Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/php-amqp-1.10.2/amqp-1.10.2/amqp.c
Examining data/php-amqp-1.10.2/amqp-1.10.2/amqp_basic_properties.c
Examining data/php-amqp-1.10.2/amqp-1.10.2/amqp_basic_properties.h
Examining data/php-amqp-1.10.2/amqp-1.10.2/amqp_channel.c
Examining data/php-amqp-1.10.2/amqp-1.10.2/amqp_channel.h
Examining data/php-amqp-1.10.2/amqp-1.10.2/amqp_connection.c
Examining data/php-amqp-1.10.2/amqp-1.10.2/amqp_connection.h
Examining data/php-amqp-1.10.2/amqp-1.10.2/amqp_connection_resource.c
Examining data/php-amqp-1.10.2/amqp-1.10.2/amqp_connection_resource.h
Examining data/php-amqp-1.10.2/amqp-1.10.2/amqp_decimal.c
Examining data/php-amqp-1.10.2/amqp-1.10.2/amqp_decimal.h
Examining data/php-amqp-1.10.2/amqp-1.10.2/amqp_envelope.c
Examining data/php-amqp-1.10.2/amqp-1.10.2/amqp_envelope.h
Examining data/php-amqp-1.10.2/amqp-1.10.2/amqp_exchange.c
Examining data/php-amqp-1.10.2/amqp-1.10.2/amqp_exchange.h
Examining data/php-amqp-1.10.2/amqp-1.10.2/amqp_methods_handling.c
Examining data/php-amqp-1.10.2/amqp-1.10.2/amqp_methods_handling.h
Examining data/php-amqp-1.10.2/amqp-1.10.2/amqp_queue.c
Examining data/php-amqp-1.10.2/amqp-1.10.2/amqp_queue.h
Examining data/php-amqp-1.10.2/amqp-1.10.2/amqp_timestamp.c
Examining data/php-amqp-1.10.2/amqp-1.10.2/amqp_timestamp.h
Examining data/php-amqp-1.10.2/amqp-1.10.2/amqp_type.c
Examining data/php-amqp-1.10.2/amqp-1.10.2/amqp_type.h
Examining data/php-amqp-1.10.2/amqp-1.10.2/php5_support.h
Examining data/php-amqp-1.10.2/amqp-1.10.2/php7_support.h
Examining data/php-amqp-1.10.2/amqp-1.10.2/php_amqp.h
FINAL RESULTS:
data/php-amqp-1.10.2/amqp-1.10.2/amqp_basic_properties.c:458:18: [4] (format) snprintf:
If format strings can be influenced by an attacker, they can be exploited,
and note that sprintf variations do not always \0-terminate (CWE-134). Use
a constant for the format specification.
int length = snprintf(timestamp_str, sizeof(timestamp_str), ZEND_ULONG_FMT, entry->value.value.u64);
data/php-amqp-1.10.2/amqp-1.10.2/amqp_basic_properties.c:454:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char timestamp_str[20];
data/php-amqp-1.10.2/amqp-1.10.2/amqp_channel.c:1464:2: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&amqp_channel_object_handlers, zend_get_std_object_handlers(), sizeof(zend_object_handlers));
data/php-amqp-1.10.2/amqp-1.10.2/amqp_connection.c:1643:2: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&amqp_connection_object_handlers, zend_get_std_object_handlers(), sizeof(zend_object_handlers));
data/php-amqp-1.10.2/amqp-1.10.2/amqp_timestamp.c:122:2: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char min[21], max[21];
data/php-amqp-1.10.2/amqp-1.10.2/amqp_type.c:141:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char str[32];
data/php-amqp-1.10.2/amqp-1.10.2/amqp_type.c:143:15: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
key_len = sprintf(str, "%lu", index);
data/php-amqp-1.10.2/amqp-1.10.2/amqp_type.c:187:2: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char type[16];
data/php-amqp-1.10.2/amqp-1.10.2/amqp_type.c:210:2: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char type[16];
data/php-amqp-1.10.2/amqp-1.10.2/amqp_type.c:279:6: [2] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused). Risk is low because the source is a constant string.
strcpy(type, "object");
data/php-amqp-1.10.2/amqp-1.10.2/amqp_type.c:282:6: [2] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused). Risk is low because the source is a constant string.
strcpy(type, "resource");
data/php-amqp-1.10.2/amqp-1.10.2/amqp_type.c:285:6: [2] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused). Risk is low because the source is a constant string.
strcpy(type, "unknown");
data/php-amqp-1.10.2/amqp-1.10.2/php_amqp.h:267:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char verify_connection_error_tmp[255]; \
data/php-amqp-1.10.2/amqp-1.10.2/php_amqp.h:281:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char verify_channel_error_tmp[255]; \
data/php-amqp-1.10.2/amqp-1.10.2/amqp_connection.c:353:127: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
zend_update_property_stringl(this_ce, getThis(), ZEND_STRL("login"), INI_STR("amqp.login"), (PHP5to7_param_str_len_type_t) (strlen(INI_STR("amqp.login")) > 128 ? 128 : strlen(INI_STR("amqp.login"))) TSRMLS_CC);
data/php-amqp-1.10.2/amqp-1.10.2/amqp_connection.c:353:171: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
zend_update_property_stringl(this_ce, getThis(), ZEND_STRL("login"), INI_STR("amqp.login"), (PHP5to7_param_str_len_type_t) (strlen(INI_STR("amqp.login")) > 128 ? 128 : strlen(INI_STR("amqp.login"))) TSRMLS_CC);
data/php-amqp-1.10.2/amqp-1.10.2/amqp_connection.c:371:133: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
zend_update_property_stringl(this_ce, getThis(), ZEND_STRL("password"), INI_STR("amqp.password"), (PHP5to7_param_str_len_type_t) (strlen(INI_STR("amqp.password")) > 128 ? 128 : strlen(INI_STR("amqp.password"))) TSRMLS_CC);
data/php-amqp-1.10.2/amqp-1.10.2/amqp_connection.c:371:180: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
zend_update_property_stringl(this_ce, getThis(), ZEND_STRL("password"), INI_STR("amqp.password"), (PHP5to7_param_str_len_type_t) (strlen(INI_STR("amqp.password")) > 128 ? 128 : strlen(INI_STR("amqp.password"))) TSRMLS_CC);
data/php-amqp-1.10.2/amqp-1.10.2/amqp_connection.c:389:125: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
zend_update_property_stringl(this_ce, getThis(), ZEND_STRL("host"), INI_STR("amqp.host"), (PHP5to7_param_str_len_type_t) (strlen(INI_STR("amqp.host")) > 128 ? 128 : strlen(INI_STR("amqp.host"))) TSRMLS_CC);
data/php-amqp-1.10.2/amqp-1.10.2/amqp_connection.c:389:168: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
zend_update_property_stringl(this_ce, getThis(), ZEND_STRL("host"), INI_STR("amqp.host"), (PHP5to7_param_str_len_type_t) (strlen(INI_STR("amqp.host")) > 128 ? 128 : strlen(INI_STR("amqp.host"))) TSRMLS_CC);
data/php-amqp-1.10.2/amqp-1.10.2/amqp_connection.c:407:127: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
zend_update_property_stringl(this_ce, getThis(), ZEND_STRL("vhost"), INI_STR("amqp.vhost"), (PHP5to7_param_str_len_type_t) (strlen(INI_STR("amqp.vhost")) > 128 ? 128 : strlen(INI_STR("amqp.vhost"))) TSRMLS_CC);
data/php-amqp-1.10.2/amqp-1.10.2/amqp_connection.c:407:171: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
zend_update_property_stringl(this_ce, getThis(), ZEND_STRL("vhost"), INI_STR("amqp.vhost"), (PHP5to7_param_str_len_type_t) (strlen(INI_STR("amqp.vhost")) > 128 ? 128 : strlen(INI_STR("amqp.vhost"))) TSRMLS_CC);
ANALYSIS SUMMARY:
Hits = 22
Lines analyzed = 9344 in approximately 0.24 seconds (38189 lines/second)
Physical Source Lines of Code (SLOC) = 5851
Hits@level = [0] 4 [1] 8 [2] 13 [3] 0 [4] 1 [5] 0
Hits@level+ = [0+] 26 [1+] 22 [2+] 14 [3+] 1 [4+] 1 [5+] 0
Hits/KSLOC@level+ = [0+] 4.44368 [1+] 3.76004 [2+] 2.39275 [3+] 0.170911 [4+] 0.170911 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.