Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/osmo-0.4.4/src/vcf.c
Examining data/osmo-0.4.4/src/calendar_notes.c
Examining data/osmo-0.4.4/src/i18n.h
Examining data/osmo-0.4.4/src/backup.h
Examining data/osmo-0.4.4/src/calendar_jumpto.h
Examining data/osmo-0.4.4/src/calendar_calc.c
Examining data/osmo-0.4.4/src/utils_date_time.c
Examining data/osmo-0.4.4/src/calendar.c
Examining data/osmo-0.4.4/src/preferences_gui.c
Examining data/osmo-0.4.4/src/calendar_fullyear.h
Examining data/osmo-0.4.4/src/notes_items.c
Examining data/osmo-0.4.4/src/tasks_preferences_gui.c
Examining data/osmo-0.4.4/src/tasks_items.c
Examining data/osmo-0.4.4/src/about.h
Examining data/osmo-0.4.4/src/utils_date.h
Examining data/osmo-0.4.4/src/notes_preferences_gui.h
Examining data/osmo-0.4.4/src/tasks_utils.c
Examining data/osmo-0.4.4/src/about.c
Examining data/osmo-0.4.4/src/gui.h
Examining data/osmo-0.4.4/src/notes.c
Examining data/osmo-0.4.4/src/utils.c
Examining data/osmo-0.4.4/src/calendar_ical.h
Examining data/osmo-0.4.4/src/contacts.c
Examining data/osmo-0.4.4/src/contacts_items.c
Examining data/osmo-0.4.4/src/calendar_ical.c
Examining data/osmo-0.4.4/src/calendar_fullyear.c
Examining data/osmo-0.4.4/src/contacts_export.c
Examining data/osmo-0.4.4/src/calendar_preferences_gui.h
Examining data/osmo-0.4.4/src/calendar_utils.h
Examining data/osmo-0.4.4/src/utils_time.h
Examining data/osmo-0.4.4/src/contacts.h
Examining data/osmo-0.4.4/src/stock_icons.h
Examining data/osmo-0.4.4/src/utils.h
Examining data/osmo-0.4.4/src/tasks_export.c
Examining data/osmo-0.4.4/src/notes_preferences_gui.c
Examining data/osmo-0.4.4/src/calendar_calc.h
Examining data/osmo-0.4.4/src/contacts_import_csv.h
Examining data/osmo-0.4.4/src/calendar_timeline.c
Examining data/osmo-0.4.4/src/contacts_export.h
Examining data/osmo-0.4.4/src/tasks_preferences_gui.h
Examining data/osmo-0.4.4/src/utils_date_time.h
Examining data/osmo-0.4.4/src/calendar.h
Examining data/osmo-0.4.4/src/contacts_import.h
Examining data/osmo-0.4.4/src/tasks.h
Examining data/osmo-0.4.4/src/tasks.c
Examining data/osmo-0.4.4/src/tasks_print.c
Examining data/osmo-0.4.4/src/utils_gui.c
Examining data/osmo-0.4.4/src/contacts_import_csv.c
Examining data/osmo-0.4.4/src/tasks_print.h
Examining data/osmo-0.4.4/src/options_prefs.h
Examining data/osmo-0.4.4/src/contacts_items.h
Examining data/osmo-0.4.4/src/check_events.c
Examining data/osmo-0.4.4/src/contacts_birthdays.c
Examining data/osmo-0.4.4/src/calendar_print.c
Examining data/osmo-0.4.4/src/calendar_jumpto.c
Examining data/osmo-0.4.4/src/tasks_export.h
Examining data/osmo-0.4.4/src/gtksourceiter.h
Examining data/osmo-0.4.4/src/gtksourceiter.c
Examining data/osmo-0.4.4/src/contacts_import.c
Examining data/osmo-0.4.4/src/gui.c
Examining data/osmo-0.4.4/src/contacts_preferences_gui.h
Examining data/osmo-0.4.4/src/notes_items.h
Examining data/osmo-0.4.4/src/calendar_print.h
Examining data/osmo-0.4.4/src/calendar_widget.c
Examining data/osmo-0.4.4/src/options_prefs.c
Examining data/osmo-0.4.4/src/contacts_preferences_gui.c
Examining data/osmo-0.4.4/src/calendar_timeline.h
Examining data/osmo-0.4.4/src/main.c
Examining data/osmo-0.4.4/src/utils_gui.h
Examining data/osmo-0.4.4/src/backup.c
Examining data/osmo-0.4.4/src/calendar_widget.h
Examining data/osmo-0.4.4/src/vcf.h
Examining data/osmo-0.4.4/src/check_events.h
Examining data/osmo-0.4.4/src/preferences_gui.h
Examining data/osmo-0.4.4/src/notes.h
Examining data/osmo-0.4.4/src/utils_date.c
Examining data/osmo-0.4.4/src/stock_icons.c
Examining data/osmo-0.4.4/src/calendar_preferences_gui.c
Examining data/osmo-0.4.4/src/contacts_birthdays.h
Examining data/osmo-0.4.4/src/calendar_notes.h
Examining data/osmo-0.4.4/src/calendar_utils.c
Examining data/osmo-0.4.4/src/tasks_utils.h
Examining data/osmo-0.4.4/src/tasks_items.h
Examining data/osmo-0.4.4/src/utils_time.c

FINAL RESULTS:

data/osmo-0.4.4/src/contacts_export.c:587:5: [4] (format) vfprintf:
  If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification.
  vfprintf(filehandle, format, arguments);
data/osmo-0.4.4/src/utils.c:1013:5: [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
  strcat (url_path, qURL);
data/osmo-0.4.4/src/vcf.c:227:13: [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
  strcat(buffer, replacement);
data/osmo-0.4.4/src/vcf.c:236:5: [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(string, buffer);
data/osmo-0.4.4/src/vcf.c:282:13: [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(component_buffer, components[i]);
data/osmo-0.4.4/src/vcf.c:284:13: [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
  strcat(buffer, component_buffer);
data/osmo-0.4.4/src/vcf.c:338:13: [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(buffer, content);
data/osmo-0.4.4/src/main.c:378:50: [3] (buffer) g_get_home_dir:
  This function is synonymous with 'getenv("HOME")';it returns untrustable input if the environment can beset by an attacker.
  It can have any content and length, and the same variable can be set more than once (CWE-807, CWE-20). Check environment variables carefully before using them.
  g_snprintf (dirname, PATH_MAX, "%s%c%s", g_get_home_dir(), G_DIR_SEPARATOR, CONFIG_DIR);
data/osmo-0.4.4/src/main.c:382:50: [3] (buffer) g_get_home_dir:
  This function is synonymous with 'getenv("HOME")';it returns untrustable input if the environment can beset by an attacker. It can have any content and length, and the same variable can be set more than once (CWE-807, CWE-20). Check environment variables carefully before using them.
  g_snprintf (dirname, PATH_MAX, "%s%c%s", g_get_home_dir(), G_DIR_SEPARATOR, OLD_CONFIG_DIRNAME);
data/osmo-0.4.4/src/backup.c:77:10: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  fd = open(filename, O_RDONLY);
data/osmo-0.4.4/src/calendar_calc.c:637:1: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char tmpbuf[BUFFER_SIZE];
data/osmo-0.4.4/src/calendar_ical.c:207:18: [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  ics_stream = fopen (filename, "r");
data/osmo-0.4.4/src/calendar_ical.c:610:40: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190).
  If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  disabled = atoi((gchar *) key);
data/osmo-0.4.4/src/calendar_ical.c:617:41: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  desc_flag = atoi((gchar *) key);
data/osmo-0.4.4/src/calendar_ical.c:624:41: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  mark_flag = atoi((gchar *) key);
data/osmo-0.4.4/src/calendar_ical.c:638:71: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  ICAL_COLUMN_FULL_DATE, atoi((gchar *) key), -1);
data/osmo-0.4.4/src/calendar_jumpto.c:77:1: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char tmpbuf[BUFFER_SIZE];
data/osmo-0.4.4/src/calendar_jumpto.c:89:13: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190).
  If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  a = atoi(gtk_entry_get_text(GTK_ENTRY(appGUI->cal->day_entry)));
data/osmo-0.4.4/src/calendar_jumpto.c:108:1: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char tmpbuf[BUFFER_SIZE];
data/osmo-0.4.4/src/calendar_jumpto.c:120:13: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  a = atoi(gtk_entry_get_text(GTK_ENTRY(appGUI->cal->month_entry)));
data/osmo-0.4.4/src/calendar_jumpto.c:143:22: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  appGUI->cal->jday = atoi (gtk_entry_get_text (GTK_ENTRY (appGUI->cal->day_entry)));
data/osmo-0.4.4/src/calendar_jumpto.c:144:24: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  appGUI->cal->jmonth = atoi (gtk_entry_get_text (GTK_ENTRY (appGUI->cal->month_entry)));
data/osmo-0.4.4/src/calendar_jumpto.c:145:23: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  appGUI->cal->jyear = atoi (gtk_entry_get_text (GTK_ENTRY (appGUI->cal->year_entry)));
data/osmo-0.4.4/src/calendar_utils.c:80:1: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char tmpbuf[BUFFER_SIZE];
data/osmo-0.4.4/src/calendar_utils.c:112:22: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  *first = atoi(token);
data/osmo-0.4.4/src/calendar_utils.c:114:23: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  *second = atoi(token);
data/osmo-0.4.4/src/calendar_utils.c:116:22: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  *third = atoi(token);
data/osmo-0.4.4/src/calendar_utils.c:154:27: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  day = atoi(token);
data/osmo-0.4.4/src/calendar_utils.c:158:28: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  year = atoi(token);
data/osmo-0.4.4/src/calendar_widget.c:129:8: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char *default_abbreviated_dayname[7];
data/osmo-0.4.4/src/calendar_widget.c:130:8: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char *default_monthname[12];
data/osmo-0.4.4/src/calendar_widget.c:306:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buffer[255];
data/osmo-0.4.4/src/calendar_widget.c:1456:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buffer[255];
data/osmo-0.4.4/src/calendar_widget.c:1549:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buffer[255];
data/osmo-0.4.4/src/calendar_widget.c:1631:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buffer[32];
data/osmo-0.4.4/src/calendar_widget.c:1943:9: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(&text_color, &calendar->pf_day_color, sizeof(GdkRGBA));
data/osmo-0.4.4/src/calendar_widget.c:1945:9: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(&text_color, &calendar->pf_day_color, sizeof(GdkRGBA));
data/osmo-0.4.4/src/calendar_widget.c:1960:9: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(&text_color, &calendar->day_color, sizeof(GdkRGBA));
data/osmo-0.4.4/src/calendar_widget.c:1965:17: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(&text_color, &calendar->weekend_color, sizeof(GdkRGBA));
data/osmo-0.4.4/src/contacts_export.c:174:25: [2] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant string.
  strcat(tmpbuf, " ");
data/osmo-0.4.4/src/contacts_export.c:217:17: [2] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant string.
  strcat(tmpbuf, " ");
data/osmo-0.4.4/src/gui.c:1487:17: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  fdSTDERRn = open("/dev/null", O_WRONLY);
data/osmo-0.4.4/src/main.c:159:49: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  g_sprintf (appGUI->version, "%02d%02d%02d", atoi(VERSION_MAJOR), atoi(VERSION_MINOR), atoi(VERSION_MICRO));
data/osmo-0.4.4/src/main.c:159:70: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  g_sprintf (appGUI->version, "%02d%02d%02d", atoi(VERSION_MAJOR), atoi(VERSION_MINOR), atoi(VERSION_MICRO));
data/osmo-0.4.4/src/main.c:159:91: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  g_sprintf (appGUI->version, "%02d%02d%02d", atoi(VERSION_MAJOR), atoi(VERSION_MINOR), atoi(VERSION_MICRO));
data/osmo-0.4.4/src/main.c:242:19: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  fhandle = open(prefs_get_runtime_filename (RUN_FLAG_FILE, appGUI), O_RDWR);
data/osmo-0.4.4/src/options_prefs.c:917:17: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  source_fd = open(source, O_RDONLY);
data/osmo-0.4.4/src/options_prefs.c:922:17: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  target_fd = open(target, O_WRONLY | O_CREAT | O_EXCL, perm);
data/osmo-0.4.4/src/tasks_items.c:1334:21: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  tasks_version = atoi (prop);
data/osmo-0.4.4/src/tasks_items.c:1356:25: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  calendar_state = atoi (calendar_prop);
data/osmo-0.4.4/src/tasks_items.c:1361:22: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  tasks_state = atoi (tasks_prop);
data/osmo-0.4.4/src/utils.c:532:22: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  *iname = atoi ((gchar *) key);
data/osmo-0.4.4/src/utils.c:548:30: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  *uname = (guint) atoi ((gchar *) key);
data/osmo-0.4.4/src/about.c:426:16: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if(strlen(credits[i].tag) > 2) {
data/osmo-0.4.4/src/backup.c:78:11: [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  len = read(fd, buff, sizeof (buff));
data/osmo-0.4.4/src/backup.c:81:15: [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  len = read(fd, buff, sizeof (buff));
data/osmo-0.4.4/src/backup.c:303:11: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  p1len = strlen(bpass1);
data/osmo-0.4.4/src/backup.c:305:11: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  p2len = strlen(bpass2);
data/osmo-0.4.4/src/backup.c:448:13: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  passlen = strlen(password);
data/osmo-0.4.4/src/calendar_ical.c:596:29: [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy (item_name, (gchar *) key, BUFFER_SIZE-1);
data/osmo-0.4.4/src/calendar_ical.c:603:29: [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy (item_filename, (gchar *) key, BUFFER_SIZE-1);
data/osmo-0.4.4/src/calendar_ical.c:1390:42: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (get_export_items(appGUI) == 0 || strlen(filename) == 0) {
data/osmo-0.4.4/src/calendar_jumpto.c:39:9: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  n = strlen(str);
data/osmo-0.4.4/src/calendar_preferences_gui.c:265:6: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen (gtk_entry_get_text (GTK_ENTRY (appGUI->opt->date_header_format_entry))))
data/osmo-0.4.4/src/calendar_preferences_gui.c:626:6: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen (gtk_entry_get_text (entry)))
data/osmo-0.4.4/src/calendar_preferences_gui.c:688:8: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen (gtk_entry_get_text (GTK_ENTRY (appGUI->opt->color_edit_name_entry))))
data/osmo-0.4.4/src/calendar_preferences_gui.c:776:7: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (!strlen (category_name)) return;
data/osmo-0.4.4/src/calendar_preferences_gui.c:829:6: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen (gtk_entry_get_text (entry)))
data/osmo-0.4.4/src/calendar_preferences_gui.c:1092:6: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen (gtk_entry_get_text (GTK_ENTRY (appGUI->opt->calendar_ical_files_name_entry))) &&
data/osmo-0.4.4/src/calendar_preferences_gui.c:1093:6: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  strlen (gtk_entry_get_text (GTK_ENTRY (appGUI->opt->calendar_ical_files_filename_entry))))
data/osmo-0.4.4/src/calendar_preferences_gui.c:1207:8: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen (gtk_entry_get_text (GTK_ENTRY (appGUI->opt->ical_edit_name_entry))) &&
data/osmo-0.4.4/src/calendar_preferences_gui.c:1208:8: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  strlen (gtk_entry_get_text (GTK_ENTRY (appGUI->opt->ical_edit_filename_entry))))
data/osmo-0.4.4/src/calendar_preferences_gui.c:1225:6: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen (gtk_entry_get_text (GTK_ENTRY (appGUI->opt->ical_edit_name_entry))))
data/osmo-0.4.4/src/check_events.c:413:31: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (item->desc != NULL && strlen(item->desc)) {
data/osmo-0.4.4/src/check_events.c:439:31: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (item->desc != NULL && strlen(item->desc)) {
data/osmo-0.4.4/src/check_events.c:477:31: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (item->desc != NULL && strlen(item->desc)) {
data/osmo-0.4.4/src/check_events.c:504:13: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen(item->alarm_command)) {
data/osmo-0.4.4/src/check_events.c:508:9: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen(config.global_notification_command)) {
data/osmo-0.4.4/src/contacts.c:283:34: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (text == NULL || !strlen(text)) {
data/osmo-0.4.4/src/contacts.c:398:8: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if(strlen(gtk_entry_get_text (GTK_ENTRY(appGUI->cnt->contacts_find_entry)))) {
data/osmo-0.4.4/src/contacts.c:702:9: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen(gtk_entry_get_text(GTK_ENTRY(appGUI->cnt->contacts_find_entry)))) {
data/osmo-0.4.4/src/contacts.c:1140:13: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen(text)) n++;
data/osmo-0.4.4/src/contacts.c:1144:13: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen(text)) n++;
data/osmo-0.4.4/src/contacts.c:1148:13: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen(text)) n++;
data/osmo-0.4.4/src/contacts_birthdays.c:91:7: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen (gtk_entry_get_text (GTK_ENTRY (appGUI->cnt->contacts_find_entry)))) {
data/osmo-0.4.4/src/contacts_export.c:63:20: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  } else if (strlen(text) && k) {
data/osmo-0.4.4/src/contacts_export.c:99:9: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen(gtk_entry_get_text (GTK_ENTRY(appGUI->cnt->output_file_entry)))) {
data/osmo-0.4.4/src/contacts_export.c:171:37: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  for (a = b = 0; a < strlen(appGUI->cnt->contact_fields_tags_name[i * 2]); a++) {
data/osmo-0.4.4/src/contacts_export.c:214:29: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  for (a = b = 0; a < strlen(value); a++) {
data/osmo-0.4.4/src/contacts_export.c:301:15: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  len = strlen(value);
data/osmo-0.4.4/src/contacts_import.c:170:14: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (!strlen(text)) {
data/osmo-0.4.4/src/contacts_import.c:459:29: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  p = strlen(field_str);
data/osmo-0.4.4/src/contacts_import_csv.c:77:21: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  gsize len = strlen(line_buffer);
data/osmo-0.4.4/src/contacts_import_csv.c:95:52: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  gchar *value = substring_fragment(line_buffer, strlen(line_buffer), FIELD_SEPARATOR, field);
data/osmo-0.4.4/src/contacts_import_csv.c:98:21: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  gsize len = strlen(value);
data/osmo-0.4.4/src/contacts_items.c:141:25: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen(text)) {
data/osmo-0.4.4/src/contacts_items.c:248:8: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if(strlen(gtk_entry_get_text(GTK_ENTRY(appGUI->cnt->contact_entries[COLUMN_FIRST_NAME]))) ||
data/osmo-0.4.4/src/contacts_items.c:249:8: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  strlen(gtk_entry_get_text(GTK_ENTRY(appGUI->cnt->contact_entries[COLUMN_LAST_NAME])))) {
data/osmo-0.4.4/src/contacts_items.c:274:12: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if(strlen(text) && i != COLUMN_HOME_PHONE_4 && i != COLUMN_WORK_PHONE_4 &&
data/osmo-0.4.4/src/contacts_items.c:381:8: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if(strlen(text) && i != COLUMN_HOME_PHONE_4 && i != COLUMN_WORK_PHONE_4 &&
data/osmo-0.4.4/src/contacts_items.c:527:14: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (!strlen(text)) break;
data/osmo-0.4.4/src/contacts_items.c:1290:29: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen(item)) {
data/osmo-0.4.4/src/contacts_preferences_gui.c:279:7: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (!strlen (category_name)) return;
data/osmo-0.4.4/src/contacts_preferences_gui.c:319:6: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen (gtk_entry_get_text (widget)))
data/osmo-0.4.4/src/gtksourceiter.c:93:15: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  needle_len = strlen (needle);
data/osmo-0.4.4/src/gtksourceiter.c:149:15: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  needle_len = strlen (needle);
data/osmo-0.4.4/src/gtksourceiter.c:197:11: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  len_s1 = strlen (normalized_s1);
data/osmo-0.4.4/src/gtksourceiter.c:198:11: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  len_s2 = strlen (normalized_s2);
data/osmo-0.4.4/src/gtksourceiter.c:320:49: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (g_utf8_caselessnmatch (line_text, *lines, strlen (line_text),
data/osmo-0.4.4/src/gtksourceiter.c:321:9: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  strlen (*lines)))
data/osmo-0.4.4/src/gtksourceiter.c:418:49: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (g_utf8_caselessnmatch (line_text, *lines, strlen (line_text),
data/osmo-0.4.4/src/gtksourceiter.c:419:9: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  strlen (*lines)))
data/osmo-0.4.4/src/gtksourceiter.c:480:25: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  guint delimiter_len = strlen (delimiter);
data/osmo-0.4.4/src/gtksourceiter.c:488:4: [1] (buffer) strncpy: Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy (new_string, string, len);
data/osmo-0.4.4/src/gui.c:629:29: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen(gtk_entry_get_text(GTK_ENTRY(appGUI->tsk->tasks_find_entry)))) {
data/osmo-0.4.4/src/gui.c:728:29: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen(gtk_entry_get_text(GTK_ENTRY(appGUI->cnt->contacts_find_entry)))) {
data/osmo-0.4.4/src/gui.c:869:29: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen(gtk_entry_get_text(GTK_ENTRY(appGUI->nte->notes_find_entry)))) {
data/osmo-0.4.4/src/notes.c:176:70: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  (gchar *) text, strlen((gchar *) text), NULL);
data/osmo-0.4.4/src/notes.c:520:13: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  bytes = strlen (text);
data/osmo-0.4.4/src/notes.c:598:6: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen(txtinfo_selection)) {
data/osmo-0.4.4/src/notes.c:693:9: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen(find_text)) {
data/osmo-0.4.4/src/notes.c:1227:8: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if(strlen(gtk_entry_get_text (GTK_ENTRY(appGUI->nte->notes_find_entry)))) {
data/osmo-0.4.4/src/notes.c:1249:9: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen(gtk_entry_get_text(GTK_ENTRY(appGUI->nte->notes_find_entry)))) {
data/osmo-0.4.4/src/notes_items.c:49:14: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  gint a = strlen(gtk_entry_get_text(GTK_ENTRY(appGUI->nte->note_name_entry)));
data/osmo-0.4.4/src/notes_items.c:54:13: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  b = strlen(gtk_entry_get_text(GTK_ENTRY(appGUI->nte->password_entry)));
data/osmo-0.4.4/src/notes_items.c:59:13: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  c = strlen(gtk_entry_get_text(GTK_ENTRY(appGUI->nte->spassword_entry)));
data/osmo-0.4.4/src/notes_preferences_gui.c:272:7: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (!strlen (category_name)) return;
data/osmo-0.4.4/src/notes_preferences_gui.c:302:6: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen (gtk_entry_get_text (entry)))
data/osmo-0.4.4/src/options_prefs.c:928:11: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  len = read(source_fd, buff, sizeof (buff));
data/osmo-0.4.4/src/options_prefs.c:931:15: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  len = read(source_fd, buff, sizeof (buff));
data/osmo-0.4.4/src/preferences_gui.c:404:6: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen (gtk_entry_get_text (entry)))
data/osmo-0.4.4/src/preferences_gui.c:522:6: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen (gtk_entry_get_text (GTK_ENTRY (appGUI->opt->entry_web_browser))))
data/osmo-0.4.4/src/preferences_gui.c:525:6: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen (gtk_entry_get_text (GTK_ENTRY (appGUI->opt->entry_email_client))))
data/osmo-0.4.4/src/preferences_gui.c:528:6: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen (gtk_entry_get_text (GTK_ENTRY (appGUI->opt->entry_sound_player))))
data/osmo-0.4.4/src/tasks_items.c:532:9: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen (gtk_entry_get_text (GTK_ENTRY (editable)))) {
data/osmo-0.4.4/src/tasks_preferences_gui.c:268:7: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (!strlen (category_name)) return;
data/osmo-0.4.4/src/tasks_preferences_gui.c:380:6: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen (gtk_entry_get_text (widget)))
data/osmo-0.4.4/src/utils.c:519:23: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  g_return_if_fail (strlen (buffer) > 0);
data/osmo-0.4.4/src/utils.c:749:29: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  for (i = n = d = 0; i < strlen (link); i++) {
data/osmo-0.4.4/src/utils.c:1004:10: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  tsize = strlen(config.web_browser);
data/osmo-0.4.4/src/utils.c:1011:16: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (tsize + strlen(qURL) < PATH_MAX) {
data/osmo-0.4.4/src/utils.c:1012:14: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  tsize += strlen(qURL) + 1 /* space */;
data/osmo-0.4.4/src/utils.c:1014:5: [1] (buffer) strcat: Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant character.
  strcat (url_path, " ");
data/osmo-0.4.4/src/utils.c:1018:13: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  tsize += strlen(qURL) + 1 /* space */;
data/osmo-0.4.4/src/utils_gui.c:538:27: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  g_snprintf(color_str, strlen(color_str) + 1, ". c %s", color);
data/osmo-0.4.4/src/utils_gui.c:652:23: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  for (i=0; i < strlen(cmd); i++) {
data/osmo-0.4.4/src/vcf.c:217:24: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  replacement_size = strlen(replacement);
data/osmo-0.4.4/src/vcf.c:218:19: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  buffer_size = strlen(string);
data/osmo-0.4.4/src/vcf.c:257:19: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  buffer_size = strlen(property) + 1; /* property */
data/osmo-0.4.4/src/vcf.c:262:29: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  buffer_size += (strlen(components[i]) * MAX_ESCAPE_SIZE); /* escaped value */
data/osmo-0.4.4/src/vcf.c:274:24: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  gint len = strlen(buffer);
data/osmo-0.4.4/src/vcf.c:280:24: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  gint len = strlen(components[i]);
data/osmo-0.4.4/src/vcf.c:326:21: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  gsize len = strlen(content);
data/osmo-0.4.4/src/vcf.c:330:13: [1] (buffer) strncpy: Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy(buffer, content, len);

ANALYSIS SUMMARY:

Hits = 154
Lines analyzed = 43094 in approximately 1.09 seconds (39712 lines/second)
Physical Source Lines of Code (SLOC) = 31679
Hits@level = [0] 13 [1] 101 [2] 44 [3] 2 [4] 7 [5] 0
Hits@level+ = [0+] 167 [1+] 154 [2+] 53 [3+] 9 [4+] 7 [5+] 0
Hits/KSLOC@level+ = [0+] 5.27163 [1+] 4.86126 [2+] 1.67303 [3+] 0.2841 [4+] 0.220967 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.