Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/quvi-0.9.4/src/pbar/lpbar.h
Examining data/quvi-0.9.4/src/pbar/lpbar.c
Examining data/quvi-0.9.4/src/setup.c
Examining data/quvi-0.9.4/src/get/http.c
Examining data/quvi-0.9.4/src/get/lget.h
Examining data/quvi-0.9.4/src/get/lget.c
Examining data/quvi-0.9.4/src/builtin/dump.c
Examining data/quvi-0.9.4/src/builtin/info.c
Examining data/quvi-0.9.4/src/builtin/scan.c
Examining data/quvi-0.9.4/src/builtin/get.c
Examining data/quvi-0.9.4/src/input/linput.c
Examining data/quvi-0.9.4/src/input/linput.h
Examining data/quvi-0.9.4/src/opts.h
Examining data/quvi-0.9.4/src/cmd.h
Examining data/quvi-0.9.4/src/status.c
Examining data/quvi-0.9.4/src/opts/chk.c
Examining data/quvi-0.9.4/src/opts/err.c
Examining data/quvi-0.9.4/src/opts/lopts.h
Examining data/quvi-0.9.4/src/opts/lopts.c
Examining data/quvi-0.9.4/src/opts/print.c
Examining data/quvi-0.9.4/src/opts/config.c
Examining data/quvi-0.9.4/src/opts/get.c
Examining data/quvi-0.9.4/src/sig.c
Examining data/quvi-0.9.4/src/print/enum_print.c
Examining data/quvi-0.9.4/src/print/rfc2483_print.c
Examining data/quvi-0.9.4/src/print/xml_print.c
Examining data/quvi-0.9.4/src/print/json_print.c
Examining data/quvi-0.9.4/src/print/lprint.h
Examining data/quvi-0.9.4/src/setup.h
Examining data/quvi-0.9.4/src/util/slist.c
Examining data/quvi-0.9.4/src/util/support.c
Examining data/quvi-0.9.4/src/util/chk.c
Examining data/quvi-0.9.4/src/util/query.c
Examining data/quvi-0.9.4/src/util/file.c
Examining data/quvi-0.9.4/src/util/xchg.c
Examining data/quvi-0.9.4/src/util/verbosity.c
Examining data/quvi-0.9.4/src/util/strv.c
Examining data/quvi-0.9.4/src/util/input.c
Examining data/quvi-0.9.4/src/util/choose.c
Examining data/quvi-0.9.4/src/util/fpath.c
Examining data/quvi-0.9.4/src/util/metainfo.c
Examining data/quvi-0.9.4/src/util/regex.c
Examining data/quvi-0.9.4/src/util/quvi.c
Examining data/quvi-0.9.4/src/util/lutil.h
Examining data/quvi-0.9.4/src/util/strerr.c
Examining data/quvi-0.9.4/src/util/exec.c
Examining data/quvi-0.9.4/src/util/curl.c
Examining data/quvi-0.9.4/src/opts.c
Examining data/quvi-0.9.4/src/sig.h
Examining data/quvi-0.9.4/src/main.c

FINAL RESULTS:

data/quvi-0.9.4/src/input/linput.c:48:11:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(&(r[n]), s, sn);
data/quvi-0.9.4/src/util/file.c:86:20:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force
  the opening of special file type (e.g., device files), move things around to
  create a race condition, control its ancestors, or change its contents?
  (CWE-362).
  p->result.file = fopen(p->fpath, mode);
data/quvi-0.9.4/src/builtin/get.c:80:7:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  n = strlen(data);
data/quvi-0.9.4/src/builtin/get.c:173:45:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  g_print(_("subtitles (found):\n %s\n"), (strlen(s) ==0) ? _("none"):s);
data/quvi-0.9.4/src/builtin/get.c:270:11:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen(s) >0)
data/quvi-0.9.4/src/input/linput.c:43:12:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  sn = strlen(s);
data/quvi-0.9.4/src/opts.c:343:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (s != NULL && strlen(s) >0)
data/quvi-0.9.4/src/opts/config.c:102:31:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  show_config = (v != NULL && strlen(v) >0) ? TRUE:FALSE;
data/quvi-0.9.4/src/status.c:46:7:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen(m) >0)
data/quvi-0.9.4/src/status.c:56:31:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  l = sigwinch_term_spaceleft(strlen(s));
data/quvi-0.9.4/src/util/fpath.c:42:33:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (p->output_file != NULL && strlen(p->output_file) >0)
data/quvi-0.9.4/src/util/fpath.c:63:32:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (p->output_dir != NULL && strlen(p->output_dir) >0)
data/quvi-0.9.4/src/util/regex.c:108:11:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen((*op)->mode) ==0)
data/quvi-0.9.4/src/util/xchg.c:64:24:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (s != NULL && strlen(s) >0)
data/quvi-0.9.4/src/util/xchg.c:247:43:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  s = g_strdup( (noq[i].val ==NULL || strlen(s) ==0)

ANALYSIS SUMMARY:

Hits = 15
Lines analyzed = 8661 in approximately 0.21 seconds (41287 lines/second)
Physical Source Lines of Code (SLOC) = 5839
Hits@level = [0]   3 [1]  13 [2]   2 [3]   0 [4]   0 [5]   0
Hits@level+ = [0+]  18 [1+]  15 [2+]   2 [3+]   0 [4+]   0 [5+]   0
Hits/KSLOC@level+ = [0+] 3.08272 [1+] 2.56893 [2+] 0.342524 [3+]   0 [4+]   0 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.
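The three hit classes in this report (CWE-120 unbounded memcpy, CWE-362 fopen on a path an attacker may control, CWE-126 strlen on possibly unterminated data) are what a reviewer triages when deciding whether a hit is a real defect. The block below is an added illustration written for this page and is not quvi's code: it shows the linput.c-style "strlen then memcpy" append beside a bounded counterpart, and an open()/fdopen() replacement for fopen() that refuses symlinks and pre-existing files. The function names (append_bounded, fopen_create_nofollow) and the sample inputs are constructed for the example; whether any of the quvi hits above are actually exploitable is not established by the scan and is not claimed here.

```c
/* Added example, not quvi's code: bounded counterparts for the three hit
 * classes Flawfinder reports (CWE-120 memcpy, CWE-362 fopen, CWE-126 strlen).
 * Function names and the sample inputs are constructed for this illustration. */
#if !defined(_POSIX_C_SOURCE)
#define _POSIX_C_SOURCE 200809L   /* for strnlen, fdopen, O_NOFOLLOW */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* CWE-120 / CWE-126: append s to the fixed-size buffer r (rsz bytes), with the
 * bytes already used tracked in *n.  strnlen() bounds the scan to cap bytes so
 * an unterminated s cannot be over-read, and the remaining-space check makes
 * the memcpy unable to run past r.  Returns 0 on success; -1 (r and *n left
 * untouched) if s is unterminated within cap or would not fit with its NUL. */
int append_bounded(char *r, size_t rsz, size_t *n, const char *s, size_t cap)
{
    size_t sn = strnlen(s, cap);
    if (sn == cap)                      /* no terminator within cap: refuse */
        return -1;
    if (*n >= rsz || sn >= rsz - *n)    /* need sn bytes plus the NUL */
        return -1;
    memcpy(&(r[*n]), s, sn);
    *n += sn;
    r[*n] = '\0';
    return 0;
}

/* CWE-362: create an output file without following a symlink planted at path
 * and without silently reusing a file that already exists.  O_CREAT|O_EXCL
 * makes the existence check and the creation one atomic step, and O_NOFOLLOW
 * refuses a symlink at the final path component.  Returns NULL with errno set
 * on failure (EEXIST for an existing file or symlink). */
FILE *fopen_create_nofollow(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return NULL;
    FILE *f = fdopen(fd, "w");
    if (f == NULL) {
        int saved = errno;
        close(fd);
        errno = saved;
    }
    return f;
}

int main(void)
{
    char r[8];
    size_t n = 0;
    char unterminated[4] = { 'a', 'b', 'c', 'd' };   /* constructed: no NUL */

    printf("append \"abc\": %d\n", append_bounded(r, sizeof r, &n, "abc", 64));
    printf("append \"defgh\" (would overflow): %d\n",
           append_bounded(r, sizeof r, &n, "defgh", 64));
    printf("append unterminated: %d\n",
           append_bounded(r, sizeof r, &n, unterminated, sizeof unterminated));
    printf("buffer: \"%s\" (%zu bytes used)\n", r, n);
    return 0;
}
```

The first two checks are the ones Flawfinder cannot do for you: it flags every strlen and memcpy, and the triage question is whether the caller already guarantees a terminator and enough room. The open() form answers the CWE-362 question by construction rather than by a check-then-open sequence, which is where the race lives.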