Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/pytorch-vision-0.8.1/examples/cpp/hello_world/main.cpp
Examining data/pytorch-vision-0.8.1/test/test_models.cpp
Examining data/pytorch-vision-0.8.1/test/tracing/frcnn/test_frcnn_tracing.cpp
Examining data/pytorch-vision-0.8.1/torchvision/csrc/DeformConv.h
Examining data/pytorch-vision-0.8.1/torchvision/csrc/PSROIAlign.h
Examining data/pytorch-vision-0.8.1/torchvision/csrc/PSROIPool.h
Examining data/pytorch-vision-0.8.1/torchvision/csrc/ROIAlign.h
Examining data/pytorch-vision-0.8.1/torchvision/csrc/ROIPool.h
Examining data/pytorch-vision-0.8.1/torchvision/csrc/autocast.h
Examining data/pytorch-vision-0.8.1/torchvision/csrc/cpu/DeformConv_cpu.cpp
Examining data/pytorch-vision-0.8.1/torchvision/csrc/cpu/PSROIAlign_cpu.cpp
Examining data/pytorch-vision-0.8.1/torchvision/csrc/cpu/PSROIPool_cpu.cpp
Examining data/pytorch-vision-0.8.1/torchvision/csrc/cpu/ROIAlign_cpu.cpp
Examining data/pytorch-vision-0.8.1/torchvision/csrc/cpu/ROIPool_cpu.cpp
Examining data/pytorch-vision-0.8.1/torchvision/csrc/cpu/decoder/audio_sampler.cpp
Examining data/pytorch-vision-0.8.1/torchvision/csrc/cpu/decoder/audio_sampler.h
Examining data/pytorch-vision-0.8.1/torchvision/csrc/cpu/decoder/audio_stream.cpp
Examining data/pytorch-vision-0.8.1/torchvision/csrc/cpu/decoder/audio_stream.h
Examining data/pytorch-vision-0.8.1/torchvision/csrc/cpu/decoder/cc_stream.cpp
Examining data/pytorch-vision-0.8.1/torchvision/csrc/cpu/decoder/cc_stream.h
Examining data/pytorch-vision-0.8.1/torchvision/csrc/cpu/decoder/decoder.cpp
Examining data/pytorch-vision-0.8.1/torchvision/csrc/cpu/decoder/decoder.h
Examining data/pytorch-vision-0.8.1/torchvision/csrc/cpu/decoder/defs.h
Examining data/pytorch-vision-0.8.1/torchvision/csrc/cpu/decoder/memory_buffer.cpp
Examining data/pytorch-vision-0.8.1/torchvision/csrc/cpu/decoder/memory_buffer.h
Examining data/pytorch-vision-0.8.1/torchvision/csrc/cpu/decoder/seekable_buffer.cpp
Examining data/pytorch-vision-0.8.1/torchvision/csrc/cpu/decoder/seekable_buffer.h
Examining data/pytorch-vision-0.8.1/torchvision/csrc/cpu/decoder/stream.cpp
Examining data/pytorch-vision-0.8.1/torchvision/csrc/cpu/decoder/stream.h
Examining data/pytorch-vision-0.8.1/torchvision/csrc/cpu/decoder/subtitle_sampler.cpp
Examining data/pytorch-vision-0.8.1/torchvision/csrc/cpu/decoder/subtitle_sampler.h
Examining data/pytorch-vision-0.8.1/torchvision/csrc/cpu/decoder/subtitle_stream.cpp
Examining data/pytorch-vision-0.8.1/torchvision/csrc/cpu/decoder/subtitle_stream.h
Examining data/pytorch-vision-0.8.1/torchvision/csrc/cpu/decoder/sync_decoder.cpp
Examining data/pytorch-vision-0.8.1/torchvision/csrc/cpu/decoder/sync_decoder.h
Examining data/pytorch-vision-0.8.1/torchvision/csrc/cpu/decoder/sync_decoder_test.cpp
Examining data/pytorch-vision-0.8.1/torchvision/csrc/cpu/decoder/time_keeper.cpp
Examining data/pytorch-vision-0.8.1/torchvision/csrc/cpu/decoder/time_keeper.h
Examining data/pytorch-vision-0.8.1/torchvision/csrc/cpu/decoder/util.cpp
Examining data/pytorch-vision-0.8.1/torchvision/csrc/cpu/decoder/util.h
Examining data/pytorch-vision-0.8.1/torchvision/csrc/cpu/decoder/util_test.cpp
Examining data/pytorch-vision-0.8.1/torchvision/csrc/cpu/decoder/video_sampler.cpp
Examining data/pytorch-vision-0.8.1/torchvision/csrc/cpu/decoder/video_sampler.h
Examining data/pytorch-vision-0.8.1/torchvision/csrc/cpu/decoder/video_stream.cpp
Examining data/pytorch-vision-0.8.1/torchvision/csrc/cpu/decoder/video_stream.h
Examining data/pytorch-vision-0.8.1/torchvision/csrc/cpu/image/image.cpp
Examining data/pytorch-vision-0.8.1/torchvision/csrc/cpu/image/image.h
Examining data/pytorch-vision-0.8.1/torchvision/csrc/cpu/image/jpegcommon.cpp
Examining data/pytorch-vision-0.8.1/torchvision/csrc/cpu/image/jpegcommon.h
Examining data/pytorch-vision-0.8.1/torchvision/csrc/cpu/image/read_image_cpu.cpp
Examining data/pytorch-vision-0.8.1/torchvision/csrc/cpu/image/read_image_cpu.h
Examining data/pytorch-vision-0.8.1/torchvision/csrc/cpu/image/read_write_file_cpu.cpp
Examining data/pytorch-vision-0.8.1/torchvision/csrc/cpu/image/read_write_file_cpu.h
Examining data/pytorch-vision-0.8.1/torchvision/csrc/cpu/image/readjpeg_cpu.cpp
Examining data/pytorch-vision-0.8.1/torchvision/csrc/cpu/image/readjpeg_cpu.h
Examining data/pytorch-vision-0.8.1/torchvision/csrc/cpu/image/readpng_cpu.cpp
Examining data/pytorch-vision-0.8.1/torchvision/csrc/cpu/image/readpng_cpu.h
Examining data/pytorch-vision-0.8.1/torchvision/csrc/cpu/image/writejpeg_cpu.cpp
Examining data/pytorch-vision-0.8.1/torchvision/csrc/cpu/image/writejpeg_cpu.h
Examining data/pytorch-vision-0.8.1/torchvision/csrc/cpu/image/writepng_cpu.cpp
Examining data/pytorch-vision-0.8.1/torchvision/csrc/cpu/image/writepng_cpu.h
Examining data/pytorch-vision-0.8.1/torchvision/csrc/cpu/nms_cpu.cpp
Examining data/pytorch-vision-0.8.1/torchvision/csrc/cpu/video/Video.cpp
Examining data/pytorch-vision-0.8.1/torchvision/csrc/cpu/video/Video.h
Examining data/pytorch-vision-0.8.1/torchvision/csrc/cpu/video/register.cpp
Examining data/pytorch-vision-0.8.1/torchvision/csrc/cpu/video_reader/VideoReader.cpp
Examining data/pytorch-vision-0.8.1/torchvision/csrc/cpu/video_reader/VideoReader.h
Examining data/pytorch-vision-0.8.1/torchvision/csrc/cpu/vision_cpu.h
Examining data/pytorch-vision-0.8.1/torchvision/csrc/cuda/cuda_helpers.h
Examining data/pytorch-vision-0.8.1/torchvision/csrc/cuda/vision_cuda.h
Examining data/pytorch-vision-0.8.1/torchvision/csrc/empty_tensor_op.h
Examining data/pytorch-vision-0.8.1/torchvision/csrc/models/alexnet.cpp
Examining data/pytorch-vision-0.8.1/torchvision/csrc/models/alexnet.h
Examining data/pytorch-vision-0.8.1/torchvision/csrc/models/densenet.cpp
Examining data/pytorch-vision-0.8.1/torchvision/csrc/models/densenet.h
Examining data/pytorch-vision-0.8.1/torchvision/csrc/models/general.h
Examining data/pytorch-vision-0.8.1/torchvision/csrc/models/googlenet.cpp
Examining data/pytorch-vision-0.8.1/torchvision/csrc/models/googlenet.h
Examining data/pytorch-vision-0.8.1/torchvision/csrc/models/inception.cpp
Examining data/pytorch-vision-0.8.1/torchvision/csrc/models/inception.h
Examining data/pytorch-vision-0.8.1/torchvision/csrc/models/mnasnet.cpp
Examining data/pytorch-vision-0.8.1/torchvision/csrc/models/mnasnet.h
Examining data/pytorch-vision-0.8.1/torchvision/csrc/models/mobilenet.cpp
Examining data/pytorch-vision-0.8.1/torchvision/csrc/models/mobilenet.h
Examining data/pytorch-vision-0.8.1/torchvision/csrc/models/models.h
Examining data/pytorch-vision-0.8.1/torchvision/csrc/models/modelsimpl.h
Examining data/pytorch-vision-0.8.1/torchvision/csrc/models/resnet.cpp
Examining data/pytorch-vision-0.8.1/torchvision/csrc/models/resnet.h
Examining data/pytorch-vision-0.8.1/torchvision/csrc/models/shufflenetv2.cpp
Examining data/pytorch-vision-0.8.1/torchvision/csrc/models/shufflenetv2.h
Examining data/pytorch-vision-0.8.1/torchvision/csrc/models/squeezenet.cpp
Examining data/pytorch-vision-0.8.1/torchvision/csrc/models/squeezenet.h
Examining data/pytorch-vision-0.8.1/torchvision/csrc/models/vgg.cpp
Examining data/pytorch-vision-0.8.1/torchvision/csrc/models/vgg.h
Examining data/pytorch-vision-0.8.1/torchvision/csrc/nms.h
Examining data/pytorch-vision-0.8.1/torchvision/csrc/vision.cpp
Examining data/pytorch-vision-0.8.1/torchvision/csrc/vision.h

FINAL RESULTS:

data/pytorch-vision-0.8.1/torchvision/csrc/cpu/decoder/sync_decoder_test.cpp:86:8:  [3] (random) srand:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  std::srand(time(nullptr));

data/pytorch-vision-0.8.1/torchvision/csrc/cpu/decoder/decoder.cpp:136:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf[kLogBufferSize] = {0};

data/pytorch-vision-0.8.1/torchvision/csrc/cpu/decoder/memory_buffer.cpp:12:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(buf, buffer_ + pos_, available);

data/pytorch-vision-0.8.1/torchvision/csrc/cpu/decoder/seekable_buffer.cpp:115:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(buf, buffer_.data() + pos_, available);

data/pytorch-vision-0.8.1/torchvision/csrc/cpu/decoder/subtitle_sampler.cpp:37:7:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(out->writableTail(), in->data(), len);

data/pytorch-vision-0.8.1/torchvision/csrc/cpu/decoder/sync_decoder_test.cpp:48:15:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  FILE* f = fopen(item.name.c_str(), "rb");

data/pytorch-vision-0.8.1/torchvision/csrc/cpu/decoder/sync_decoder_test.cpp:88:15:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  FILE* f = fopen(item.name.c_str(), "rb");

data/pytorch-vision-0.8.1/torchvision/csrc/cpu/decoder/sync_decoder_test.cpp:320:13:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  FILE* f = fopen(

data/pytorch-vision-0.8.1/torchvision/csrc/cpu/decoder/sync_decoder_test.cpp:347:13:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  FILE* f = fopen("pytorch/vision/test/assets/videos/R6llTwEh07w.mp4", "rb");

data/pytorch-vision-0.8.1/torchvision/csrc/cpu/decoder/sync_decoder_test.cpp:386:13:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  FILE* f = fopen("pytorch/vision/test/assets/videos/R6llTwEh07w.mp4", "rb");

data/pytorch-vision-0.8.1/torchvision/csrc/cpu/decoder/util.cpp:25:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(dest + pos, &src, required);

data/pytorch-vision-0.8.1/torchvision/csrc/cpu/decoder/util.cpp:40:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(&dest, src + pos, required);

data/pytorch-vision-0.8.1/torchvision/csrc/cpu/decoder/util.cpp:102:11:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(d + p, x.pict.data[i], x.pict.linesize[i]);

data/pytorch-vision-0.8.1/torchvision/csrc/cpu/decoder/util.cpp:114:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(d + p, x.text, s);

data/pytorch-vision-0.8.1/torchvision/csrc/cpu/decoder/util.cpp:126:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(d + p, x.ass, s);

data/pytorch-vision-0.8.1/torchvision/csrc/cpu/decoder/util.cpp:182:11:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(x.pict.data[i], y + p, x.pict.linesize[i]);

data/pytorch-vision-0.8.1/torchvision/csrc/cpu/decoder/util.cpp:195:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(x.text, y + p, s);

data/pytorch-vision-0.8.1/torchvision/csrc/cpu/decoder/util.cpp:209:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(x.ass, y + p, s);

data/pytorch-vision-0.8.1/torchvision/csrc/cpu/image/jpegcommon.h:16:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char jpegLastErrorMsg[JMSG_LENGTH_MAX]; /* error messages */

data/pytorch-vision-0.8.1/torchvision/csrc/cpu/image/read_write_file_cpu.cpp:47:19:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  FILE* outfile = fopen(fileCStr, "wb");

data/pytorch-vision-0.8.1/torchvision/csrc/cpu/image/readjpeg_cpu.cpp:30:3:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string.
  strcpy(myerr->jpegLastErrorMsg, "Image is incomplete or truncated");

data/pytorch-vision-0.8.1/torchvision/csrc/cpu/image/writejpeg_cpu.cpp:99:8:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  std::memcpy(outPtr, jpegBuf, sizeof(uint8_t) * outTensor.numel());

data/pytorch-vision-0.8.1/torchvision/csrc/cpu/image/writepng_cpu.cpp:61:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(p->buffer + p->size, data, length);

data/pytorch-vision-0.8.1/torchvision/csrc/cpu/image/writepng_cpu.cpp:170:8:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  std::memcpy(outPtr, buf_info.buffer, sizeof(uint8_t) * outTensor.numel());

data/pytorch-vision-0.8.1/torchvision/csrc/cpu/video/Video.cpp:39:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(frameData, msg.payload->data(), sizeInBytes);

data/pytorch-vision-0.8.1/torchvision/csrc/cpu/video_reader/VideoReader.cpp:110:7:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(frameData + offset, msg.payload->data(), sizeInBytes);

data/pytorch-vision-0.8.1/torchvision/csrc/cpu/decoder/decoder.cpp:187:26:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  return seekableBuffer_.read(buf, size, params_.timeoutMs);

data/pytorch-vision-0.8.1/torchvision/csrc/cpu/decoder/memory_buffer.cpp:9:19:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  int MemoryBuffer::read(uint8_t* buf, int size) {

data/pytorch-vision-0.8.1/torchvision/csrc/cpu/decoder/memory_buffer.cpp:60:25:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  return object.read(out, size);

data/pytorch-vision-0.8.1/torchvision/csrc/cpu/decoder/memory_buffer.h:14:7:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  int read(uint8_t* buf, int size);

data/pytorch-vision-0.8.1/torchvision/csrc/cpu/decoder/seekable_buffer.cpp:108:21:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  int SeekableBuffer::read(uint8_t* buf, int size, uint64_t timeoutMs) {

data/pytorch-vision-0.8.1/torchvision/csrc/cpu/decoder/seekable_buffer.h:28:7:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  int read(uint8_t* buf, int size, uint64_t timeoutMs);

data/pytorch-vision-0.8.1/torchvision/csrc/cpu/decoder/sync_decoder_test.cpp:363:25:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  return object.read(out, size);

data/pytorch-vision-0.8.1/torchvision/csrc/cpu/decoder/sync_decoder_test.cpp:402:25:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  return object.read(out, size);

data/pytorch-vision-0.8.1/torchvision/csrc/cpu/decoder/util.cpp:58:14:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  s += strlen(y.text);

data/pytorch-vision-0.8.1/torchvision/csrc/cpu/decoder/util.cpp:62:14:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  s += strlen(y.ass);

data/pytorch-vision-0.8.1/torchvision/csrc/cpu/decoder/util.cpp:107:26:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  const size_t s = strlen(x.text);

data/pytorch-vision-0.8.1/torchvision/csrc/cpu/decoder/util.cpp:119:26:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  const size_t s = strlen(x.ass);

ANALYSIS SUMMARY:

Hits = 38
Lines analyzed = 12412 in approximately 0.35 seconds (35264 lines/second)
Physical Source Lines of Code (SLOC) = 9883
Hits@level = [0]   5 [1]  12 [2]  25 [3]   1 [4]   0 [5]   0
Hits@level+ = [0+]  43 [1+]  38 [2+]  26 [3+]   1 [4+]   0 [5+]   0
Hits/KSLOC@level+ = [0+] 4.35091 [1+] 3.84499 [2+] 2.63078 [3+] 0.101184 [4+]   0 [5+]   0
Dot directories skipped = 3 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.
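Triage note on the memcpy and read hits. Flawfinder flags every memcpy and every function named read by name alone; the memory_buffer.cpp and seekable_buffer.cpp hits (`memcpy(buf, buffer_ + pos_, available)` inside `read(uint8_t* buf, int size)`) are the pattern where the copy length is computed from the caller's capacity and the bytes left in the source, so what a reviewer must confirm is that the length is clamped against both. The following is an added example, not torchvision's code, showing that pattern in a form where the clamp is explicit and the "read in a loop" case the level-1 hits warn about is exercised; the class and function names (BoundedMemoryBuffer, drainInChunks, sampleData) are hypothetical.

```cpp
// Added example (not torchvision's code): a memory-backed reader whose
// memcpy is bounded by construction, the property a reviewer must confirm
// for each Flawfinder memcpy/read hit. All names here are hypothetical.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <utility>
#include <vector>

class BoundedMemoryBuffer {
 public:
  explicit BoundedMemoryBuffer(std::vector<uint8_t> data)
      : buffer_(std::move(data)), pos_(0) {}

  // Copies up to `size` bytes into `buf`, never more than remain in
  // buffer_. Returns bytes copied; 0 at end of data or for a bad request.
  int read(uint8_t* buf, int size) {
    if (buf == nullptr || size <= 0) return 0;   // reject bogus requests
    if (pos_ >= buffer_.size()) return 0;        // already drained
    const size_t remaining = buffer_.size() - pos_;
    // Clamp against BOTH the caller's capacity and the source's remainder:
    // this is what makes the memcpy below a non-finding.
    const size_t available = std::min(static_cast<size_t>(size), remaining);
    std::memcpy(buf, buffer_.data() + pos_, available);
    pos_ += available;
    return static_cast<int>(available);
  }

  // Repositions the cursor; out-of-range offsets are clamped, not trusted.
  void seek(size_t pos) { pos_ = std::min(pos, buffer_.size()); }
  size_t position() const { return pos_; }
  size_t size() const { return buffer_.size(); }

 private:
  std::vector<uint8_t> buffer_;
  size_t pos_;
};

// Drains a buffer in fixed-size chunks (the "read in a loop" case the
// level-1 hits warn about) and returns the total number of bytes read.
// The scratch chunk is sized explicitly, so the loop can never over-run it.
size_t drainInChunks(BoundedMemoryBuffer& src, int chunk,
                     std::vector<uint8_t>& out) {
  if (chunk <= 0) return 0;
  std::vector<uint8_t> tmp(static_cast<size_t>(chunk));
  size_t total = 0;
  int n;
  while ((n = src.read(tmp.data(), chunk)) > 0) {
    out.insert(out.end(), tmp.begin(), tmp.begin() + n);
    total += static_cast<size_t>(n);
  }
  return total;
}

// Constructed sample input (1000 bytes, value = index mod 256); not taken
// from any real file.
std::vector<uint8_t> sampleData() {
  std::vector<uint8_t> v(1000);
  for (size_t i = 0; i < v.size(); ++i) v[i] = static_cast<uint8_t>(i & 0xFF);
  return v;
}

int main() {
  BoundedMemoryBuffer b(sampleData());
  std::vector<uint8_t> out;
  const size_t total = drainInChunks(b, 64, out);  // 1000 bytes in 16 reads
  return total == 1000 && out == sampleData() ? 0 : 1;
}
```

The point of the example for triage: once `available` is provably `min(size, remaining)`, the memcpy hit closes as a false positive; if a real implementation computes `available` from a network or file header instead, the hit stays open until that value is validated against the destination size.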
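Triage note on the fopen hits (CWE-362). The report asks whether an attacker can redirect the path through a symlink, substitute a device file, or race the open; `fopen(path, "rb")` answers none of those. The following is an added example, not torchvision's code, of a replacement that opens with O_NOFOLLOW and then checks the type on the descriptor it actually holds, so there is no second path lookup to race. It is POSIX-only, and the names openRegularFile, OpenResult, makeFixture and removeFixture are hypothetical; the fixture writes a constructed file and symlink under /tmp purely so the example can exercise itself.

```cpp
// Added example (not torchvision's code): a hardened replacement for
// fopen(path, "rb") covering the checks the CWE-362 fopen hits ask for.
// POSIX only; all names are hypothetical.
#include <cerrno>
#include <cstdio>
#include <cstdlib>
#include <string>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

enum class OpenStatus { Ok, NotFound, IsSymlink, NotRegularFile, OtherError };

struct OpenResult {
  FILE* file = nullptr;
  OpenStatus status = OpenStatus::OtherError;
};

OpenResult openRegularFile(const char* path) {
  OpenResult r;
  // O_NOFOLLOW: a symlink at the final path component fails with ELOOP
  //   instead of being followed, so a swapped link cannot redirect the read.
  // O_NOCTTY: opening a terminal device must not make it our controlling tty.
  // O_CLOEXEC: the descriptor does not leak into child processes.
  int fd = ::open(path, O_RDONLY | O_NOFOLLOW | O_NOCTTY | O_CLOEXEC);
  if (fd < 0) {
    if (errno == ELOOP) r.status = OpenStatus::IsSymlink;
    else if (errno == ENOENT) r.status = OpenStatus::NotFound;
    else r.status = OpenStatus::OtherError;
    return r;
  }
  // Type-check the descriptor we hold, not the path: a stat-then-open
  // sequence would reopen the race that O_NOFOLLOW closes.
  struct stat st;
  if (::fstat(fd, &st) != 0) {
    ::close(fd); r.status = OpenStatus::OtherError; return r;
  }
  if (!S_ISREG(st.st_mode)) {  // rejects directories, devices, FIFOs, sockets
    ::close(fd); r.status = OpenStatus::NotRegularFile; return r;
  }
  FILE* f = ::fdopen(fd, "rb");  // hand the checked descriptor to stdio
  if (f == nullptr) {
    ::close(fd); r.status = OpenStatus::OtherError; return r;
  }
  r.file = f;
  r.status = OpenStatus::Ok;
  return r;
}

// Constructed fixture for the demonstration: a scratch directory holding a
// regular file and a symlink pointing at it. Not derived from any real data.
struct Fixture { std::string dir, regular, link; bool ok = false; };

Fixture makeFixture() {
  Fixture fx;
  char tmpl[] = "/tmp/ffopenXXXXXX";
  char* d = ::mkdtemp(tmpl);
  if (d == nullptr) return fx;
  fx.dir = d;
  fx.regular = fx.dir + "/sample.bin";
  fx.link = fx.dir + "/sample.lnk";
  FILE* f = std::fopen(fx.regular.c_str(), "wb");
  if (f == nullptr) return fx;
  std::fputs("constructed sample bytes", f);
  std::fclose(f);
  if (::symlink(fx.regular.c_str(), fx.link.c_str()) != 0) return fx;
  fx.ok = true;
  return fx;
}

void removeFixture(const Fixture& fx) {
  ::unlink(fx.link.c_str());
  ::unlink(fx.regular.c_str());
  ::rmdir(fx.dir.c_str());
}

int main() {
  Fixture fx = makeFixture();
  if (!fx.ok) return 2;
  OpenResult good = openRegularFile(fx.regular.c_str());
  OpenResult viaLink = openRegularFile(fx.link.c_str());
  if (good.file) std::fclose(good.file);
  removeFixture(fx);
  return (good.status == OpenStatus::Ok &&
          viaLink.status == OpenStatus::IsSymlink) ? 0 : 1;
}
```

Caveat for the reviewer: O_NOFOLLOW only guards the last path component, so an attacker who controls a parent directory can still swap the directory; where that matters, open the directory first and use openat with a relative name. The same technique applies to the "wb" fopen in read_write_file_cpu.cpp, with O_WRONLY | O_CREAT | O_EXCL in place of O_RDONLY when the file must not already exist.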