Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/php-pinba-1.1.1/php_pinba.h
Examining data/php-pinba-1.1.1/pinba-pb-c.c
Examining data/php-pinba-1.1.1/pinba.pb-c.h
Examining data/php-pinba-1.1.1/protobuf-c-private.h
Examining data/php-pinba-1.1.1/protobuf-c.c
Examining data/php-pinba-1.1.1/protobuf-c.h
Examining data/php-pinba-1.1.1/pinba.c

FINAL RESULTS:

data/php-pinba-1.1.1/protobuf-c.c:1400:35:  [4] (format) printf:
  If format strings can be influenced by an attacker, they can be exploited
  (CWE-134). Use a constant for the format specification.
# define UNPACK_ERROR(args) do { printf args;printf("\n"); }while(0)
data/php-pinba-1.1.1/php_pinba.h:65:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
char host_name[128];
data/php-pinba-1.1.1/php_pinba.h:66:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
char schema[17];
data/php-pinba-1.1.1/pinba.c:373:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
memcpy(buf + wrote_len, tags[i]->name, tags[i]->name_len);
data/php-pinba-1.1.1/pinba.c:376:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
memcpy(buf + wrote_len, "=>", 2);
data/php-pinba-1.1.1/pinba.c:379:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
memcpy(buf + wrote_len, tags[i]->value, tags[i]->value_len);
data/php-pinba-1.1.1/pinba.c:382:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
memcpy(buf + wrote_len, ",", 1);
data/php-pinba-1.1.1/pinba.c:521:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
memcpy(&collector->sockaddr, ai_ptr->ai_addr, ai_ptr->ai_addrlen);
data/php-pinba-1.1.1/pinba.c:572:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
char hostname[256], *tag_value;
data/php-pinba-1.1.1/pinba.c:898:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
unsigned char _pad[256]; \
data/php-pinba-1.1.1/pinba.c:1863:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
memcpy(PINBA_G(host_name), hostname, hostname_len);
data/php-pinba-1.1.1/pinba.c:1866:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
memcpy(PINBA_G(host_name), hostname, sizeof(PINBA_G(host_name)) - 1);
data/php-pinba-1.1.1/pinba.c:1885:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
memcpy(PINBA_G(schema), schema, schema_len);
data/php-pinba-1.1.1/pinba.c:1888:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
memcpy(PINBA_G(schema), schema, sizeof(PINBA_G(schema)) - 1);
data/php-pinba-1.1.1/pinba.c:2623:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
memcpy(&pinba_client_handlers, zend_get_std_object_handlers(), sizeof(zend_object_handlers));
data/php-pinba-1.1.1/protobuf-c.c:170:7:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
memcpy (new_data, simp->data, simp->len);
data/php-pinba-1.1.1/protobuf-c.c:178:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
memcpy (simp->data + simp->len, data, len);
data/php-pinba-1.1.1/protobuf-c.c:606:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
memcpy (out, &value, 4);
data/php-pinba-1.1.1/protobuf-c.c:626:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
memcpy (out, &value, 8);
data/php-pinba-1.1.1/protobuf-c.c:667:7:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
memcpy (out + rv, str, len);
data/php-pinba-1.1.1/protobuf-c.c:677:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
memcpy (out + rv, bd->data, len);
data/php-pinba-1.1.1/protobuf-c.c:830:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
memcpy (out, in, N * 4);
data/php-pinba-1.1.1/protobuf-c.c:842:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
memcpy (out, in, N * 8);
data/php-pinba-1.1.1/protobuf-c.c:987:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
memcpy (out + rv, field->data, field->len);
data/php-pinba-1.1.1/protobuf-c.c:1624:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
memcpy (&t, data, 4);
data/php-pinba-1.1.1/protobuf-c.c:1662:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
memcpy (&t, data, 8);
data/php-pinba-1.1.1/protobuf-c.c:1754:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
memcpy (*pstr, data + pref_len, len - pref_len);
data/php-pinba-1.1.1/protobuf-c.c:1771:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
memcpy (bd->data, data + pref_len, len - pref_len);
data/php-pinba-1.1.1/protobuf-c.c:1984:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
memcpy (array, at, count * siz);
data/php-pinba-1.1.1/protobuf-c.c:2003:7:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
memcpy (ufield->data, scanned_member->data, ufield->len);
data/php-pinba-1.1.1/protobuf-c.c:2050:11:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
memcpy (field, dv, 4);
data/php-pinba-1.1.1/protobuf-c.c:2059:11:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
memcpy (field, dv, 8);
data/php-pinba-1.1.1/protobuf-c.c:2063:11:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
memcpy (field, dv, sizeof (protobuf_c_boolean));
data/php-pinba-1.1.1/protobuf-c.c:2067:11:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
memcpy (field, dv, sizeof (ProtobufCBinaryData));
data/php-pinba-1.1.1/pinba.c:720:59:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
word_id = php_pinba_dict_find_or_add(&dict, tag_value, strlen(tag_value));
data/php-pinba-1.1.1/protobuf-c.c:338:28:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
size_t len = str ? strlen (str) : 0;
data/php-pinba-1.1.1/protobuf-c.c:439:24:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
size_t len = strlen (((char**) array)[i]);
data/php-pinba-1.1.1/protobuf-c.c:665:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
size_t len = strlen (str);
data/php-pinba-1.1.1/protobuf-c.c:1085:31:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
size_t sublen = str ? strlen (str) : 0;

ANALYSIS SUMMARY:

Hits = 39
Lines analyzed = 6467 in approximately 0.15 seconds (44075 lines/second)
Physical Source Lines of Code (SLOC) = 5144
Hits@level = [0]   3 [1]   5 [2]  33 [3]   0 [4]   1 [5]   0
Hits@level+ = [0+]  42 [1+]  39 [2+]  34 [3+]   1 [4+]   1 [5+]   0
Hits/KSLOC@level+ = [0+] 8.16485 [1+] 7.58165 [2+] 6.60964 [3+] 0.194401 [4+] 0.194401 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.
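Triage note on the single [4] hit (protobuf-c.c:1400, the UNPACK_ERROR macro): `printf args` is only a CWE-134 problem if some call site passes a non-literal as the first element of `args`; the report does not show the call sites, so that has to be checked in the source. The example below is an added illustration, not pinba or protobuf-c code, of how such a macro can be made safe by construction: the `"" __VA_ARGS__` idiom forces the first argument to be a string literal (a variable there is a compile error because literal concatenation fails), and the printf format attribute lets the compiler check the remaining arguments. The function and message names are constructed for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#if defined(__GNUC__)
#define PRINTF_LIKE(fmt_idx, arg_idx) __attribute__((format(printf, fmt_idx, arg_idx)))
#else
#define PRINTF_LIKE(fmt_idx, arg_idx)
#endif

/* Holds the last formatted message so callers (and tests) can inspect it.
   Constructed for this example; the original macro only prints. */
static char last_unpack_error[256];

static int unpack_error_fmt(const char *fmt, ...) PRINTF_LIKE(1, 2);

/* Format into a bounded buffer, then print it with the trailing newline the
   original macro adds. Returns the length the message would have had, as
   vsnprintf does (>= sizeof last_unpack_error means it was truncated). */
static int unpack_error_fmt(const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(last_unpack_error, sizeof last_unpack_error, fmt, ap);
    va_end(ap);
    printf("%s\n", last_unpack_error);
    return n;
}

/* Hardened replacement for `do { printf args; printf("\n"); } while (0)`.
   The leading "" concatenates with the first argument, so
   UNPACK_ERROR(user_supplied_fmt) does not compile. Call sites change from
   UNPACK_ERROR(("fmt", x)) to UNPACK_ERROR("fmt", x). */
#define UNPACK_ERROR(...) unpack_error_fmt("" __VA_ARGS__)

/* A call site in the style of an unpack error. Format is a literal; the
   attacker-influenced values only ever travel through %d / %u arguments. */
int report_bad_wiretype(unsigned field_number, int wire_type)
{
    return UNPACK_ERROR("unsupported wire type %d for field %u", wire_type, field_number);
}

const char *last_unpack_error_text(void)
{
    return last_unpack_error;
}
```

With the idiom in place, a line such as `UNPACK_ERROR(err_msg_from_packet)` fails to build, which is the check flawfinder cannot do for you.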
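Triage note on the [2] buffer hits: the paired memcpy calls at pinba.c:1863 and :1866 (and likewise :1885/:1888 for the 17-byte schema) indicate a length check that clamps the copy into the fixed-size host_name[128] from php_pinba.h; flawfinder flags every memcpy regardless, so the reviewer's job is to confirm the guard is there and that the terminator is written. The four memcpy calls at pinba.c:373-382 are a different shape: an accumulating `wrote_len` into `buf`, which is only safe if the total was sized before the loop. The code below is an added example, not pinba's code, of both patterns written so the bound is explicit; the struct, sizes, tag names and values are constructed for the example.

```c
#include <stddef.h>
#include <string.h>

/* Mirrors the flagged fixed-size field; the size is an assumption here. */
#define HOST_NAME_SIZE 128

struct example_globals {
    char host_name[HOST_NAME_SIZE];
};

/* Copy at most dst_size-1 bytes and always NUL-terminate.
   Returns the number of bytes copied; a result smaller than src_len means
   the input was truncated, which the caller may want to log. */
size_t copy_bounded(char *dst, size_t dst_size, const char *src, size_t src_len)
{
    size_t n = src_len;

    if (dst_size == 0)
        return 0;
    if (n > dst_size - 1)
        n = dst_size - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

struct example_tag {
    const char *name;
    size_t name_len;
    const char *value;
    size_t value_len;
};

/* Serialize tags as name=>value,name=>value,... into buf.
   The required length is computed first; nothing is written unless the whole
   result plus terminator fits. Returns the length written, or (size_t)-1 if
   buf_size is too small. */
size_t serialize_tags(char *buf, size_t buf_size,
                      const struct example_tag *tags, size_t count)
{
    size_t need = 0, wrote_len = 0, i;

    for (i = 0; i < count; i++)
        need += tags[i].name_len + 2 + tags[i].value_len + 1; /* name "=>" value "," */
    if (need + 1 > buf_size)                                   /* +1 for '\0' */
        return (size_t)-1;

    for (i = 0; i < count; i++) {
        memcpy(buf + wrote_len, tags[i].name, tags[i].name_len);
        wrote_len += tags[i].name_len;
        memcpy(buf + wrote_len, "=>", 2);
        wrote_len += 2;
        memcpy(buf + wrote_len, tags[i].value, tags[i].value_len);
        wrote_len += tags[i].value_len;
        memcpy(buf + wrote_len, ",", 1);
        wrote_len += 1;
    }
    buf[wrote_len] = '\0';
    return wrote_len;
}

/* Constructed input: a 299-character hostname must be clamped to 127 bytes. */
size_t demo_overlong_hostname(void)
{
    struct example_globals g;
    char long_name[300];

    memset(long_name, 'h', sizeof long_name - 1);
    long_name[sizeof long_name - 1] = '\0';
    return copy_bounded(g.host_name, sizeof g.host_name, long_name, strlen(long_name));
}

static char demo_out[64];

/* Constructed input: two tags serialized into the first out_size bytes of
   demo_out. "group=>api,server=>web1," needs 24 bytes plus the terminator. */
size_t demo_tags(size_t out_size)
{
    const struct example_tag tags[2] = {
        { "group", 5, "api", 3 },
        { "server", 6, "web1", 4 },
    };

    if (out_size > sizeof demo_out)
        out_size = sizeof demo_out;
    return serialize_tags(demo_out, out_size, tags, 2);
}

const char *demo_out_text(void)
{
    return demo_out;
}
```

The boundary cases are the ones worth keeping in a unit test: a buffer of exactly need+1 bytes succeeds, a buffer of need bytes is refused before any byte is written, and an overlong hostname comes back one byte shorter than the array so the terminator always fits.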