Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/ocaml-graphics-5.1.0/src/unix/color.c
Examining data/ocaml-graphics-5.1.0/src/unix/draw.c
Examining data/ocaml-graphics-5.1.0/src/unix/dump_img.c
Examining data/ocaml-graphics-5.1.0/src/unix/events.c
Examining data/ocaml-graphics-5.1.0/src/unix/fill.c
Examining data/ocaml-graphics-5.1.0/src/unix/image.c
Examining data/ocaml-graphics-5.1.0/src/unix/image.h
Examining data/ocaml-graphics-5.1.0/src/unix/libgraph.h
Examining data/ocaml-graphics-5.1.0/src/unix/make_img.c
Examining data/ocaml-graphics-5.1.0/src/unix/open.c
Examining data/ocaml-graphics-5.1.0/src/unix/point_col.c
Examining data/ocaml-graphics-5.1.0/src/unix/sound.c
Examining data/ocaml-graphics-5.1.0/src/unix/subwindow.c
Examining data/ocaml-graphics-5.1.0/src/unix/text.c
Examining data/ocaml-graphics-5.1.0/src/win32/draw.c
Examining data/ocaml-graphics-5.1.0/src/win32/events.c
Examining data/ocaml-graphics-5.1.0/src/win32/libgraph.h
Examining data/ocaml-graphics-5.1.0/src/win32/open.c

FINAL RESULTS:

data/ocaml-graphics-5.1.0/src/unix/open.c:380:3:  [4] (format) sprintf:
  Potential format string problem (CWE-134). Make format string constant.
  sprintf(buffer, fmt, arg);
data/ocaml-graphics-5.1.0/src/win32/open.c:366:3:  [4] (format) sprintf:
  Potential format string problem (CWE-134). Make format string constant.
  sprintf(buffer, fmt, arg);
data/ocaml-graphics-5.1.0/src/win32/events.c:51:5:  [3] (misc) InitializeCriticalSection:
  Exceptions can be thrown in low-memory situations. Use
  InitializeCriticalSectionAndSpinCount instead.
  InitializeCriticalSection(&caml_gr_queue_mutex);
data/ocaml-graphics-5.1.0/src/win32/events.c:63:3:  [3] (misc) EnterCriticalSection:
  On some versions of Windows, exceptions can be thrown in low-memory
  situations. Use InitializeCriticalSectionAndSpinCount instead.
  EnterCriticalSection(&caml_gr_queue_mutex);
data/ocaml-graphics-5.1.0/src/win32/events.c:134:3:  [3] (misc) EnterCriticalSection:
  On some versions of Windows, exceptions can be thrown in low-memory
  situations. Use InitializeCriticalSectionAndSpinCount instead.
  EnterCriticalSection(&caml_gr_queue_mutex);
data/ocaml-graphics-5.1.0/src/win32/events.c:163:5:  [3] (misc) EnterCriticalSection:
  On some versions of Windows, exceptions can be thrown in low-memory
  situations. Use InitializeCriticalSectionAndSpinCount instead.
  EnterCriticalSection(&caml_gr_queue_mutex);
data/ocaml-graphics-5.1.0/src/unix/events.c:122:7:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char keytxt[256];
data/ocaml-graphics-5.1.0/src/unix/open.c:53:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char display_name[256], geometry_spec[64];
data/ocaml-graphics-5.1.0/src/unix/open.c:235:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char tmp[256];
data/ocaml-graphics-5.1.0/src/unix/open.c:237:3:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(tmp, "%lu", (unsigned long)win);
data/ocaml-graphics-5.1.0/src/unix/open.c:372:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buffer[1024];
data/ocaml-graphics-5.1.0/src/unix/open.c:391:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char errmsg[512];
data/ocaml-graphics-5.1.0/src/unix/text.c:61:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char str[1];
data/ocaml-graphics-5.1.0/src/win32/draw.c:351:9:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char str[1];
data/ocaml-graphics-5.1.0/src/win32/open.c:358:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buffer[1024];
data/ocaml-graphics-5.1.0/src/win32/open.c:53:4:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
  strncpy(CurrentFont.lfFaceName, name, sizeof(CurrentFont.lfFaceName));

ANALYSIS SUMMARY:

Hits = 16
Lines analyzed = 3024 in approximately 0.10 seconds (29310 lines/second)
Physical Source Lines of Code (SLOC) = 2346
Hits@level = [0]   9 [1]   1 [2]   9 [3]   4 [4]   2 [5]   0
Hits@level+ = [0+]  25 [1+]  16 [2+]  15 [3+]   6 [4+]   2 [5+]   0
Hits/KSLOC@level+ = [0+] 10.6564 [1+] 6.82012 [2+] 6.39386 [3+] 2.55754 [4+] 0.852515 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.