stdin

Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/libvorbisidec-1.2.1+git20180316/asm_arm.h
Examining data/libvorbisidec-1.2.1+git20180316/backends.h
Examining data/libvorbisidec-1.2.1+git20180316/block.c
Examining data/libvorbisidec-1.2.1+git20180316/block.h
Examining data/libvorbisidec-1.2.1+git20180316/codebook.c
Examining data/libvorbisidec-1.2.1+git20180316/codebook.h
Examining data/libvorbisidec-1.2.1+git20180316/codec_internal.h
Examining data/libvorbisidec-1.2.1+git20180316/config_types.h
Examining data/libvorbisidec-1.2.1+git20180316/floor0.c
Examining data/libvorbisidec-1.2.1+git20180316/floor1.c
Examining data/libvorbisidec-1.2.1+git20180316/info.c
Examining data/libvorbisidec-1.2.1+git20180316/iseeking_example.c
Examining data/libvorbisidec-1.2.1+git20180316/ivorbiscodec.h
Examining data/libvorbisidec-1.2.1+git20180316/ivorbisfile.h
Examining data/libvorbisidec-1.2.1+git20180316/ivorbisfile_example.c
Examining data/libvorbisidec-1.2.1+git20180316/lsp_lookup.h
Examining data/libvorbisidec-1.2.1+git20180316/mapping0.c
Examining data/libvorbisidec-1.2.1+git20180316/mdct.c
Examining data/libvorbisidec-1.2.1+git20180316/mdct.h
Examining data/libvorbisidec-1.2.1+git20180316/mdct_lookup.h
Examining data/libvorbisidec-1.2.1+git20180316/misc.h
Examining data/libvorbisidec-1.2.1+git20180316/os.h
Examining data/libvorbisidec-1.2.1+git20180316/registry.c
Examining data/libvorbisidec-1.2.1+git20180316/registry.h
Examining data/libvorbisidec-1.2.1+git20180316/res012.c
Examining data/libvorbisidec-1.2.1+git20180316/sharedbook.c
Examining data/libvorbisidec-1.2.1+git20180316/synthesis.c
Examining data/libvorbisidec-1.2.1+git20180316/vorbisfile.c
Examining data/libvorbisidec-1.2.1+git20180316/window.c
Examining data/libvorbisidec-1.2.1+git20180316/window.h
Examining data/libvorbisidec-1.2.1+git20180316/window_lookup.h

FINAL RESULTS:

data/libvorbisidec-1.2.1+git20180316/info.c:62:3:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
  strcpy(fulltag, tag);
data/libvorbisidec-1.2.1+git20180316/info.c:81:3:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
  strcpy(fulltag,tag);
data/libvorbisidec-1.2.1+git20180316/floor0.c:120:23:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
static const unsigned char MLOOP_1[64]={
data/libvorbisidec-1.2.1+git20180316/floor0.c:127:23:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
static const unsigned char MLOOP_2[64]={
data/libvorbisidec-1.2.1+git20180316/floor0.c:134:23:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
static const unsigned char MLOOP_3[8]={0,1,2,2,3,3,3,3};
data/libvorbisidec-1.2.1+git20180316/info.c:308:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buffer[6];
data/libvorbisidec-1.2.1+git20180316/info.c:344:7:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
      char buffer[6];
data/libvorbisidec-1.2.1+git20180316/iseeking_example.c:37:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buffer[4096];
data/libvorbisidec-1.2.1+git20180316/iseeking_example.c:69:12:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
	  FILE *f=fopen("a.m","w");
data/libvorbisidec-1.2.1+git20180316/iseeking_example.c:72:6:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
	  f=fopen("b.m","w");
data/libvorbisidec-1.2.1+git20180316/ivorbisfile_example.c:32:1:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
char pcmout[4096]; /* take 4k out of the data segment, not the stack */
data/libvorbisidec-1.2.1+git20180316/mdct.c:249:17:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
static unsigned char bitrev[16]={0,8,4,12,2,10,6,14,1,9,5,13,3,11,7,15};
data/libvorbisidec-1.2.1+git20180316/vorbisfile.c:888:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
    memcpy(buffer,initial,ibytes);
data/libvorbisidec-1.2.1+git20180316/vorbisfile.c:914:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
    memcpy(vf->serialnos+2,serialno_list,serialno_list_size*sizeof(*vf->serialnos));
data/libvorbisidec-1.2.1+git20180316/vorbisfile.c:1003:13:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
  FILE *f = fopen(path,"rb");
data/libvorbisidec-1.2.1+git20180316/codebook.c:186:25:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  lok = oggpack_look(b, read);
data/libvorbisidec-1.2.1+git20180316/codebook.c:188:18:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  while(lok<0 && read>1)
data/libvorbisidec-1.2.1+git20180316/codebook.c:189:29:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
    lok = oggpack_look(b, --read);
data/libvorbisidec-1.2.1+git20180316/codebook.c:207:35:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
    if(book->dec_codelengths[lo]<=read){
data/libvorbisidec-1.2.1+git20180316/info.c:59:16:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  int taglen = strlen(tag)+1; /* +1 for the = we append */
data/libvorbisidec-1.2.1+git20180316/info.c:63:3:  [1] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination
  [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
  snprintf (warning: strncat is easily misused). Risk is low because the
  source is a constant character.
  strcat(fulltag, "=");
data/libvorbisidec-1.2.1+git20180316/info.c:79:16:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  int taglen = strlen(tag)+1; /* +1 for the = we append */
data/libvorbisidec-1.2.1+git20180316/info.c:82:3:  [1] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination
  [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
  snprintf (warning: strncat is easily misused). Risk is low because the
  source is a constant character.
  strcat(fulltag, "=");

ANALYSIS SUMMARY:

Hits = 23
Lines analyzed = 10572 in approximately 0.44 seconds (24236 lines/second)
Physical Source Lines of Code (SLOC) = 7783
Hits@level = [0]  43 [1]   8 [2]  13 [3]   0 [4]   2 [5]   0
Hits@level+ = [0+]  66 [1+]  23 [2+]  15 [3+]   2 [4+]   2 [5+]   0
Hits/KSLOC@level+ = [0+] 8.48002 [1+] 2.95516 [2+] 1.92728 [3+] 0.25697 [4+] 0.25697 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.