1.2.a+ds/wxMinIni.h:58:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buffer[INI_BUFFERSIZE];
data/libminini-1.2.a+ds/minGlue-efsl.h:23:59:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  #define ini_write(buffer,file) (file_write((file), strlen(buffer), (char*)(buffer)) > 0)
data/libminini-1.2.a+ds/minGlue-mdd.h:21:62:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  #define ini_write(buffer,file) (FSfwrite((buffer), 1, strlen(buffer), (*file)) > 0)
data/libminini-1.2.a+ds/minIni.cc:122:11:  [1] (buffer) _tcslen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  #define _tcslen strlen
data/libminini-1.2.a+ds/minIni.cc:122:21:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  #define _tcslen strlen
data/libminini-1.2.a+ds/minIni.cc:299:29:  [1] (buffer) _tcslen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  len = (Section != NULL) ? _tcslen(Section) : 0;
data/libminini-1.2.a+ds/minIni.cc:324:30:  [1] (buffer) _tcslen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  len = (Key != NULL) ? (int)_tcslen(Key) : 0;
data/libminini-1.2.a+ds/minIni.cc:379:10:  [1] (buffer) _tcslen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  return _tcslen(Buffer);
data/libminini-1.2.a+ds/minIni.cc:475:10:  [1] (buffer) _tcslen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  return _tcslen(Buffer);
data/libminini-1.2.a+ds/minIni.cc:501:10:  [1] (buffer) _tcslen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  return _tcslen(Buffer);
data/libminini-1.2.a+ds/minIni.cc:534:12:  [1] (buffer) _tcslen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  lenSec = _tcslen(LocalBuffer) + 1;
data/libminini-1.2.a+ds/minIni.cc:547:16:  [1] (buffer) _tcslen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  lenSec = _tcslen(LocalBuffer) + 1;
data/libminini-1.2.a+ds/minIni.cc:559:14:  [1] (buffer) _tcslen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  lenKey = _tcslen(LocalBuffer + lenSec) + 1;
data/libminini-1.2.a+ds/minIni.cc:602:26:  [1] (buffer) _tcslen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (Section != NULL && _tcslen(Section) > 0) {
data/libminini-1.2.a+ds/minIni.cc:630:13:  [1] (buffer) _tcslen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  int len = _tcslen(string);
data/libminini-1.2.a+ds/minIni.cc:648:12:  [1] (buffer) _tcslen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  pos += _tcslen(buffer + pos);
data/libminini-1.2.a+ds/minIni.cc:656:34:  [1] (buffer) _tcslen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  return (_tcscmp(buffer + pos - _tcslen(INI_LINETERM), INI_LINETERM) == 0);
data/libminini-1.2.a+ds/minIni.cc:728:29:  [1] (buffer) _tcslen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  len = (Section != NULL) ? _tcslen(Section) : 0;
data/libminini-1.2.a+ds/minIni.cc:772:23:  [1] (buffer) _tcslen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  len = (Key!=NULL) ? _tcslen(Key) : 0;
data/libminini-1.2.a+ds/minIni.cc:843:19:  [1] (buffer) _tcslen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  for (i = 0, j = _tcslen(str) - 1; i < j; i++, j--) {

ANALYSIS SUMMARY:

Hits = 59
Lines analyzed = 1627 in approximately 0.09 seconds (17915 lines/second)
Physical Source Lines of Code (SLOC) = 1071
Hits@level = [0]   9 [1]  19 [2]  23 [3]   0 [4]   8 [5]   9
Hits@level+ = [0+]  68 [1+]  59 [2+]  40 [3+]  17 [4+]  17 [5+]   9
Hits/KSLOC@level+ = [0+] 63.4921 [1+] 55.0887 [2+] 37.3483 [3+] 15.873 [4+] 15.873 [5+] 8.40336
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.