Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/r-cran-digest-0.6.27/src/pmurhash.c
Examining data/r-cran-digest-0.6.27/src/digest2int.c
Examining data/r-cran-digest-0.6.27/src/zlib.h
Examining data/r-cran-digest-0.6.27/src/xxhash.c
Examining data/r-cran-digest-0.6.27/src/md5.c
Examining data/r-cran-digest-0.6.27/src/sha1.h
Examining data/r-cran-digest-0.6.27/src/aes.c
Examining data/r-cran-digest-0.6.27/src/blake3_portable.c
Examining data/r-cran-digest-0.6.27/src/spooky_serialize.cpp
Examining data/r-cran-digest-0.6.27/src/xxhash.h
Examining data/r-cran-digest-0.6.27/src/sha256.h
Examining data/r-cran-digest-0.6.27/src/init.c
Examining data/r-cran-digest-0.6.27/src/crc32.c
Examining data/r-cran-digest-0.6.27/src/crc32.h
Examining data/r-cran-digest-0.6.27/src/blake3.h
Examining data/r-cran-digest-0.6.27/src/sha1.c
Examining data/r-cran-digest-0.6.27/src/digest.c
Examining data/r-cran-digest-0.6.27/src/sha2.c
Examining data/r-cran-digest-0.6.27/src/zutil.h
Examining data/r-cran-digest-0.6.27/src/sha2.h
Examining data/r-cran-digest-0.6.27/src/blake3_dispatch.c
Examining data/r-cran-digest-0.6.27/src/zconf.h
Examining data/r-cran-digest-0.6.27/src/blake3.c
Examining data/r-cran-digest-0.6.27/src/blake3_impl.h
Examining data/r-cran-digest-0.6.27/src/aes.h
Examining data/r-cran-digest-0.6.27/src/SpookyV2.h
Examining data/r-cran-digest-0.6.27/src/raes.c
Examining data/r-cran-digest-0.6.27/src/SpookyV2.cpp
Examining data/r-cran-digest-0.6.27/src/md5.h
Examining data/r-cran-digest-0.6.27/src/sha256.c
Examining data/r-cran-digest-0.6.27/src/pmurhash.h
Examining data/r-cran-digest-0.6.27/inst/include/pmurhashAPI.h

FINAL RESULTS:

data/r-cran-digest-0.6.27/src/digest.c:207:9: [4] (format) sprintf:
  Potential format string problem (CWE-134). Make format string constant.
    sprintf(output, "%016" PRIx64, val);
data/r-cran-digest-0.6.27/src/digest.c:432:9: [4] (format) sprintf:
  Potential format string problem (CWE-134). Make format string constant.
    sprintf(output, "%016" PRIx64, val);
data/r-cran-digest-0.6.27/src/SpookyV2.cpp:42:9: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(buf, message, length);
data/r-cran-digest-0.6.27/src/SpookyV2.cpp:160:9: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(&((uint8 *)m_data)[m_remainder], message, length);
data/r-cran-digest-0.6.27/src/SpookyV2.cpp:194:9: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(&(((uint8 *)m_data)[m_remainder]), message, prefix);
data/r-cran-digest-0.6.27/src/SpookyV2.cpp:221:13: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(m_data, u.p8, sc_blockSize);
data/r-cran-digest-0.6.27/src/SpookyV2.cpp:229:5: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(m_data, end, remainder);
data/r-cran-digest-0.6.27/src/aes.c:776:17: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    static unsigned char AES_enc_test[3][16] =
data/r-cran-digest-0.6.27/src/aes.c:786:17: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    static unsigned char AES_dec_test[3][16] =
data/r-cran-digest-0.6.27/src/aes.c:800:14: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    unsigned char buf[16];
data/r-cran-digest-0.6.27/src/aes.c:801:14: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    unsigned char key[32];
data/r-cran-digest-0.6.27/src/blake3.c:18:3: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(self->cv, key, BLAKE3_KEY_LEN);
data/r-cran-digest-0.6.27/src/blake3.c:28:3: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(self->cv, key, BLAKE3_KEY_LEN);
data/r-cran-digest-0.6.27/src/blake3.c:47:3: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(dest, input, take);
data/r-cran-digest-0.6.27/src/blake3.c:73:3: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(ret.input_cv, input_cv, 32);
data/r-cran-digest-0.6.27/src/blake3.c:74:3: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(ret.block, block, BLAKE3_BLOCK_LEN);
data/r-cran-digest-0.6.27/src/blake3.c:89:3: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(cv_words, self->input_cv, 32);
data/r-cran-digest-0.6.27/src/blake3.c:92:3: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(cv, cv_words, 32);
data/r-cran-digest-0.6.27/src/blake3.c:110:5: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(out, wide_buf + offset_within_block, memcpy_len);
data/r-cran-digest-0.6.27/src/blake3.c:244:5: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(&out[parents_array_len * BLAKE3_OUT_LEN],
data/r-cran-digest-0.6.27/src/blake3.c:319:5: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(out, cv_array, 2 * BLAKE3_OUT_LEN);
data/r-cran-digest-0.6.27/src/blake3.c:357:5: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(cv_array, out_array, num_cvs * BLAKE3_OUT_LEN);
data/r-cran-digest-0.6.27/src/blake3.c:359:3: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(out, cv_array, 2 * BLAKE3_OUT_LEN);
data/r-cran-digest-0.6.27/src/blake3.c:364:3: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(self->key, key, BLAKE3_KEY_LEN);
data/r-cran-digest-0.6.27/src/blake3.c:445:3: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(&self->cv_stack[self->cv_stack_len * BLAKE3_OUT_LEN], new_cv,
data/r-cran-digest-0.6.27/src/blake3.c:601:5: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(parent_block, &self->cv_stack[cvs_remaining * 32], 32);
data/r-cran-digest-0.6.27/src/blake3_portable.c:146:3: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(cv, key, BLAKE3_KEY_LEN);
data/r-cran-digest-0.6.27/src/blake3_portable.c:158:3: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(out, cv, 32);
data/r-cran-digest-0.6.27/src/digest.c:55:18: [2] (buffer) MultiByteToWideChar:
  Requires maximum length in CHARACTERS, not bytes (CWE-120).
    size_t len = MultiByteToWideChar(CP_UTF8, 0, txt, -1, NULL, 0);
data/r-cran-digest-0.6.27/src/digest.c:64:5: [2] (buffer) MultiByteToWideChar:
  Requires maximum length in CHARACTERS, not bytes (CWE-120).
    MultiByteToWideChar(CP_UTF8, 0, txt, -1, buf, len);
data/r-cran-digest-0.6.27/src/digest.c:67:11: [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
    out = fopen(txt, "rb");
data/r-cran-digest-0.6.27/src/digest.c:83:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char output[128+1], *outputp = output; /* 33 for md5, 41 for sha1, 65 for sha256, 128 for sha512; plus trailing NULL */
data/r-cran-digest-0.6.27/src/digest.c:118:18: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    unsigned char md5sum[16];
data/r-cran-digest-0.6.27/src/digest.c:123:9: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(output, md5sum, 16);
data/r-cran-digest-0.6.27/src/digest.c:127:17: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
    sprintf(output + j * 2, "%02x", md5sum[j]);
data/r-cran-digest-0.6.27/src/digest.c:135:18: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    unsigned char sha1sum[20];
data/r-cran-digest-0.6.27/src/digest.c:140:9: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(output, sha1sum, 20);
data/r-cran-digest-0.6.27/src/digest.c:144:17: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
    sprintf( output + j * 2, "%02x", sha1sum[j] );
data/r-cran-digest-0.6.27/src/digest.c:155:9: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
    sprintf(output, "%08x", (unsigned int) val);
data/r-cran-digest-0.6.27/src/digest.c:162:18: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    unsigned char sha256sum[32];
data/r-cran-digest-0.6.27/src/digest.c:167:9: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(output, sha256sum, 32);
data/r-cran-digest-0.6.27/src/digest.c:171:17: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
    sprintf( output + j * 2, "%02x", sha256sum[j] );
data/r-cran-digest-0.6.27/src/digest.c:186:9: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(output, sha512sum, output_length);
data/r-cran-digest-0.6.27/src/digest.c:201:9: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
    sprintf(output, "%08x", val);
data/r-cran-digest-0.6.27/src/digest.c:209:9: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
    sprintf(output, "%016llx", val);
data/r-cran-digest-0.6.27/src/digest.c:215:9: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120).
  Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
    sprintf(output, "%08x", val);
data/r-cran-digest-0.6.27/src/digest.c:226:13: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(output, val, BLAKE3_OUT_LEN);
data/r-cran-digest-0.6.27/src/digest.c:229:17: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
    sprintf(output + i * 2, "%02x", val[i]);
data/r-cran-digest-0.6.27/src/digest.c:238:18: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    unsigned char buf[BUF_SIZE];
data/r-cran-digest-0.6.27/src/digest.c:239:18: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    unsigned char md5sum[16];
data/r-cran-digest-0.6.27/src/digest.c:255:9: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(output, md5sum, 16);
data/r-cran-digest-0.6.27/src/digest.c:258:17: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
    sprintf(output + j * 2, "%02x", md5sum[j]);
data/r-cran-digest-0.6.27/src/digest.c:265:18: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    unsigned char buf[BUF_SIZE];
data/r-cran-digest-0.6.27/src/digest.c:266:18: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    unsigned char sha1sum[20];
data/r-cran-digest-0.6.27/src/digest.c:281:9: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(output, sha1sum, 20);
data/r-cran-digest-0.6.27/src/digest.c:284:17: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
    sprintf( output + j * 2, "%02x", sha1sum[j] );
data/r-cran-digest-0.6.27/src/digest.c:288:18: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    unsigned char buf[BUF_SIZE];
data/r-cran-digest-0.6.27/src/digest.c:303:9: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
    sprintf(output, "%08x", (unsigned int) val);
data/r-cran-digest-0.6.27/src/digest.c:310:18: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    unsigned char buf[BUF_SIZE];
data/r-cran-digest-0.6.27/src/digest.c:311:18: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    unsigned char sha256sum[32];
data/r-cran-digest-0.6.27/src/digest.c:326:9: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(output, sha256sum, 32);
data/r-cran-digest-0.6.27/src/digest.c:329:17: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
    sprintf( output + j * 2, "%02x", sha256sum[j] );
data/r-cran-digest-0.6.27/src/digest.c:338:18: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    unsigned char buf[BUF_SIZE];
data/r-cran-digest-0.6.27/src/digest.c:356:3: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(output, sha512sum, output_length);
data/r-cran-digest-0.6.27/src/digest.c:371:18: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    unsigned char buf[BUF_SIZE];
data/r-cran-digest-0.6.27/src/digest.c:399:9: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  Risk is low because the source has a constant maximum length.
    sprintf(output, "%08x", val);
data/r-cran-digest-0.6.27/src/digest.c:403:18: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    unsigned char buf[BUF_SIZE];
data/r-cran-digest-0.6.27/src/digest.c:434:9: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
    sprintf(output, "%016llx", val);
data/r-cran-digest-0.6.27/src/digest.c:440:18: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    unsigned char buf[BUF_SIZE];
data/r-cran-digest-0.6.27/src/digest.c:460:9: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
    sprintf(output, "%08x", val);
data/r-cran-digest-0.6.27/src/digest.c:465:18: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    unsigned char buf[BUF_SIZE];
data/r-cran-digest-0.6.27/src/digest.c:483:13: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(output, val, BLAKE3_OUT_LEN);
data/r-cran-digest-0.6.27/src/digest.c:486:17: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120).
  Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
    sprintf(output + i * 2, "%02x", val[i]);
data/r-cran-digest-0.6.27/src/digest.c:502:9: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(RAW(result), output, output_length);
data/r-cran-digest-0.6.27/src/md5.c:178:9: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy( (void *) (ctx->buffer + left),
data/r-cran-digest-0.6.27/src/md5.c:195:9: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy( (void *) (ctx->buffer + left),
data/r-cran-digest-0.6.27/src/md5.c:269:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char output[33];
data/r-cran-digest-0.6.27/src/md5.c:271:14: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    unsigned char buf[1000];
data/r-cran-digest-0.6.27/src/md5.c:272:14: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    unsigned char md5sum[16];
data/r-cran-digest-0.6.27/src/md5.c:288:17: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  Risk is low because the source has a constant maximum length.
    sprintf( output + j * 2, "%02x", md5sum[j] );
data/r-cran-digest-0.6.27/src/md5.c:304:21: [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
    if( ! ( f = fopen( argv[1], "rb" ) ) )
data/r-cran-digest-0.6.27/src/sha1.c:212:9: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy( (void *) (ctx->buffer + left),
data/r-cran-digest-0.6.27/src/sha1.c:229:9: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy( (void *) (ctx->buffer + left),
data/r-cran-digest-0.6.27/src/sha1.c:295:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char output[41];
data/r-cran-digest-0.6.27/src/sha1.c:297:14: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    unsigned char buf[1000];
data/r-cran-digest-0.6.27/src/sha1.c:298:14: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    unsigned char sha1sum[20];
data/r-cran-digest-0.6.27/src/sha1.c:329:17: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
    sprintf( output + j * 2, "%02x", sha1sum[j] );
data/r-cran-digest-0.6.27/src/sha1.c:345:21: [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
    if( ! ( f = fopen( argv[1], "rb" ) ) )
data/r-cran-digest-0.6.27/src/sha2.c:178:29: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    #define MEMCPY_BCOPY(d,s,l) memcpy((d), (s), (l))
data/r-cran-digest-0.6.27/src/sha2.c:182:29: [2] (buffer) bcopy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    #define MEMCPY_BCOPY(d,s,l) bcopy((s), (d), (l))
data/r-cran-digest-0.6.27/src/sha2.c:664:54: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char* SHA256_Data(const sha2_byte* data, size_t len, char digest[SHA256_DIGEST_STRING_LENGTH]) {
data/r-cran-digest-0.6.27/src/sha2.c:996:54: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char* SHA512_Data(const sha2_byte* data, size_t len, char digest[SHA512_DIGEST_STRING_LENGTH]) {
data/r-cran-digest-0.6.27/src/sha2.c:1072:54: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char* SHA384_Data(const sha2_byte* data, size_t len, char digest[SHA384_DIGEST_STRING_LENGTH]) {
data/r-cran-digest-0.6.27/src/sha256.c:204:9: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy( (void *) (ctx->buffer + left),
data/r-cran-digest-0.6.27/src/sha256.c:221:9: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy( (void *) (ctx->buffer + left),
data/r-cran-digest-0.6.27/src/sha256.c:293:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char output[65];
data/r-cran-digest-0.6.27/src/sha256.c:295:14: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    unsigned char buf[1000];
data/r-cran-digest-0.6.27/src/sha256.c:296:14: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    unsigned char sha256sum[32];
data/r-cran-digest-0.6.27/src/sha256.c:327:17: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
    sprintf( output + j * 2, "%02x", sha256sum[j] );
data/r-cran-digest-0.6.27/src/sha256.c:343:21: [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
    if( ! ( f = fopen( argv[1], "rb" ) ) )
data/r-cran-digest-0.6.27/src/xxhash.c:112:76: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    static void* XXH_memcpy(void* dest, const void* src, size_t size) { return memcpy(dest,src,size); }
data/r-cran-digest-0.6.27/src/xxhash.c:434:5: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(dstState, srcState, sizeof(*dstState));
data/r-cran-digest-0.6.27/src/xxhash.c:446:5: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(statePtr, &state, sizeof(state) - sizeof(state.reserved));
data/r-cran-digest-0.6.27/src/xxhash.c:568:5: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(dst, &hash, sizeof(*dst));
data/r-cran-digest-0.6.27/src/xxhash.c:895:5: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(dstState, srcState, sizeof(*dstState));
data/r-cran-digest-0.6.27/src/xxhash.c:907:5: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(statePtr, &state, sizeof(state) - sizeof(state.reserved));
data/r-cran-digest-0.6.27/src/xxhash.c:1021:5: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(dst, &hash, sizeof(*dst));
data/r-cran-digest-0.6.27/src/xxhash.h:204:27: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    typedef struct { unsigned char digest[4]; } XXH32_canonical_t;
data/r-cran-digest-0.6.27/src/xxhash.h:239:27: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    typedef struct { unsigned char digest[8]; } XXH64_canonical_t;
data/r-cran-digest-0.6.27/src/zutil.h:41:14: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    extern const char * const z_errmsg[10]; /* indexed by 2-zlib_error */
data/r-cran-digest-0.6.27/src/blake3.c:381:50: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
    blake3_hasher_update(&context_hasher, context, strlen(context));
data/r-cran-digest-0.6.27/src/digest.c:95:17: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
    nChar = strlen(txt);
data/r-cran-digest-0.6.27/src/md5.c:283:49: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
    md5_update( &ctx, (uint8 *) msg[i], strlen( msg[i] ) );
data/r-cran-digest-0.6.27/src/sha1.c:313:30: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
    strlen( msg[i] ) );
data/r-cran-digest-0.6.27/src/sha2.c:90:32: [1] (buffer) equal:
  Function does not check the second iterator for over-read conditions (CWE-126). This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it.
    #error Define BYTE_ORDER to be equal to either LITTLE_ENDIAN or BIG_ENDIAN
data/r-cran-digest-0.6.27/src/sha256.c:311:32: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
    strlen( msg[i] ) );

ANALYSIS SUMMARY:

Hits = 116
Lines analyzed = 9304 in approximately 0.30 seconds (31524 lines/second)
Physical Source Lines of Code (SLOC) = 6375
Hits@level = [0] 49 [1] 6 [2] 108 [3] 0 [4] 2 [5] 0
Hits@level+ = [0+] 165 [1+] 116 [2+] 110 [3+] 2 [4+] 2 [5+] 0
Hits/KSLOC@level+ = [0+] 25.8824 [1+] 18.1961 [2+] 17.2549 [3+] 0.313725 [4+] 0.313725 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.