Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/libxcrypt-4.4.17/lib/alg-des-tables.c
Examining data/libxcrypt-4.4.17/lib/alg-des.c
Examining data/libxcrypt-4.4.17/lib/alg-des.h
Examining data/libxcrypt-4.4.17/lib/alg-gost3411-2012-const.h
Examining data/libxcrypt-4.4.17/lib/alg-gost3411-2012-core.c
Examining data/libxcrypt-4.4.17/lib/alg-gost3411-2012-core.h
Examining data/libxcrypt-4.4.17/lib/alg-gost3411-2012-hmac.c
Examining data/libxcrypt-4.4.17/lib/alg-gost3411-2012-hmac.h
Examining data/libxcrypt-4.4.17/lib/alg-gost3411-2012-precalc.h
Examining data/libxcrypt-4.4.17/lib/alg-gost3411-2012-ref.h
Examining data/libxcrypt-4.4.17/lib/alg-hmac-sha1.c
Examining data/libxcrypt-4.4.17/lib/alg-hmac-sha1.h
Examining data/libxcrypt-4.4.17/lib/alg-md4.c
Examining data/libxcrypt-4.4.17/lib/alg-md4.h
Examining data/libxcrypt-4.4.17/lib/alg-md5.c
Examining data/libxcrypt-4.4.17/lib/alg-md5.h
Examining data/libxcrypt-4.4.17/lib/alg-sha1.c
Examining data/libxcrypt-4.4.17/lib/alg-sha1.h
Examining data/libxcrypt-4.4.17/lib/alg-sha256.c
Examining data/libxcrypt-4.4.17/lib/alg-sha256.h
Examining data/libxcrypt-4.4.17/lib/alg-sha512.c
Examining data/libxcrypt-4.4.17/lib/alg-sha512.h
Examining data/libxcrypt-4.4.17/lib/alg-yescrypt-common.c
Examining data/libxcrypt-4.4.17/lib/alg-yescrypt-opt.c
Examining data/libxcrypt-4.4.17/lib/alg-yescrypt-platform.c
Examining data/libxcrypt-4.4.17/lib/alg-yescrypt-sysendian.h
Examining data/libxcrypt-4.4.17/lib/alg-yescrypt.h
Examining data/libxcrypt-4.4.17/lib/byteorder.h
Examining data/libxcrypt-4.4.17/lib/crypt-bcrypt.c
Examining data/libxcrypt-4.4.17/lib/crypt-common.c
Examining data/libxcrypt-4.4.17/lib/crypt-common.h
Examining data/libxcrypt-4.4.17/lib/crypt-des-obsolete.c
Examining data/libxcrypt-4.4.17/lib/crypt-des.c
Examining data/libxcrypt-4.4.17/lib/crypt-gensalt-static.c
Examining data/libxcrypt-4.4.17/lib/crypt-gensalt.c
Examining data/libxcrypt-4.4.17/lib/crypt-gost-yescrypt.c
Examining data/libxcrypt-4.4.17/lib/crypt-md5.c
Examining data/libxcrypt-4.4.17/lib/crypt-nthash.c
Examining data/libxcrypt-4.4.17/lib/crypt-obsolete.h
Examining data/libxcrypt-4.4.17/lib/crypt-pbkdf1-sha1.c
Examining data/libxcrypt-4.4.17/lib/crypt-port.h
Examining data/libxcrypt-4.4.17/lib/crypt-scrypt.c
Examining data/libxcrypt-4.4.17/lib/crypt-sha256.c
Examining data/libxcrypt-4.4.17/lib/crypt-sha512.c
Examining data/libxcrypt-4.4.17/lib/crypt-static.c
Examining data/libxcrypt-4.4.17/lib/crypt-sunmd5.c
Examining data/libxcrypt-4.4.17/lib/crypt-yescrypt.c
Examining data/libxcrypt-4.4.17/lib/crypt.c
Examining data/libxcrypt-4.4.17/lib/gen-des-tables.c
Examining data/libxcrypt-4.4.17/lib/randombytes.c
Examining data/libxcrypt-4.4.17/test/alg-des.c
Examining data/libxcrypt-4.4.17/test/alg-gost3411-2012-hmac.c
Examining data/libxcrypt-4.4.17/test/alg-gost3411-2012.c
Examining data/libxcrypt-4.4.17/test/alg-hmac-sha1.c
Examining data/libxcrypt-4.4.17/test/alg-md4.c
Examining data/libxcrypt-4.4.17/test/alg-md5.c
Examining data/libxcrypt-4.4.17/test/alg-pbkdf-hmac-sha256.c
Examining data/libxcrypt-4.4.17/test/alg-sha1.c
Examining data/libxcrypt-4.4.17/test/alg-sha256.c
Examining data/libxcrypt-4.4.17/test/alg-sha512.c
Examining data/libxcrypt-4.4.17/test/alg-yescrypt.c
Examining data/libxcrypt-4.4.17/test/badsalt.c
Examining data/libxcrypt-4.4.17/test/badsetting.c
Examining data/libxcrypt-4.4.17/test/byteorder.c
Examining data/libxcrypt-4.4.17/test/checksalt.c
Examining data/libxcrypt-4.4.17/test/compile-strong-alias.c
Examining data/libxcrypt-4.4.17/test/crypt-badargs.c
Examining data/libxcrypt-4.4.17/test/crypt-gost-yescrypt.c
Examining data/libxcrypt-4.4.17/test/des-cases.h
Examining data/libxcrypt-4.4.17/test/des-obsolete.c
Examining data/libxcrypt-4.4.17/test/des-obsolete_r.c
Examining data/libxcrypt-4.4.17/test/fcrypt-enosys.c
Examining data/libxcrypt-4.4.17/test/gensalt-extradata.c
Examining data/libxcrypt-4.4.17/test/gensalt-nthash.c
Examining data/libxcrypt-4.4.17/test/gensalt.c
Examining data/libxcrypt-4.4.17/test/getrandom-fallbacks.c
Examining data/libxcrypt-4.4.17/test/getrandom-interface.c
Examining data/libxcrypt-4.4.17/test/ka-tester.c
Examining data/libxcrypt-4.4.17/test/preferred-method.c
Examining data/libxcrypt-4.4.17/test/short-outbuf.c
Examining data/libxcrypt-4.4.17/test/special-char-salt.c

FINAL RESULTS:

data/libxcrypt-4.4.17/lib/crypt-static.c:28:1: [4] (crypto) crypt: The crypt functions use a poor one-way hashing algorithm; since they only accept passwords of 8 characters or fewer and only a two-byte salt, they are excessively vulnerable to dictionary attacks given today's faster computing equipment (CWE-327). Use a different algorithm, such as SHA-256, with a larger, non-repeating salt.
  crypt (const char *key, const char *setting)
data/libxcrypt-4.4.17/lib/crypt-static.c:31:10: [4] (crypto) crypt_r: The crypt functions use a poor one-way hashing algorithm; since they only accept passwords of 8 characters or fewer and only a two-byte salt, they are excessively vulnerable to dictionary attacks given today's faster computing equipment (CWE-327). Use a different algorithm, such as SHA-256, with a larger, non-repeating salt.
  return crypt_r (key, setting, &nr_crypt_ctx);
data/libxcrypt-4.4.17/lib/crypt-static.c:57:15: [4] (crypto) crypt: The crypt functions use a poor one-way hashing algorithm; since they only accept passwords of 8 characters or fewer and only a two-byte salt, they are excessively vulnerable to dictionary attacks given today's faster computing equipment (CWE-327). Use a different algorithm, such as SHA-256, with a larger, non-repeating salt.
  strong_alias (crypt, fcrypt);
data/libxcrypt-4.4.17/lib/crypt-static.c:64:15: [4] (crypto) crypt: The crypt functions use a poor one-way hashing algorithm; since they only accept passwords of 8 characters or fewer and only a two-byte salt, they are excessively vulnerable to dictionary attacks given today's faster computing equipment (CWE-327). Use a different algorithm, such as SHA-256, with a larger, non-repeating salt.
  strong_alias (crypt, xcrypt);
data/libxcrypt-4.4.17/lib/crypt.c:67:12: [4] (crypto) crypt: The crypt functions use a poor one-way hashing algorithm; since they only accept passwords of 8 characters or fewer and only a two-byte salt, they are excessively vulnerable to dictionary attacks given today's faster computing equipment (CWE-327). Use a different algorithm, such as SHA-256, with a larger, non-repeating salt.
  crypt_fn crypt;
data/libxcrypt-4.4.17/lib/crypt.c:140:6: [4] (crypto) crypt: The crypt functions use a poor one-way hashing algorithm; since they only accept passwords of 8 characters or fewer and only a two-byte salt, they are excessively vulnerable to dictionary attacks given today's faster computing equipment (CWE-327). Use a different algorithm, such as SHA-256, with a larger, non-repeating salt.
  h->crypt (phrase, phr_size, setting, set_size,
data/libxcrypt-4.4.17/lib/crypt.c:195:1: [4] (crypto) crypt_r: The crypt functions use a poor one-way hashing algorithm; since they only accept passwords of 8 characters or fewer and only a two-byte salt, they are excessively vulnerable to dictionary attacks given today's faster computing equipment (CWE-327). Use a different algorithm, such as SHA-256, with a larger, non-repeating salt.
  crypt_r (const char *phrase, const char *setting, struct crypt_data *data)
data/libxcrypt-4.4.17/lib/crypt.c:210:15: [4] (crypto) crypt_r: The crypt functions use a poor one-way hashing algorithm; since they only accept passwords of 8 characters or fewer and only a two-byte salt, they are excessively vulnerable to dictionary attacks given today's faster computing equipment (CWE-327). Use a different algorithm, such as SHA-256, with a larger, non-repeating salt.
  strong_alias (crypt_r, xcrypt_r);
data/libxcrypt-4.4.17/test/badsalt.c:357:12: [4] (crypto) crypt: The crypt functions use a poor one-way hashing algorithm; since they only accept passwords of 8 characters or fewer and only a two-byte salt, they are excessively vulnerable to dictionary attacks given today's faster computing equipment (CWE-327). Use a different algorithm, such as SHA-256, with a larger, non-repeating salt.
  retval = crypt (phrase, setting);
data/libxcrypt-4.4.17/test/badsalt.c:361:12: [4] (crypto) crypt_r: The crypt functions use a poor one-way hashing algorithm; since they only accept passwords of 8 characters or fewer and only a two-byte salt, they are excessively vulnerable to dictionary attacks given today's faster computing equipment (CWE-327). Use a different algorithm, such as SHA-256, with a larger, non-repeating salt.
  retval = crypt_r (phrase, setting, cd);
data/libxcrypt-4.4.17/test/checksalt.c:169:7: [4] (crypto) crypt_r: The crypt functions use a poor one-way hashing algorithm; since they only accept passwords of 8 characters or fewer and only a two-byte salt, they are excessively vulnerable to dictionary attacks given today's faster computing equipment (CWE-327). Use a different algorithm, such as SHA-256, with a larger, non-repeating salt.
  crypt_r (phr, gs_out, &cd);
data/libxcrypt-4.4.17/test/checksalt.c:226:11: [4] (crypto) crypt_r: The crypt functions use a poor one-way hashing algorithm; since they only accept passwords of 8 characters or fewer and only a two-byte salt, they are excessively vulnerable to dictionary attacks given today's faster computing equipment (CWE-327). Use a different algorithm, such as SHA-256, with a larger, non-repeating salt.
  crypt_r (phr, gs_out, &cd);
data/libxcrypt-4.4.17/test/crypt-badargs.c:147:15: [4] (crypto) crypt: The crypt functions use a poor one-way hashing algorithm; since they only accept passwords of 8 characters or fewer and only a two-byte salt, they are excessively vulnerable to dictionary attacks given today's faster computing equipment (CWE-327). Use a different algorithm, such as SHA-256, with a larger, non-repeating salt.
  char *got = crypt (phrase, setting);
data/libxcrypt-4.4.17/test/crypt-badargs.c:157:15: [4] (crypto) crypt_r: The crypt functions use a poor one-way hashing algorithm; since they only accept passwords of 8 characters or fewer and only a two-byte salt, they are excessively vulnerable to dictionary attacks given today's faster computing equipment (CWE-327). Use a different algorithm, such as SHA-256, with a larger, non-repeating salt.
  char *got = crypt_r (phrase, setting, &data);
data/libxcrypt-4.4.17/test/crypt-badargs.c:281:7: [4] (buffer) strcat: Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
  strcat (page, settings[i]);
data/libxcrypt-4.4.17/test/crypt-badargs.c:292:7: [4] (buffer) strcat: Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
  strcat (page, settings[i]);
data/libxcrypt-4.4.17/test/crypt-badargs.c:316:7: [4] (buffer) strcat: Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
  strcat (page, settings[i]);
data/libxcrypt-4.4.17/test/crypt-gost-yescrypt.c:92:3: [4] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy (*a + *a_size, h);
data/libxcrypt-4.4.17/test/gensalt-nthash.c:46:3: [4] (crypto) crypt_r: The crypt functions use a poor one-way hashing algorithm; since they only accept passwords of 8 characters or fewer and only a two-byte salt, they are excessively vulnerable to dictionary attacks given today's faster computing equipment (CWE-327). Use a different algorithm, such as SHA-256, with a larger, non-repeating salt.
  crypt_r ("top secret", output, &cd);
data/libxcrypt-4.4.17/test/ka-tester.c:159:14: [4] (crypto) crypt: The crypt functions use a poor one-way hashing algorithm; since they only accept passwords of 8 characters or fewer and only a two-byte salt, they are excessively vulnerable to dictionary attacks given today's faster computing equipment (CWE-327). Use a different algorithm, such as SHA-256, with a larger, non-repeating salt.
  hash = crypt (t->input, t->salt);
data/libxcrypt-4.4.17/test/ka-tester.c:195:14: [4] (crypto) crypt_r: The crypt functions use a poor one-way hashing algorithm; since they only accept passwords of 8 characters or fewer and only a two-byte salt, they are excessively vulnerable to dictionary attacks given today's faster computing equipment (CWE-327). Use a different algorithm, such as SHA-256, with a larger, non-repeating salt.
  hash = crypt_r (u.pass + 1, t->salt, &data);
data/libxcrypt-4.4.17/test/preferred-method.c:89:7: [4] (crypto) crypt_r: The crypt functions use a poor one-way hashing algorithm; since they only accept passwords of 8 characters or fewer and only a two-byte salt, they are excessively vulnerable to dictionary attacks given today's faster computing equipment (CWE-327). Use a different algorithm, such as SHA-256, with a larger, non-repeating salt.
  crypt_r (PASSPHRASE, gs, &cd);
data/libxcrypt-4.4.17/test/special-char-salt.c:864:7: [4] (crypto) crypt_r: The crypt functions use a poor one-way hashing algorithm; since they only accept passwords of 8 characters or fewer and only a two-byte salt, they are excessively vulnerable to dictionary attacks given today's faster computing equipment (CWE-327). Use a different algorithm, such as SHA-256, with a larger, non-repeating salt.
  crypt_r (phrase, testcases[i].setting, &cd);
data/libxcrypt-4.4.17/lib/crypt-pbkdf1-sha1.c:235:33: [3] (random) random: This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  rounds = (uint32_t) (count - (random % (count / 4)));
data/libxcrypt-4.4.17/lib/alg-des.c:75:29: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  const unsigned char key[MIN_SIZE(8)])
data/libxcrypt-4.4.17/lib/alg-des.h:59:41: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  const unsigned char key[MIN_SIZE(8)]);
data/libxcrypt-4.4.17/lib/alg-gost3411-2012-const.h:269:23: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static const unsigned char Tau[64] = {
data/libxcrypt-4.4.17/lib/alg-gost3411-2012-const.h:280:23: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static const unsigned char Pi[256] = {
data/libxcrypt-4.4.17/lib/alg-gost3411-2012-core.c:183:5: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(&(CTX->hash), &(CTX->h), sizeof (uint512_u));
data/libxcrypt-4.4.17/lib/alg-gost3411-2012-core.c:196:9: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(&CTX->buffer[CTX->bufsize], data, chunksize);
data/libxcrypt-4.4.17/lib/alg-gost3411-2012-core.c:219:9: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(&CTX->buffer, data, len);
data/libxcrypt-4.4.17/lib/alg-gost3411-2012-core.c:232:9: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(digest, &(CTX->hash.QWORD[4]), 32);
data/libxcrypt-4.4.17/lib/alg-gost3411-2012-core.c:234:9: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(digest, &(CTX->hash.QWORD[0]), 64);
data/libxcrypt-4.4.17/lib/alg-gost3411-2012-core.h:31:14: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char buffer[64];
data/libxcrypt-4.4.17/lib/alg-gost3411-2012-hmac.h:33:12: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char pad[GOSTR3411_2012_B]; /* ipad and opad */
data/libxcrypt-4.4.17/lib/alg-gost3411-2012-hmac.h:34:12: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char kstar[GOSTR3411_2012_B]; /* derived key */
data/libxcrypt-4.4.17/lib/alg-gost3411-2012-hmac.h:35:12: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char digest[GOSTR3411_2012_L];
data/libxcrypt-4.4.17/lib/alg-hmac-sha1.c:69:12: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char tk[HASH_LENGTH];
data/libxcrypt-4.4.17/lib/alg-md4.c:213:4: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(&ctx->buffer[used], data, size);
data/libxcrypt-4.4.17/lib/alg-md4.c:217:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(&ctx->buffer[used], data, available);
data/libxcrypt-4.4.17/lib/alg-md4.c:228:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(ctx->buffer, data, size);
data/libxcrypt-4.4.17/lib/alg-md5.c:234:4: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(&ctx->buffer[used], data, size);
data/libxcrypt-4.4.17/lib/alg-md5.c:238:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(&ctx->buffer[used], data, available);
data/libxcrypt-4.4.17/lib/alg-md5.c:249:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(ctx->buffer, data, size);
data/libxcrypt-4.4.17/lib/alg-sha1.c:113:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy (&block, buffer, 64);
data/libxcrypt-4.4.17/lib/alg-sha1.c:241:7: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy (&ctx->buffer[j], buffer, (i = 64-j));
data/libxcrypt-4.4.17/lib/alg-sha1.c:248:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy (&ctx->buffer[j], (const uint8_t *)buffer + i, size - i);
data/libxcrypt-4.4.17/lib/alg-sha256.c:145:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(S, state, 32);
data/libxcrypt-4.4.17/lib/alg-sha256.c:217:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(&ctx->buf[r], PAD, 56 - r);
data/libxcrypt-4.4.17/lib/alg-sha256.c:220:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(&ctx->buf[r], PAD, 64 - r);
data/libxcrypt-4.4.17/lib/alg-sha256.c:252:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(ctx->state, initial_state, sizeof(initial_state));
data/libxcrypt-4.4.17/lib/alg-sha256.c:278:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(&ctx->buf[r], src, len);
data/libxcrypt-4.4.17/lib/alg-sha256.c:283:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(&ctx->buf[r], src, 64 - r);
data/libxcrypt-4.4.17/lib/alg-sha256.c:296:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(ctx->buf, src, len);
data/libxcrypt-4.4.17/lib/alg-sha256.c:605:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(&PShctx, &Phctx, sizeof(HMAC_SHA256_CTX));
data/libxcrypt-4.4.17/lib/alg-sha256.c:614:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(&hctx, &PShctx, sizeof(HMAC_SHA256_CTX));
data/libxcrypt-4.4.17/lib/alg-sha256.c:620:4: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(U, T, 32);
data/libxcrypt-4.4.17/lib/alg-sha256.c:624:5: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(&hctx, &Phctx, sizeof(HMAC_SHA256_CTX));
data/libxcrypt-4.4.17/lib/alg-sha256.c:638:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(&buf[i * 32], T, clen);
data/libxcrypt-4.4.17/lib/alg-sha512.c:38:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy((void *)dst, (const void *)src, (size_t)len)
data/libxcrypt-4.4.17/lib/alg-sha512.c:42:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy((void *)dst, (const void *)src, (size_t)len)
data/libxcrypt-4.4.17/lib/alg-sha512.c:151:51: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  SHA512_Transform(uint64_t * state, const unsigned char block[SHA512_BLOCK_LENGTH])
data/libxcrypt-4.4.17/lib/alg-sha512.c:161:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(S, state, SHA512_DIGEST_LENGTH);
data/libxcrypt-4.4.17/lib/alg-sha512.c:207:23: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static const unsigned char PAD[SHA512_BLOCK_LENGTH] = {
data/libxcrypt-4.4.17/lib/alg-sha512.c:230:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(&ctx->buf[r], PAD, 112 - r);
data/libxcrypt-4.4.17/lib/alg-sha512.c:233:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(&ctx->buf[r], PAD, 128 - r);
data/libxcrypt-4.4.17/lib/alg-sha512.c:288:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(&ctx->buf[r], src, len);
data/libxcrypt-4.4.17/lib/alg-sha512.c:293:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(&ctx->buf[r], src, SHA512_BLOCK_LENGTH - r);
data/libxcrypt-4.4.17/lib/alg-sha512.c:306:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(ctx->buf, src, len);
data/libxcrypt-4.4.17/lib/alg-sha512.c:314:23: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  SHA512_Final(unsigned char digest[MIN_SIZE(SHA512_DIGEST_LENGTH)],
data/libxcrypt-4.4.17/lib/alg-sha512.c:334:11: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char digest[MIN_SIZE(SHA512_DIGEST_LENGTH)])
data/libxcrypt-4.4.17/lib/alg-yescrypt-common.c:268:11: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char f[32 + 4];
data/libxcrypt-4.4.17/lib/alg-yescrypt-common.c:329:11: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char saltbin[64], hashbin[32];
data/libxcrypt-4.4.17/lib/alg-yescrypt-common.c:460:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(dst, setting, prefixlen + saltstrlen);
data/libxcrypt-4.4.17/lib/alg-yescrypt-common.c:501:11: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char saltbin[64], hashbin[32];
data/libxcrypt-4.4.17/lib/alg-yescrypt-opt.c:1354:4: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(buf, dk, clen);
data/libxcrypt-4.4.17/lib/alg-yescrypt.h:151:11: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char uc[32];
data/libxcrypt-4.4.17/lib/crypt-bcrypt.c:372:23: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static const unsigned char BF_itoa64[64 + 1] =
data/libxcrypt-4.4.17/lib/crypt-bcrypt.c:375:23: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static const unsigned char BF_atoi64[0x60] =
data/libxcrypt-4.4.17/lib/crypt-bcrypt.c:671:23: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static const unsigned char flags_by_subtype[26] =
data/libxcrypt-4.4.17/lib/crypt-bcrypt.c:711:12: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char re_output[BF_HASH_LENGTH];
data/libxcrypt-4.4.17/lib/crypt-bcrypt.c:712:12: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char st_output[BF_HASH_LENGTH + 2];
data/libxcrypt-4.4.17/lib/crypt-bcrypt.c:836:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy (output, setting, BF_SETTING_LENGTH - 1);
data/libxcrypt-4.4.17/lib/crypt-bcrypt.c:899:16: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static const char *const test_hashes[2] =
data/libxcrypt-4.4.17/lib/crypt-bcrypt.c:905:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char test_setting[BF_SETTING_LENGTH];
data/libxcrypt-4.4.17/lib/crypt-bcrypt.c:910:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy (test_setting, test_setting_init, BF_SETTING_LENGTH);
data/libxcrypt-4.4.17/lib/crypt-bcrypt.c:941:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy (output, buffer->re_output, BF_HASH_LENGTH);
data/libxcrypt-4.4.17/lib/crypt-bcrypt.c:968:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(aligned_rbytes, rbytes, 16);
data/libxcrypt-4.4.17/lib/crypt-common.c:23:16: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  const unsigned char ascii64[65] =
data/libxcrypt-4.4.17/lib/crypt-common.c:40:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy (dst, src, s_size);
data/libxcrypt-4.4.17/lib/crypt-common.h:27:23: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  extern const unsigned char ascii64[65];
data/libxcrypt-4.4.17/lib/crypt-des-obsolete.c:81:14: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unpack_bits (char bytev[64], const unsigned char bitv[8])
data/libxcrypt-4.4.17/lib/crypt-des-obsolete.c:81:45: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unpack_bits (char bytev[64], const unsigned char bitv[8])
data/libxcrypt-4.4.17/lib/crypt-des-obsolete.c:93:21: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  pack_bits (unsigned char bitv[8], const char bytev[64])
data/libxcrypt-4.4.17/lib/crypt-des-obsolete.c:93:41: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  pack_bits (unsigned char bitv[8], const char bytev[64])
data/libxcrypt-4.4.17/lib/crypt-des-obsolete.c:117:12: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char bkey[8];
data/libxcrypt-4.4.17/lib/crypt-des-obsolete.c:143:12: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char bin[8], bout[8];
data/libxcrypt-4.4.17/lib/crypt-des.c:366:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy (cp, setting, 9);
data/libxcrypt-4.4.17/lib/crypt-gensalt-static.c:29:10: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char output[CRYPT_GENSALT_OUTPUT_SIZE];
data/libxcrypt-4.4.17/lib/crypt-md5.c:187:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy (cp, md5_salt_prefix, sizeof (md5_salt_prefix) - 1);
data/libxcrypt-4.4.17/lib/crypt-md5.c:190:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy (cp, salt, salt_size);
data/libxcrypt-4.4.17/lib/crypt-nthash.c:46:12: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char hash[MD4_HASHLEN];
data/libxcrypt-4.4.17/lib/crypt-sha256.c:75:34: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char block[32], size_t len)
data/libxcrypt-4.4.17/lib/crypt-sha256.c:256:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy (cp, sha256_salt_prefix, sizeof (sha256_salt_prefix) - 1);
data/libxcrypt-4.4.17/lib/crypt-sha256.c:267:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy (cp, salt, salt_size);
data/libxcrypt-4.4.17/lib/crypt-sha512.c:75:41: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  sha512_process_recycled_bytes (unsigned char block[64], size_t len,
data/libxcrypt-4.4.17/lib/crypt-sha512.c:260:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy (cp, sha512_salt_prefix, sizeof (sha512_salt_prefix) - 1);
data/libxcrypt-4.4.17/lib/crypt-sha512.c:271:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy (cp, salt, salt_size);
data/libxcrypt-4.4.17/lib/crypt-static.c:49:10: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char retval[3];
data/libxcrypt-4.4.17/lib/crypt-sunmd5.c:165:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char rn[16];
data/libxcrypt-4.4.17/lib/crypt-sunmd5.c:259:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy (output, setting, saltlen);
data/libxcrypt-4.4.17/lib/crypt.c:35:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char alignas (alignof (max_align_t)) alg_specific[ALG_SPECIFIC_SIZE];
data/libxcrypt-4.4.17/lib/crypt.c:253:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char internal_rbytes[UCHAR_MAX];
data/libxcrypt-4.4.17/lib/randombytes.c:132:16: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  int fd = open ("/dev/urandom", O_RDONLY|O_CLOEXEC);
data/libxcrypt-4.4.17/test/alg-des.c:17:25: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  v_print (const unsigned char v[8])
data/libxcrypt-4.4.17/test/alg-des.c:25:63: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  const struct des_testcase *tc, const unsigned char got[8])
data/libxcrypt-4.4.17/test/alg-des.c:44:12: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char got[8];
data/libxcrypt-4.4.17/test/alg-gost3411-2012-hmac.c:34:37: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  printf("%02x", ((const unsigned char *)ptr)[i]);
data/libxcrypt-4.4.17/test/alg-gost3411-2012.c:34:37: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  printf("%02x", ((const unsigned char *)ptr)[i]);
data/libxcrypt-4.4.17/test/alg-gost3411-2012.c:47:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char dgt[32 * 2 + 1];
data/libxcrypt-4.4.17/test/alg-gost3411-2012.c:49:5: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(&dgt[i * 2], "%02x", digest[i]);
data/libxcrypt-4.4.17/test/alg-gost3411-2012.c:85:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char dgt[64 * 2 + 1];
data/libxcrypt-4.4.17/test/alg-gost3411-2012.c:87:5: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(&dgt[i * 2], "%02x", digest[i]);
data/libxcrypt-4.4.17/test/alg-hmac-sha1.c:50:13: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  (void)sprintf (&buf[i*2], "%02x", (unsigned char)data[i]);
data/libxcrypt-4.4.17/test/alg-hmac-sha1.c:148:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char digest[HASH_LENGTH];
data/libxcrypt-4.4.17/test/alg-hmac-sha1.c:149:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char kbuf[BUFSIZ];
data/libxcrypt-4.4.17/test/alg-hmac-sha1.c:150:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char dbuf[BUFSIZ];
data/libxcrypt-4.4.17/test/alg-hmac-sha1.c:159:7: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy (dbuf, "0x", 2);
data/libxcrypt-4.4.17/test/alg-md4.c:11:9: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  const char result[16];
data/libxcrypt-4.4.17/test/alg-md4.c:47:29: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  report_failure(int n, const char *tag,
data/libxcrypt-4.4.17/test/alg-md4.c:48:22: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  const char expected[16], uint8_t actual[16])
data/libxcrypt-4.4.17/test/alg-md5.c:11:9: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  const char result[16];
data/libxcrypt-4.4.17/test/alg-md5.c:54:29: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  report_failure(int n, const char *tag,
data/libxcrypt-4.4.17/test/alg-md5.c:55:22: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  const char expected[16], uint8_t actual[16])
data/libxcrypt-4.4.17/test/alg-md5.c:109:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf[1000];
data/libxcrypt-4.4.17/test/alg-md5.c:115:16: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static const char expected[64] =
data/libxcrypt-4.4.17/test/alg-sha1.c:15:7: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  const char *test_data[3] =
data/libxcrypt-4.4.17/test/alg-sha1.c:22:7: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  const char *test_results[3] =
data/libxcrypt-4.4.17/test/alg-sha1.c:35:7: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf (output, "%02x", *digest);
data/libxcrypt-4.4.17/test/alg-sha1.c:48:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char output[80];
data/libxcrypt-4.4.17/test/alg-sha1.c:83:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf[1000];
data/libxcrypt-4.4.17/test/alg-sha256.c:12:9: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  const char result[32];
data/libxcrypt-4.4.17/test/alg-sha256.c:63:29: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  report_failure(int n, const char *tag,
data/libxcrypt-4.4.17/test/alg-sha256.c:64:22: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  const char expected[32], uint8_t actual[32])
data/libxcrypt-4.4.17/test/alg-sha256.c:115:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf[1000];
data/libxcrypt-4.4.17/test/alg-sha256.c:121:16: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static const char expected[32] =
data/libxcrypt-4.4.17/test/alg-sha512.c:11:9: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  const char result[64];
data/libxcrypt-4.4.17/test/alg-sha512.c:86:29: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  report_failure(int n, const char *tag,
data/libxcrypt-4.4.17/test/alg-sha512.c:87:22: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  const char expected[64], const uint8_t actual[64])
data/libxcrypt-4.4.17/test/alg-sha512.c:142:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf[1000];
data/libxcrypt-4.4.17/test/alg-sha512.c:148:16: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static const char expected[64] =
data/libxcrypt-4.4.17/test/badsalt.c:392:7: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy (p, t->setting, l_setting + 1);
data/libxcrypt-4.4.17/test/badsalt.c:401:7: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char goodhash[CRYPT_OUTPUT_SIZE];
data/libxcrypt-4.4.17/test/badsalt.c:414:7: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy (goodhash, result, l_hash + 1);
data/libxcrypt-4.4.17/test/badsalt.c:417:7: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy (p, goodhash, l_hash + 1);
data/libxcrypt-4.4.17/test/badsalt.c:426:7: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy (p, goodhash, t->plen);
data/libxcrypt-4.4.17/test/badsalt.c:434:7: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy (p, goodhash, t->plen);
data/libxcrypt-4.4.17/test/badsalt.c:457:11: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy (p, goodhash, plen - i);
data/libxcrypt-4.4.17/test/badsetting.c:244:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char obuf[CRYPT_GENSALT_OUTPUT_SIZE];
data/libxcrypt-4.4.17/test/badsetting.c:277:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char s[2];
data/libxcrypt-4.4.17/test/badsetting.c:300:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char s[3];
data/libxcrypt-4.4.17/test/byteorder.c:26:12: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char bytes[4];
data/libxcrypt-4.4.17/test/byteorder.c:32:12: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char bytes[8];
data/libxcrypt-4.4.17/test/byteorder.c:52:12: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char x[4];
data/libxcrypt-4.4.17/test/byteorder.c:99:12: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char x[4];
data/libxcrypt-4.4.17/test/byteorder.c:150:12: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char x[8];
data/libxcrypt-4.4.17/test/byteorder.c:207:12: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char x[8];
data/libxcrypt-4.4.17/test/checksalt.c:129:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char gs_out[CRYPT_GENSALT_OUTPUT_SIZE] = "";
data/libxcrypt-4.4.17/test/checksalt.c:187:11: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char bigcrypt_prefix[CRYPT_GENSALT_OUTPUT_SIZE];
data/libxcrypt-4.4.17/test/checksalt.c:189:11: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy (bigcrypt_prefix, testcases[i].prefix, 2);
data/libxcrypt-4.4.17/test/crypt-badargs.c:207:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy (page + pagesize - (sizeof phrase - 1), phrase, sizeof phrase - 1);
data/libxcrypt-4.4.17/test/crypt-badargs.c:280:7: [2] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string.
  strcpy (page, "p1.'");
data/libxcrypt-4.4.17/test/crypt-badargs.c:282:7: [2] (buffer) strcat: Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant string.
  strcat (page, "'.crypt");
data/libxcrypt-4.4.17/test/crypt-badargs.c:284:7: [2] (buffer) strcat: Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant string.
  strcat (page, "_r");
data/libxcrypt-4.4.17/test/crypt-badargs.c:291:7: [2] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string.
  strcpy (page, "p2.'");
data/libxcrypt-4.4.17/test/crypt-badargs.c:293:7: [2] (buffer) strcat: Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant string.
  strcat (page, "'.crypt");
data/libxcrypt-4.4.17/test/crypt-badargs.c:295:7: [2] (buffer) strcat: Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant string.
  strcat (page, "_r");
data/libxcrypt-4.4.17/test/crypt-badargs.c:312:12: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  p1 = memcpy (page + pagesize - strlen (settings[i]),
data/libxcrypt-4.4.17/test/crypt-badargs.c:315:7: [2] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string.
  strcpy (page, "ph.'");
data/libxcrypt-4.4.17/test/crypt-badargs.c:317:7: [2] (buffer) strcat: Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant string.
  strcat (page, ".crypt");
data/libxcrypt-4.4.17/test/crypt-badargs.c:319:7: [2] (buffer) strcat: Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant string.
  strcat (page, "_r");
data/libxcrypt-4.4.17/test/crypt-gost-yescrypt.c:60:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char output[CRYPT_OUTPUT_SIZE];
data/libxcrypt-4.4.17/test/crypt-gost-yescrypt.c:61:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char pass[CRYPT_MAX_PASSPHRASE_SIZE];
data/libxcrypt-4.4.17/test/crypt-gost-yescrypt.c:62:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char pref[CRYPT_GENSALT_OUTPUT_SIZE];
data/libxcrypt-4.4.17/test/crypt-gost-yescrypt.c:63:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char scratch[ALG_SPECIFIC_SIZE];
data/libxcrypt-4.4.17/test/des-cases.h:15:12: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char key[8];
data/libxcrypt-4.4.17/test/des-cases.h:16:12: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char plain[8];
data/libxcrypt-4.4.17/test/des-cases.h:17:12: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char answer[8];
data/libxcrypt-4.4.17/test/des-obsolete.c:23:18: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  expand (unsigned char ex[64], const unsigned char pk[8])
data/libxcrypt-4.4.17/test/des-obsolete.c:23:46: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  expand (unsigned char ex[64], const unsigned char pk[8])
data/libxcrypt-4.4.17/test/des-obsolete.c:39:26: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  ex_print (const unsigned char ex[64])
data/libxcrypt-4.4.17/test/des-obsolete.c:54:26: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
pk_print (const unsigned char pk[8]) data/libxcrypt-4.4.17/test/des-obsolete.c:62:63: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. const struct des_testcase *tc, const unsigned char got[64]) data/libxcrypt-4.4.17/test/des-obsolete.c:79:12: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. unsigned char key[64], plain[64], cipher[64], answer[64]; data/libxcrypt-4.4.17/test/des-obsolete.c:92:7: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy (cipher, plain, 64); data/libxcrypt-4.4.17/test/des-obsolete.c:101:7: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy (cipher, answer, 64); data/libxcrypt-4.4.17/test/des-obsolete.c:118:12: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. unsigned char key[64], plain[64], cipher[64], answer[64]; data/libxcrypt-4.4.17/test/des-obsolete.c:143:7: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. 
memcpy (cipher, plain, 64); data/libxcrypt-4.4.17/test/des-obsolete_r.c:23:18: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. expand (unsigned char ex[64], const unsigned char pk[8]) data/libxcrypt-4.4.17/test/des-obsolete_r.c:23:46: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. expand (unsigned char ex[64], const unsigned char pk[8]) data/libxcrypt-4.4.17/test/des-obsolete_r.c:39:26: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. ex_print (const unsigned char ex[64]) data/libxcrypt-4.4.17/test/des-obsolete_r.c:54:26: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. pk_print (const unsigned char pk[8]) data/libxcrypt-4.4.17/test/des-obsolete_r.c:62:63: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. 
const struct des_testcase *tc, const unsigned char got[64]) data/libxcrypt-4.4.17/test/des-obsolete_r.c:79:12: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. unsigned char key[64], plain[64], cipher[64], answer[64]; data/libxcrypt-4.4.17/test/des-obsolete_r.c:93:7: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy (cipher, plain, 64); data/libxcrypt-4.4.17/test/des-obsolete_r.c:102:7: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy (cipher, answer, 64); data/libxcrypt-4.4.17/test/des-obsolete_r.c:119:12: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. unsigned char key[64], plain[64], cipher[64], answer[64]; data/libxcrypt-4.4.17/test/des-obsolete_r.c:145:7: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy (cipher, plain, 64); data/libxcrypt-4.4.17/test/gensalt-extradata.c:89:24: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. 
do_crypt_gensalt(const char *prefix, data/libxcrypt-4.4.17/test/gensalt-extradata.c:90:24: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. const char rbytes[MIN_SIZE(N_RBYTES)], data/libxcrypt-4.4.17/test/gensalt-extradata.c:92:18: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char outbuf[MIN_SIZE(CRYPT_GENSALT_OUTPUT_SIZE)]) data/libxcrypt-4.4.17/test/gensalt-extradata.c:128:22: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. do_check_equal(const char *stst, const char *sref, data/libxcrypt-4.4.17/test/gensalt-extradata.c:128:40: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. do_check_equal(const char *stst, const char *sref, data/libxcrypt-4.4.17/test/gensalt-extradata.c:129:22: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. 
const char *prefix, const char rbytes[N_RBYTES], data/libxcrypt-4.4.17/test/gensalt-extradata.c:129:42: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. const char *prefix, const char rbytes[N_RBYTES], data/libxcrypt-4.4.17/test/gensalt-extradata.c:147:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char sref[6][CRYPT_GENSALT_OUTPUT_SIZE]; data/libxcrypt-4.4.17/test/gensalt-extradata.c:148:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char stst[CRYPT_GENSALT_OUTPUT_SIZE]; data/libxcrypt-4.4.17/test/gensalt-nthash.c:30:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char output[CRYPT_GENSALT_OUTPUT_SIZE]; data/libxcrypt-4.4.17/test/gensalt.c:407:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. 
char output[CRYPT_GENSALT_OUTPUT_SIZE]; data/libxcrypt-4.4.17/test/gensalt.c:408:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char prev_output[CRYPT_GENSALT_OUTPUT_SIZE]; data/libxcrypt-4.4.17/test/getrandom-fallbacks.c:257:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[257]; data/libxcrypt-4.4.17/test/getrandom-fallbacks.c:258:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char expected[2] = { 0, 0 }; data/libxcrypt-4.4.17/test/getrandom-interface.c:77:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char prev[251]; data/libxcrypt-4.4.17/test/getrandom-interface.c:94:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy (prev, page + pagesize - 251, 251); data/libxcrypt-4.4.17/test/ka-tester.c:180:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. 
char pass[CRYPT_MAX_PASSPHRASE_SIZE + 1]; data/libxcrypt-4.4.17/test/preferred-method.c:40:7: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char gs[CRYPT_GENSALT_OUTPUT_SIZE]; data/libxcrypt-4.4.17/test/short-outbuf.c:43:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char result[5]; data/libxcrypt-4.4.17/test/short-outbuf.c:57:11: [2] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string. strcpy (result, "PASS"); data/libxcrypt-4.4.17/test/short-outbuf.c:61:11: [2] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string. strcpy (result, "FAIL"); data/libxcrypt-4.4.17/test/short-outbuf.c:72:11: [2] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string. strcpy (result, "PASS"); data/libxcrypt-4.4.17/test/short-outbuf.c:76:11: [2] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string. 
strcpy (result, "FAIL"); data/libxcrypt-4.4.17/lib/alg-yescrypt-common.c:426:16: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). saltstrlen = strlen((char *)saltstr); data/libxcrypt-4.4.17/lib/alg-yescrypt-common.c:489:14: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). passwd, strlen((char *)passwd), setting, NULL, buf, sizeof(buf)); data/libxcrypt-4.4.17/lib/alg-yescrypt-common.c:523:6: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). strlen((char *)hashstart) != HASH_LEN) data/libxcrypt-4.4.17/lib/crypt-common.c:38:25: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). const size_t s_size = strlen ((const char *) src); data/libxcrypt-4.4.17/lib/crypt-gost-yescrypt.c:77:32: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). memmove (output + 1, output, strlen ((const char *) output) + 1); data/libxcrypt-4.4.17/lib/crypt-gost-yescrypt.c:146:54: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (!decode64 (intbuf->y, &ylen, (uint8_t *) hptr, strlen (hptr)) || data/libxcrypt-4.4.17/lib/crypt-nthash.c:65:19: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). 
if ((out_size < strlen (magic) + MD4_HASHLEN * 2 + 1) || data/libxcrypt-4.4.17/lib/crypt-nthash.c:72:32: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (strncmp (setting, magic, strlen (magic))) data/libxcrypt-4.4.17/lib/crypt-nthash.c:119:16: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (o_size < strlen (prefix) + 1) data/libxcrypt-4.4.17/lib/crypt-pbkdf1-sha1.c:99:20: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if ((out_size < (strlen (magic) + 2 + 10 + CRYPT_SHA1_SALT_LENGTH + data/libxcrypt-4.4.17/lib/crypt-pbkdf1-sha1.c:125:32: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (strncmp (setting, magic, strlen (magic))) data/libxcrypt-4.4.17/lib/crypt-pbkdf1-sha1.c:131:14: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). setting += strlen (magic); data/libxcrypt-4.4.17/lib/crypt.c:124:21: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). size_t phr_size = strlen (phrase); data/libxcrypt-4.4.17/lib/crypt.c:125:21: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). size_t set_size = strlen (setting); data/libxcrypt-4.4.17/lib/randombytes.c:137:27: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). 
ssize_t nread = read (fd, buf, buflen); data/libxcrypt-4.4.17/test/alg-gost3411-2012.c:45:36: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). gost_hash256((const uint8_t *)t, strlen(t), digest, &ctx); data/libxcrypt-4.4.17/test/alg-gost3411-2012.c:54:30: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). printf(" t[%zu] = ", strlen(t)); data/libxcrypt-4.4.17/test/alg-gost3411-2012.c:55:18: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). dumphex(t, strlen(t)); data/libxcrypt-4.4.17/test/alg-gost3411-2012.c:59:14: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). strlen(match) / 2, match); data/libxcrypt-4.4.17/test/alg-gost3411-2012.c:72:16: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). size_t len = strlen(t); data/libxcrypt-4.4.17/test/alg-gost3411-2012.c:92:30: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). printf(" t[%zu] = ", strlen(t)); data/libxcrypt-4.4.17/test/alg-gost3411-2012.c:93:18: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). 
dumphex(t, strlen(t)); data/libxcrypt-4.4.17/test/alg-gost3411-2012.c:97:14: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). strlen(match) / 2, match); data/libxcrypt-4.4.17/test/alg-hmac-sha1.c:62:14: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). nbytes = strlen (data); data/libxcrypt-4.4.17/test/alg-hmac-sha1.c:82:39: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). char_to_bin (b, sizeof(b), v, strlen(v)); \ data/libxcrypt-4.4.17/test/alg-hmac-sha1.c:158:59: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). (const uint8_t *)test->key, strlen(test->key), digest); data/libxcrypt-4.4.17/test/alg-md4.c:81:43: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). MD4_Update (&ctx, tests[cnt].input, strlen (tests[cnt].input)); data/libxcrypt-4.4.17/test/alg-md5.c:88:43: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). MD5_Update (&ctx, tests[cnt].input, strlen (tests[cnt].input)); data/libxcrypt-4.4.17/test/alg-pbkdf-hmac-sha256.c:205:32: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). 
HMAC_SHA256_Buf (t->key, strlen (t->key), data/libxcrypt-4.4.17/test/alg-pbkdf-hmac-sha256.c:206:36: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). t->message, strlen (t->message), data/libxcrypt-4.4.17/test/alg-pbkdf-hmac-sha256.c:214:38: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). HMAC_SHA256_Init(&ctx, t->key, strlen (t->key)); data/libxcrypt-4.4.17/test/alg-sha1.c:54:63: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). sha1_process_bytes ((const uint8_t*)test_data[k], &ctx, strlen(test_data[k])); data/libxcrypt-4.4.17/test/alg-sha256.c:96:37: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). SHA256_Buf (tests[cnt].input, strlen (tests[cnt].input), sum); data/libxcrypt-4.4.17/test/alg-sha512.c:123:37: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). SHA512_Buf (tests[cnt].input, strlen (tests[cnt].input), sum); data/libxcrypt-4.4.17/test/alg-yescrypt.c:82:34: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). print_PBKDF2_SHA256_raw(passwd, strlen(passwd), salt, strlen(salt), c, data/libxcrypt-4.4.17/test/alg-yescrypt.c:82:56: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). 
print_PBKDF2_SHA256_raw(passwd, strlen(passwd), salt, strlen(salt), c, data/libxcrypt-4.4.17/test/alg-yescrypt.c:101:46: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (crypto_scrypt((const uint8_t *) passwd, strlen(passwd), data/libxcrypt-4.4.17/test/alg-yescrypt.c:102:30: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). (const uint8_t *) salt, strlen(salt), N, r, p, dk, sizeof(dk))) { data/libxcrypt-4.4.17/test/alg-yescrypt.c:141:32: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). (const uint8_t *) passwd, strlen(passwd), data/libxcrypt-4.4.17/test/alg-yescrypt.c:142:30: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). (const uint8_t *) salt, strlen(salt), &params, dk, dklen)) { data/libxcrypt-4.4.17/test/badsalt.c:250:22: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). size_t l_setting = strlen (setting); data/libxcrypt-4.4.17/test/badsalt.c:384:22: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). size_t l_setting = strlen (t->setting); data/libxcrypt-4.4.17/test/badsalt.c:411:23: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). 
size_t l_hash = strlen (result); data/libxcrypt-4.4.17/test/checksalt.c:184:34: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (testcases[i].prefix && strlen (testcases[i].prefix) == 2) data/libxcrypt-4.4.17/test/checksalt.c:190:11: [1] (buffer) strncpy: Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120). strncpy (bigcrypt_prefix + 2, pad, gs_len - 2); data/libxcrypt-4.4.17/test/checksalt.c:211:11: [1] (buffer) strncpy: Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120). strncpy (gs_out + 2, pad, gs_len - 2); data/libxcrypt-4.4.17/test/crypt-badargs.c:286:7: [1] (buffer) strcat: Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant character. strcat (page, "n"); data/libxcrypt-4.4.17/test/crypt-badargs.c:288:13: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). page [strlen (page) - 1] = 'a'; data/libxcrypt-4.4.17/test/crypt-badargs.c:297:7: [1] (buffer) strcat: Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant character. strcat (page, "n"); data/libxcrypt-4.4.17/test/crypt-badargs.c:299:13: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). 
page [strlen (page) - 1] = 'a'; data/libxcrypt-4.4.17/test/crypt-badargs.c:312:38: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). p1 = memcpy (page + pagesize - strlen (settings[i]), data/libxcrypt-4.4.17/test/crypt-badargs.c:313:33: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). settings[i], strlen (settings[i])); data/libxcrypt-4.4.17/test/crypt-badargs.c:321:7: [1] (buffer) strcat: Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant character. strcat (page, "n"); data/libxcrypt-4.4.17/test/crypt-badargs.c:323:13: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). page [strlen (page) - 1] = 'a'; data/libxcrypt-4.4.17/test/crypt-gost-yescrypt.c:70:48: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). salt = crypt_gensalt ("$gy$", 0, pref, (int) strlen(pref) + 1); data/libxcrypt-4.4.17/test/crypt-gost-yescrypt.c:76:33: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). crypt_gost_yescrypt_rn (pass, strlen (pass), salt, strlen (salt), data/libxcrypt-4.4.17/test/crypt-gost-yescrypt.c:76:54: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). 
crypt_gost_yescrypt_rn (pass, strlen (pass), salt, strlen (salt), data/libxcrypt-4.4.17/test/crypt-gost-yescrypt.c:90:16: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). size_t len = strlen(h); data/libxcrypt-4.4.17/test/gensalt.c:435:25: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). size_t slen = strlen (salt); data/libxcrypt-4.4.17/test/gensalt.c:447:50: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). else if (strncmp (salt, tcase->prefix, strlen (tcase->prefix))) data/libxcrypt-4.4.17/test/ka-tester.c:191:7: [1] (buffer) strncpy: Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120). strncpy(u.pass + 1, t->input, CRYPT_MAX_PASSPHRASE_SIZE); data/libxcrypt-4.4.17/test/ka-tester.c:192:32: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). printf("[%zu]: %s %s\n", strlen(t->input), data/libxcrypt-4.4.17/test/preferred-method.c:45:28: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (strncmp (gs, pm, strlen (pm))) data/libxcrypt-4.4.17/test/preferred-method.c:74:28: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). 
if (strncmp (gs, pm, strlen (pm))) data/libxcrypt-4.4.17/test/preferred-method.c:104:35: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (strncmp (cd.output, pm, strlen (pm))) data/libxcrypt-4.4.17/test/short-outbuf.c:70:51: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (!strncmp (testcases[i].exp_ra, *outbuf, strlen(*outbuf)))

ANALYSIS SUMMARY:

Hits = 297
Lines analyzed = 24509 in approximately 1.14 seconds (21475 lines/second)
Physical Source Lines of Code (SLOC) = 18899
Hits@level = [0] 268 [1] 66 [2] 207 [3] 1 [4] 23 [5] 0
Hits@level+ = [0+] 565 [1+] 297 [2+] 231 [3+] 24 [4+] 23 [5+] 0
Hits/KSLOC@level+ = [0+] 29.8958 [1+] 15.7151 [2+] 12.2229 [3+] 1.26991 [4+] 1.217 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.