Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/php_http.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_api.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_buffer.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_buffer.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_client.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_client.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_client_curl.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_client_curl.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_client_curl_event.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_client_curl_event.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_client_curl_user.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_client_curl_user.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_client_request.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_client_request.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_client_response.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_client_response.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_cookie.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_cookie.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_curl.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_curl.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_encoding.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_encoding.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_env.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_env.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_env_request.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_env_request.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_env_response.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_env_response.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_etag.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_etag.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_exception.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_exception.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_filter.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_filter.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_header.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_header.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_header_parser.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_header_parser.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_info.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_info.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_message.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_message.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_message_body.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_message_body.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_message_parser.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_message_parser.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_misc.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_misc.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_negotiate.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_negotiate.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_object.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_object.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_options.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_options.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_params.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_params.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_querystring.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_querystring.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_response_codes.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_url.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_url.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_utf8.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_version.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_version.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/php_http.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_api.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_buffer.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_buffer.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_client.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_client.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_client_curl.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_client_curl.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_client_curl_event.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_client_curl_event.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_client_curl_user.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_client_curl_user.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_client_request.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_client_request.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_client_response.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_client_response.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_cookie.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_cookie.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_curl.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_curl.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_encoding.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_encoding.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_encoding_brotli.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_encoding_brotli.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_encoding_zlib.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_encoding_zlib.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_env.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_env.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_env_request.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_env_request.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_env_response.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_env_response.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_etag.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_etag.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_exception.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_exception.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_filter.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_filter.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_header.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_header.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_header_parser.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_header_parser.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_info.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_info.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_message.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_message.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_message_body.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_message_body.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_message_parser.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_message_parser.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_misc.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_misc.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_negotiate.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_negotiate.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_object.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_object.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_options.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_options.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_params.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_params.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_querystring.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_querystring.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_response_codes.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_url.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_url.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_utf8.h
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_version.c
Examining data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_version.h
FINAL RESULTS:
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http.c:91:4: [4] (format) fprintf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
fprintf(stderr, ip?"%c":"\\x%02x", (int) (*data & 0xff));
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_buffer.h:166:134: [4] (format) printf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
PHP_HTTP_BUFFER_API size_t php_http_buffer_appendf(php_http_buffer_t *buf, const char *format, ...) PHP_HTTP_BUFFER_ATTRIBUTE_FORMAT(printf, 2, 3);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_buffer.h:224:149: [4] (format) printf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
PHP_HTTP_BUFFER_API size_t php_http_buffer_insertf(php_http_buffer_t *buf, size_t offset, const char *format, ...) PHP_HTTP_BUFFER_ATTRIBUTE_FORMAT(printf, 3, 4);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_buffer.h:230:135: [4] (format) printf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
PHP_HTTP_BUFFER_API size_t php_http_buffer_prependf(php_http_buffer_t *buf, const char *format, ...) PHP_HTTP_BUFFER_ATTRIBUTE_FORMAT(printf, 2, 3);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_url.c:195:4: [4] (buffer) strcat:
Does not check for buffer overflows when concatenating to destination
[MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
snprintf (warning: strncat is easily misused).
strcat(path, old_url->path);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_url.c:200:4: [4] (buffer) strcat:
Does not check for buffer overflows when concatenating to destination
[MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
snprintf (warning: strncat is easily misused).
strcat(path, new_url->path);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http.c:98:4: [4] (format) fprintf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
fprintf(stderr, ip?"%c":"\\x%02x", (int) (*data & 0xff));
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_buffer.h:161:134: [4] (format) printf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
PHP_HTTP_BUFFER_API size_t php_http_buffer_appendf(php_http_buffer_t *buf, const char *format, ...) PHP_HTTP_BUFFER_ATTRIBUTE_FORMAT(printf, 2, 3);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_buffer.h:219:149: [4] (format) printf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
PHP_HTTP_BUFFER_API size_t php_http_buffer_insertf(php_http_buffer_t *buf, size_t offset, const char *format, ...) PHP_HTTP_BUFFER_ATTRIBUTE_FORMAT(printf, 3, 4);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_buffer.h:225:135: [4] (format) printf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
PHP_HTTP_BUFFER_API size_t php_http_buffer_prependf(php_http_buffer_t *buf, const char *format, ...) PHP_HTTP_BUFFER_ATTRIBUTE_FORMAT(printf, 2, 3);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_url.c:204:4: [4] (buffer) strcat:
Does not check for buffer overflows when concatenating to destination
[MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
snprintf (warning: strncat is easily misused).
strcat(path, old_url->path);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_url.c:209:4: [4] (buffer) strcat:
Does not check for buffer overflows when concatenating to destination
[MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
snprintf (warning: strncat is easily misused).
strcat(path, new_url->path);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_client.c:320:14: [3] (buffer) getopt:
Some older implementations do not protect against internal buffer overflows
(CWE-120, CWE-20). Check implementation on installation, or limit the size
of all string inputs.
if (h->ops->getopt) {
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_client.c:321:18: [3] (buffer) getopt:
Some older implementations do not protect against internal buffer overflows
(CWE-120, CWE-20). Check implementation on installation, or limit the size
of all string inputs.
return h->ops->getopt(h, opt, arg, res_ptr);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_client.h:64:32: [3] (buffer) getopt:
Some older implementations do not protect against internal buffer overflows
(CWE-120, CWE-20). Check implementation on installation, or limit the size
of all string inputs.
php_http_client_getopt_func_t getopt;
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_env.c:141:18: [3] (buffer) getenv:
Environment variables are untrustable input if they can be set by an
attacker. They can have any content and length, and the same variable can
be set more than once (CWE-807, CWE-20). Check environment variables
carefully before using them.
if (sapi_module.getenv) {
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_env.c:142:28: [3] (buffer) getenv:
Environment variables are untrustable input if they can be set by an
attacker. They can have any content and length, and the same variable can
be set more than once (CWE-807, CWE-20). Check environment variables
carefully before using them.
if ((!(env = sapi_module.getenv((char *) key, key_len TSRMLS_CC))) || (check && !*env)) {
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_client.c:325:14: [3] (buffer) getopt:
Some older implementations do not protect against internal buffer overflows
(CWE-120, CWE-20). Check implementation on installation, or limit the size
of all string inputs.
if (h->ops->getopt) {
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_client.c:326:18: [3] (buffer) getopt:
Some older implementations do not protect against internal buffer overflows
(CWE-120, CWE-20). Check implementation on installation, or limit the size
of all string inputs.
return h->ops->getopt(h, opt, arg, res_ptr);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_client.h:65:32: [3] (buffer) getopt:
Some older implementations do not protect against internal buffer overflows
(CWE-120, CWE-20). Check implementation on installation, or limit the size
of all string inputs.
php_http_client_getopt_func_t getopt;
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_buffer.c:110:2: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(buf->data + buf->used, append, append_len);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_buffer.c:138:2: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(copy, buf->data, buf->used);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_buffer.c:330:2: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(buf->data + offset, insert, insert_len);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_buffer.c:361:2: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(buf->data, prepend, prepend_len);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_buffer.h:59:9: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
if (r) memcpy((void *) r, p, s), r[s] = '\0';
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_client.c:1278:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&client_obj->debug.fci, &fci, sizeof(fci));
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_client.c:1279:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&client_obj->debug.fcc, &fcc, sizeof(fcc));
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_client.c:1335:2: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&php_http_client_object_handlers, zend_get_std_object_handlers(), sizeof(zend_object_handlers));
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_client_curl.c:65:2: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char errorbuffer[0x100];
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_client_curl.c:664:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&err[err_count], st, sizeof(*st));
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_cookie.c:290:2: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char *enc_str[2];
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_cookie.c:1019:2: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&php_http_cookie_object_handlers, zend_get_std_object_handlers(), sizeof(zend_object_handlers));
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_encoding.c:54:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(*decoded, encoded, encoded_len);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_encoding.c:97:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(*decoded + *decoded_len, n_ptr, chunk_len);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_encoding.c:1180:2: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&php_http_encoding_stream_object_handlers, zend_get_std_object_handlers(), sizeof(zend_object_handlers));
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_env_response.h:51:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char boundary[32];
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_etag.c:57:11: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char digest[128] = {0};
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_etag.c:61:12: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char buf[4];
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_etag.h:31:15: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static const char hexdigits[17] = "0123456789abcdef";
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_filter.c:62:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(__data, data, length); \
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_header_parser.c:212:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&parser->_val.str[parser->_val.len], ptr, len); \
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_header_parser.c:323:6: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char s[1] = {c};
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_header_parser.c:464:2: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&php_http_header_parser_object_handlers, zend_get_std_object_handlers(), sizeof(zend_object_handlers));
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_message.c:169:2: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(key, key_str, key_len);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_message.c:2068:2: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&php_http_message_object_handlers, zend_get_std_object_handlers(), sizeof(zend_object_handlers));
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_message_body.c:920:2: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&php_http_message_body_object_handlers, zend_get_std_object_handlers(), sizeof(zend_object_handlers));
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_message_parser.c:149:7: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char s[1] = {c};
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_message_parser.c:673:2: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&php_http_message_parser_object_handlers, zend_get_std_object_handlers(), sizeof(zend_object_handlers));
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_params.c:33:2: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(opts, &def_opts, sizeof(def_opts));
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_params.c:79:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&str[1], Z_STRVAL_P(zv), Z_STRLEN_P(zv));
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_url.c:34:2: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char hostname[1024] = {0};
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_url.c:598:2: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buffer[1]; /* last member */
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_url.c:628:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(cpy_ptr + sizeof(*cpy), url_ptr + sizeof(*url), end - url_ptr - sizeof(*url));
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_url.c:916:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(state->url.host, idn, idnlen + 1);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_url.c:946:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(state->url.host, idn, idnlen + 1);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_url.c:1057:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[16], *addr = estrndup(ptr + 1, addrlen - 2);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_utf8.h:22:23: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static const unsigned char utf8_mblen[256] = {
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http.c:240:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char us[U_MAX_VERSION_STRING_LENGTH] = {0};
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_buffer.c:121:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(buf->data + buf->used, append, append_len);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_buffer.c:153:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(copy, buf->data, buf->used);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_buffer.c:364:2: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(buf->data + offset, insert, insert_len);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_buffer.c:397:2: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(buf->data, prepend, prepend_len);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_buffer.h:53:9: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
if (r) memcpy((void *) r, p, s), r[s] = '\0';
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_client.c:1305:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&client_obj->debug.fci, &fci, sizeof(fci));
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_client.c:1306:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&client_obj->debug.fcc, &fcc, sizeof(fcc));
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_client.c:1362:2: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&php_http_client_object_handlers, zend_get_std_object_handlers(), sizeof(zend_object_handlers));
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_client_curl.c:65:2: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char errorbuffer[0x100];
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_client_curl.c:734:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&err[err_count], st, sizeof(*st));
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_cookie.c:1025:2: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&php_http_cookie_object_handlers, zend_get_std_object_handlers(), sizeof(zend_object_handlers));
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_encoding.c:52:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(*decoded, encoded, encoded_len);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_encoding.c:95:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(*decoded + *decoded_len, n_ptr, chunk_len);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_encoding.c:695:2: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&php_http_encoding_stream_object_handlers, zend_get_std_object_handlers(), sizeof(zend_object_handlers));
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_env_response.h:51:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char boundary[32];
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_etag.c:56:11: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char digest[128] = {0};
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_etag.c:61:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&e_ctx, e->ctx, 4);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_etag.h:27:15: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static const char hexdigits[17] = "0123456789abcdef";
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_filter.c:62:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(__data, data, length); \
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_header_parser.c:189:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&parser->_val.str[parser->_val.len], ptr, len); \
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_header_parser.c:299:6: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char s[1] = {c};
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_header_parser.c:440:2: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&php_http_header_parser_object_handlers, zend_get_std_object_handlers(), sizeof(zend_object_handlers));
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_message.c:155:2: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(key, key_str, key_len);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_message.c:2067:2: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&php_http_message_object_handlers, zend_get_std_object_handlers(), sizeof(zend_object_handlers));
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_message_body.c:937:2: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&php_http_message_body_object_handlers, zend_get_std_object_handlers(), sizeof(zend_object_handlers));
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_message_parser.c:121:7: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char s[1] = {c};
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_message_parser.c:656:2: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&php_http_message_parser_object_handlers, zend_get_std_object_handlers(), sizeof(zend_object_handlers));
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_misc.h:226:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(arrkey, key, sizeof(*key));
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_params.c:33:2: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(opts, &def_opts, sizeof(def_opts));
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_url.c:43:2: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char hostname[1024] = {0};
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_url.c:619:2: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buffer[1]; /* last member */
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_url.c:649:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(cpy_ptr + sizeof(*cpy), url_ptr + sizeof(*url), end - url_ptr - sizeof(*url));
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_url.c:761:4: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&state->buffer[state->offset], ptr, consumed);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_url.c:943:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(state->url.host, idn, idnlen + 1);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_url.c:977:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(state->url.host, idn, idnlen + 1);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_url.c:993:2: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char ebuf[64] = {0}, *error = NULL;
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_url.c:1060:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char ahost_str[256];
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_url.c:1067:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(state->url.host, ahost_str, ahost_len);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_url.c:1133:2: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char ahost_str[256] = {0};
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_url.c:1147:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(state->url.host, ahost_str, ahost_len + 1);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_url.c:1263:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[16], *addr = estrndup(ptr + 1, addrlen - 2);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_utf8.h:16:23: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static const unsigned char utf8_mblen[256] = {
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_buffer.h:164:72: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
#define php_http_buffer_appendl(b, a) php_http_buffer_append((b), (a), strlen(a))
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_buffer.h:222:75: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
#define php_http_buffer_insertl(b, i, o) php_http_buffer_insert((b), (i), strlen(i), (o))
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_buffer.h:228:74: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
#define php_http_buffer_prependl(b, p) php_http_buffer_prepend((b), (p), strlen(p))
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_env.h:71:82: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
#define php_http_env_got_server_var(v) (NULL != php_http_env_get_server_var((v), strlen(v), 1 TSRMLS_CC))
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_env_response.c:166:59: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
set_option(options, ZEND_STRL("etag"), IS_STRING, etag, strlen(etag) TSRMLS_CC);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_etag.c:39:47: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (mode && (eho = php_hash_fetch_ops(mode, strlen(mode)))) {
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_etag.c:83:42: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if ((eho = php_hash_fetch_ops(e->mode, strlen(e->mode)))) {
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_etag.c:113:42: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if ((eho = php_hash_fetch_ops(e->mode, strlen(e->mode)))) {
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_header_parser.c:251:25: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
size_t valid_len = strlen(parser->_val.str);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_info.c:104:22: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
end = pre_header + strlen(pre_header);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_message.c:553:45: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
php_http_message_object_prophandler_func_t read;
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_message.c:557:147: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
static ZEND_RESULT_CODE php_http_message_object_add_prophandler(const char *prop_str, size_t prop_len, php_http_message_object_prophandler_func_t read, php_http_message_object_prophandler_func_t write) {
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_message.c:558:46: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
php_http_message_object_prophandler_t h = { read, write };
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_message.c:924:13: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
handler->read(obj, return_value TSRMLS_CC);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_message.c:975:58: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
#define ASSOC_STRING(name, val) ASSOC_STRINGL(name, val, strlen(val))
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_message_body.c:195:7: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
if (read) {
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_message_body.c:196:30: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
if (-1 == cb(cb_arg, buf, read)) {
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_message_body.c:201:7: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
if (read < MIN(forlen, sizeof(buf))) {
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_message_body.c:205:29: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
if (forlen && !(forlen -= read)) {
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_message_body.c:288:44: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
safe_name = php_addslashes(estrdup(name), strlen(name), NULL, 1 TSRMLS_CC);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_message_body.c:310:44: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
safe_name = php_addslashes(estrdup(name), strlen(name), NULL, 1 TSRMLS_CC);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_message_body.c:312:25: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
php_basename(path_dup, strlen(path_dup), NULL, 0, &bname, &bname_len TSRMLS_CC);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_misc.c:25:2: [1] (obsolete) usleep:
This C routine is considered obsolete (as opposed to the shell command by
the same name). The interaction of this function with SIGALRM and other
timer functions such as sleep(), alarm(), setitimer(), and nanosleep() is
unspecified (CWE-676). Use nanosleep(2) or setitimer(2) instead.
usleep(PHP_HTTP_USEC(s));
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_misc.c:68:43: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
found = zend_memnstr(haystack, needle, strlen(needle), haystack+strlen(haystack));
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_misc.c:68:68: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
found = zend_memnstr(haystack, needle, strlen(needle), haystack+strlen(haystack));
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_misc.c:70:42: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
found = php_stristr(haystack, needle, strlen(haystack), strlen(needle));
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_misc.c:70:60: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
found = php_stristr(haystack, needle, strlen(haystack), strlen(needle));
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_misc.c:76:20: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
&& (!*(found + strlen(needle)) || !PHP_HTTP_IS_CTYPE(alnum, *(found + strlen(needle))))
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_misc.c:76:75: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
&& (!*(found + strlen(needle)) || !PHP_HTTP_IS_CTYPE(alnum, *(found + strlen(needle))))
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_querystring.c:285:11: [1] (buffer) equal:
Function does not check the second iterator for over-read conditions
(CWE-126). This function is often discouraged by most C++ coding standards
in favor of its safer alternatives provided since C++14. Consider using a
form of this function that checks the second iterator before potentially
overflowing it.
zval equal, *entry = NULL;
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_querystring.c:291:52: [1] (buffer) equal:
Function does not check the second iterator for over-read conditions
(CWE-126). This function is often discouraged by most C++ coding standards
in favor of its safer alternatives provided since C++14. Consider using a
form of this function that checks the second iterator before potentially
overflowing it.
} else if ((FAILURE == is_identical_function(&equal, *qarray_entry, *params_entry TSRMLS_CC)) || !Z_BVAL(equal)) {
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_querystring.c:291:111: [1] (buffer) equal:
Function does not check the second iterator for over-read conditions
(CWE-126). This function is often discouraged by most C++ coding standards
in favor of its safer alternatives provided since C++14. Consider using a
form of this function that checks the second iterator before potentially
overflowing it.
} else if ((FAILURE == is_identical_function(&equal, *qarray_entry, *params_entry TSRMLS_CC)) || !Z_BVAL(equal)) {
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_url.c:43:17: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
size_t hlen = strlen(hostname);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_url.c:95:42: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
php_http_buffer_append(&buf, host_str, strlen(host_str) + 1);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_url.c:115:63: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
php_http_buffer_append(&buf, SG(request_info).request_uri, strlen(SG(request_info).request_uri) + 1);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_url.c:122:63: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
php_http_buffer_append(&buf, SG(request_info).query_string, strlen(SG(request_info).query_string) + 1);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_url.c:150:61: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
url_append(&buf, php_http_buffer_append(&buf, new_url->n, strlen(new_url->n) + 1)); \
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_url.c:153:61: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
url_append(&buf, php_http_buffer_append(&buf, old_url->n, strlen(old_url->n) + 1)); \
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_url.c:192:26: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
size_t old_path_len = strlen(old_url->path), new_path_len = strlen(new_url->path);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_url.c:192:64: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
size_t old_path_len = strlen(old_url->path), new_path_len = strlen(new_url->path);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_url.c:198:5: [1] (buffer) strcat:
Does not check for buffer overflows when concatenating to destination
[MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
snprintf (warning: strncat is easily misused). Risk is low because the
source is a constant character.
strcat(path, "/");
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_url.c:206:56: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
url_append(&buf, php_http_buffer_append(&buf, path, strlen(path) + 1));
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_url.c:220:57: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
url_append(&buf, php_http_buffer_append(&buf, path, strlen(path) + 1));
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_url.c:268:38: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
char *ptr, *end = url(buf)->path + strlen(url(buf)->path) + 1;
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_url.c:624:10: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
end += strlen(end) + 1;
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_url.c:851:30: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
size_t offset = 0, u8_len = strlen(u8);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_url.c:915:19: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
size_t idnlen = strlen(idn);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_url.c:945:19: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
size_t idnlen = strlen(idn);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_url.c:1038:16: [1] (buffer) wcslen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
PHP_HTTP_DUFF(wcslen(ahost_str), *host_ptr++ = *ahost_ptr++);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-2.6.0/src/php_http_url.c:1064:21: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
state->offset += strlen(state->url.host);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_buffer.h:158:72: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
#define php_http_buffer_appendl(b, a) php_http_buffer_append((b), (a), strlen(a))
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_buffer.h:217:75: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
#define php_http_buffer_insertl(b, i, o) php_http_buffer_insert((b), (i), strlen(i), (o))
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_buffer.h:223:74: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
#define php_http_buffer_prependl(b, p) php_http_buffer_prepend((b), (p), strlen(p))
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_env.c:615:44: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
RETURN_STR(php_http_cs2zs(header_value, strlen(header_value)));
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_env.h:75:48: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
return NULL != php_http_env_get_server_var(v, strlen(v), 1);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_env_response.c:159:59: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
set_option(options, ZEND_STRL("etag"), IS_STRING, etag, strlen(etag));
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_etag.c:39:47: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (mode && (eho = php_hash_fetch_ops(mode, strlen(mode)))) {
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_etag.c:74:42: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if ((eho = php_hash_fetch_ops(e->mode, strlen(e->mode)))) {
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_etag.c:104:42: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if ((eho = php_hash_fetch_ops(e->mode, strlen(e->mode)))) {
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_header_parser.c:228:25: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
size_t valid_len = strlen(parser->_val.str);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_info.c:105:22: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
end = pre_header + strlen(pre_header);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_message.c:527:45: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
php_http_message_object_prophandler_func_t read;
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_message.c:531:147: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
static ZEND_RESULT_CODE php_http_message_object_add_prophandler(const char *prop_str, size_t prop_len, php_http_message_object_prophandler_func_t read, php_http_message_object_prophandler_func_t write) {
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_message.c:532:46: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
php_http_message_object_prophandler_t h = { read, write };
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_message.c:913:26: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
if (handler && handler->read) {
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_message.c:917:13: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
handler->read(obj, return_value);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_message.c:1885:49: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
ZVAL_STR(zboundary, php_http_cs2zs(boundary, strlen(boundary)));
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_message_body.c:182:7: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
if (read) {
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_message_body.c:183:30: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
if (-1 == cb(cb_arg, buf, read)) {
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_message_body.c:188:7: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
if (read < MIN(forlen, sizeof(buf))) {
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_message_body.c:192:29: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
if (forlen && !(forlen -= read)) {
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_message_body.c:265:62: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
zend_string *safe_name, *zstr_name = zend_string_init(name, strlen(name), 0);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_message_body.c:290:20: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
size_t path_len = strlen(path);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_message_body.c:292:74: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
zend_string *base_name, *safe_name, *zstr_name = zend_string_init(name, strlen(name), 0);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_message_body.c:857:36: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
RETURN_STR(php_http_cs2zs(etag, strlen(etag)));
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_misc.c:25:2: [1] (obsolete) usleep:
This C routine is considered obsolete (as opposed to the shell command by
the same name). The interaction of this function with SIGALRM and other
timer functions such as sleep(), alarm(), setitimer(), and nanosleep() is
unspecified (CWE-676). Use nanosleep(2) or setitimer(2) instead.
usleep(PHP_HTTP_USEC(s));
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_misc.c:68:43: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
found = zend_memnstr(haystack, needle, strlen(needle), haystack+strlen(haystack));
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_misc.c:68:68: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
found = zend_memnstr(haystack, needle, strlen(needle), haystack+strlen(haystack));
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_misc.c:70:42: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
found = php_stristr(haystack, needle, strlen(haystack), strlen(needle));
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_misc.c:70:60: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
found = php_stristr(haystack, needle, strlen(haystack), strlen(needle));
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_misc.c:76:28: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
&& EXPECTED(!*(found + strlen(needle)) || !PHP_HTTP_IS_CTYPE(alnum, *(found + strlen(needle))))
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_misc.c:76:83: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
&& EXPECTED(!*(found + strlen(needle)) || !PHP_HTTP_IS_CTYPE(alnum, *(found + strlen(needle))))
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_params.c:324:36: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
ZVAL_STR(zv, php_http_cs2zs(ptr, strlen(ptr)));
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_querystring.c:292:11: [1] (buffer) equal:
Function does not check the second iterator for over-read conditions
(CWE-126). This function is often discouraged by most C++ coding standards
in favor of its safer alternatives provided since C++14. Consider using a
form of this function that checks the second iterator before potentially
overflowing it.
zval equal, tmp, *entry = NULL;
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_querystring.c:301:52: [1] (buffer) equal:
Function does not check the second iterator for over-read conditions
(CWE-126). This function is often discouraged by most C++ coding standards
in favor of its safer alternatives provided since C++14. Consider using a
form of this function that checks the second iterator before potentially
overflowing it.
} else if ((FAILURE == is_identical_function(&equal, qarray_entry, params_entry)) || Z_TYPE(equal) != IS_TRUE) {
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_querystring.c:301:98: [1] (buffer) equal:
Function does not check the second iterator for over-read conditions
(CWE-126). This function is often discouraged by most C++ coding standards
in favor of its safer alternatives provided since C++14. Consider using a
form of this function that checks the second iterator before potentially
overflowing it.
} else if ((FAILURE == is_identical_function(&equal, qarray_entry, params_entry)) || Z_TYPE(equal) != IS_TRUE) {
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_url.c:52:17: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
size_t hlen = strlen(hostname);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_url.c:104:42: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
php_http_buffer_append(&buf, host_str, strlen(host_str) + 1);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_url.c:124:63: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
php_http_buffer_append(&buf, SG(request_info).request_uri, strlen(SG(request_info).request_uri) + 1);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_url.c:131:63: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
php_http_buffer_append(&buf, SG(request_info).query_string, strlen(SG(request_info).query_string) + 1);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_url.c:159:61: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
url_append(&buf, php_http_buffer_append(&buf, new_url->n, strlen(new_url->n) + 1)); \
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_url.c:162:61: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
url_append(&buf, php_http_buffer_append(&buf, old_url->n, strlen(old_url->n) + 1)); \
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_url.c:201:26: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
size_t old_path_len = strlen(old_url->path), new_path_len = strlen(new_url->path);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_url.c:201:64: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
size_t old_path_len = strlen(old_url->path), new_path_len = strlen(new_url->path);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_url.c:207:5: [1] (buffer) strcat:
Does not check for buffer overflows when concatenating to destination
[MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
snprintf (warning: strncat is easily misused). Risk is low because the
source is a constant character.
strcat(path, "/");
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_url.c:215:56: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
url_append(&buf, php_http_buffer_append(&buf, path, strlen(path) + 1));
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_url.c:229:57: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
url_append(&buf, php_http_buffer_append(&buf, path, strlen(path) + 1));
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_url.c:277:38: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
char *ptr, *end = url(buf)->path + strlen(url(buf)->path) + 1;
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_url.c:645:10: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
end += strlen(end) + 1;
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_url.c:880:30: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
size_t offset = 0, u8_len = strlen(u8);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_url.c:942:19: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
size_t idnlen = strlen(idn);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_url.c:976:19: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
size_t idnlen = strlen(idn);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_url.c:1145:22: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
size_t ahost_len = strlen(ahost_str);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_url.c:1189:14: [1] (buffer) wcslen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
ahost_len = wcslen(ahost_str);
data/php-pecl-http-3.2.3+2.6.0/pecl_http-3.2.3/src/php_http_url.c:1270:21: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
state->offset += strlen(state->url.host);
ANALYSIS SUMMARY:
Hits = 205
Lines analyzed = 50417 in approximately 1.15 seconds (43653 lines/second)
Physical Source Lines of Code (SLOC) = 38478
Hits@level = [0] 89 [1] 105 [2] 80 [3] 8 [4] 12 [5] 0
Hits@level+ = [0+] 294 [1+] 205 [2+] 100 [3+] 20 [4+] 12 [5+] 0
Hits/KSLOC@level+ = [0+] 7.64073 [1+] 5.32772 [2+] 2.59889 [3+] 0.519778 [4+] 0.311867 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.