Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler. Number of rules (primarily dangerous function names) in C/C++ ruleset: 223 Examining data/php-gnupg-1.4.0/gnupg-1.4.0/phpc/phpc.h Examining data/php-gnupg-1.4.0/gnupg-1.4.0/gnupg.c Examining data/php-gnupg-1.4.0/gnupg-1.4.0/gnupg_keylistiterator.c Examining data/php-gnupg-1.4.0/gnupg-1.4.0/php_gnupg.h Examining data/php-gnupg-1.4.0/gnupg-1.4.0/php_gnupg_keylistiterator.h FINAL RESULTS: data/php-gnupg-1.4.0/gnupg-1.4.0/gnupg.c:402:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char uid[17]; data/php-gnupg-1.4.0/gnupg-1.4.0/gnupg.c:440:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char uid[17]; data/php-gnupg-1.4.0/gnupg-1.4.0/phpc/phpc.h:51:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(&PHPC_OBJ_GET_HANDLER_VAR_NAME(_name), \ data/php-gnupg-1.4.0/gnupg-1.4.0/phpc/phpc.h:204:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(PHPC_STR_VAL(_name), _cstr, _len); \ data/php-gnupg-1.4.0/gnupg-1.4.0/gnupg.c:295:73: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). zend_declare_class_constant_long(gnupg_class_entry, (char*)const_name, strlen(const_name), value TSRMLS_CC); data/php-gnupg-1.4.0/gnupg-1.4.0/gnupg.c:426:28: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (write(fd, passphrase, strlen(passphrase)) == strlen(passphrase) && write(fd, "\n", 1) == 1) { data/php-gnupg-1.4.0/gnupg-1.4.0/gnupg.c:426:51: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (write(fd, passphrase, strlen(passphrase)) == strlen(passphrase) && write(fd, "\n", 1) == 1) { data/php-gnupg-1.4.0/gnupg-1.4.0/gnupg.c:463:28: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (write(fd, passphrase, strlen(passphrase)) == strlen(passphrase) && write(fd, "\n", 1) == 1) { data/php-gnupg-1.4.0/gnupg-1.4.0/gnupg.c:463:51: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (write(fd, passphrase, strlen(passphrase)) == strlen(passphrase) && write(fd, "\n", 1) == 1) { data/php-gnupg-1.4.0/gnupg-1.4.0/phpc/phpc.h:177:47: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). #define PHPC_STR_LEN_FROM_VAL(_name) strlen(PHPC_STR_VAL(_name)) data/php-gnupg-1.4.0/gnupg-1.4.0/phpc/phpc.h:197:23: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). PHPC_STR_LEN(_str) = strlen(*PHPC_STR_VAL(_strpv)) data/php-gnupg-1.4.0/gnupg-1.4.0/phpc/phpc.h:374:34: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). zend_hash_add(_ht, _cstr_value, strlen(_cstr_value) + 1, _ptr, _ptr_size, NULL) data/php-gnupg-1.4.0/gnupg-1.4.0/phpc/phpc.h:383:34: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). zend_hash_add(_ht, _cstr_value, strlen(_cstr_value) + 1, &_pzv, sizeof(_pzv), NULL) data/php-gnupg-1.4.0/gnupg-1.4.0/phpc/phpc.h:393:37: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). zend_hash_update(_ht, _cstr_value, strlen(_cstr_value) + 1, _ptr, _ptr_size, NULL) data/php-gnupg-1.4.0/gnupg-1.4.0/phpc/phpc.h:402:37: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). zend_hash_update(_ht, _cstr_value, strlen(_cstr_value) + 1, &_pzv, sizeof(_pzv), NULL) data/php-gnupg-1.4.0/gnupg-1.4.0/phpc/phpc.h:412:34: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). zend_hash_del(_ht, _cstr_value, strlen(_cstr_value) + 1) data/php-gnupg-1.4.0/gnupg-1.4.0/phpc/phpc.h:422:37: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). zend_hash_exists(_ht, _cstr_value, strlen(_cstr_value) + 1) data/php-gnupg-1.4.0/gnupg-1.4.0/phpc/phpc.h:432:35: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). zend_hash_find(_ht, _cstr_value, strlen(_cstr_value) + 1, (void **) &_ppv) data/php-gnupg-1.4.0/gnupg-1.4.0/phpc/phpc.h:964:42: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). zend_hash_str_add_ptr(_ht, _cstr_value, strlen(_cstr_value), _ptr) data/php-gnupg-1.4.0/gnupg-1.4.0/phpc/phpc.h:970:38: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). zend_hash_str_add(_ht, _cstr_value, strlen(_cstr_value), _pzv) data/php-gnupg-1.4.0/gnupg-1.4.0/phpc/phpc.h:980:45: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). zend_hash_str_update_ptr(_ht, _cstr_value, strlen(_cstr_value), _ptr) data/php-gnupg-1.4.0/gnupg-1.4.0/phpc/phpc.h:986:41: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). zend_hash_str_update(_ht, _cstr_value, strlen(_cstr_value), _pzv) data/php-gnupg-1.4.0/gnupg-1.4.0/phpc/phpc.h:993:38: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). zend_hash_str_del(_ht, _cstr_value, strlen(_cstr_value)) data/php-gnupg-1.4.0/gnupg-1.4.0/phpc/phpc.h:1000:41: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). zend_hash_str_exists(_ht, _cstr_value, strlen(_cstr_value)) data/php-gnupg-1.4.0/gnupg-1.4.0/phpc/phpc.h:1008:46: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). _ppv = zend_hash_str_find(_ht, _cstr_value, strlen(_cstr_value)) data/php-gnupg-1.4.0/gnupg-1.4.0/phpc/phpc.h:1017:50: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). _ptr = zend_hash_str_find_ptr(_ht, _cstr_value, strlen(_cstr_value)) ANALYSIS SUMMARY: Hits = 26 Lines analyzed = 3368 in approximately 0.08 seconds (40791 lines/second) Physical Source Lines of Code (SLOC) = 2511 Hits@level = [0] 0 [1] 22 [2] 4 [3] 0 [4] 0 [5] 0 Hits@level+ = [0+] 26 [1+] 26 [2+] 4 [3+] 0 [4+] 0 [5+] 0 Hits/KSLOC@level+ = [0+] 10.3544 [1+] 10.3544 [2+] 1.59299 [3+] 0 [4+] 0 [5+] 0 Dot directories skipped = 1 (--followdotdir overrides) Minimum risk level = 1 Not every hit is necessarily a security vulnerability. There may be other security vulnerabilities; review your code! See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.