Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/r-cran-utf8-1.1.4/src/utf8_valid.c
Examining data/r-cran-utf8-1.1.4/src/string.c
Examining data/r-cran-utf8-1.1.4/src/util.c
Examining data/r-cran-utf8-1.1.4/src/bytes.c
Examining data/r-cran-utf8-1.1.4/src/utf8_encode.c
Examining data/r-cran-utf8-1.1.4/src/utf8_normalize.c
Examining data/r-cran-utf8-1.1.4/src/rutf8.h
Examining data/r-cran-utf8-1.1.4/src/render.c
Examining data/r-cran-utf8-1.1.4/src/utf8_format.c
Examining data/r-cran-utf8-1.1.4/src/context.c
Examining data/r-cran-utf8-1.1.4/src/utf8lite/tests/testutil.h
Examining data/r-cran-utf8-1.1.4/src/utf8lite/tests/testutil.c
Examining data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_textmap.c
Examining data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_unicode.c
Examining data/r-cran-utf8-1.1.4/src/utf8lite/tests/wcwidth9/wcwidth9.h
Examining data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_text.c
Examining data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_render.c
Examining data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_graphscan.c
Examining data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_charwidth.c
Examining data/r-cran-utf8-1.1.4/src/utf8lite/src/graphscan.c
Examining data/r-cran-utf8-1.1.4/src/utf8lite/src/private/charwidth.h
Examining data/r-cran-utf8-1.1.4/src/utf8lite/src/private/compose.h
Examining data/r-cran-utf8-1.1.4/src/utf8lite/src/private/array.h
Examining data/r-cran-utf8-1.1.4/src/utf8lite/src/private/combining.h
Examining data/r-cran-utf8-1.1.4/src/utf8lite/src/private/graphbreak.h
Examining data/r-cran-utf8-1.1.4/src/utf8lite/src/private/decompose.h
Examining data/r-cran-utf8-1.1.4/src/utf8lite/src/private/casefold.h
Examining data/r-cran-utf8-1.1.4/src/utf8lite/src/char.c
Examining data/r-cran-utf8-1.1.4/src/utf8lite/src/utf8lite.h
Examining data/r-cran-utf8-1.1.4/src/utf8lite/src/render.c
Examining data/r-cran-utf8-1.1.4/src/utf8lite/src/error.c
Examining data/r-cran-utf8-1.1.4/src/utf8lite/src/graph.c
Examining data/r-cran-utf8-1.1.4/src/utf8lite/src/escape.c
Examining data/r-cran-utf8-1.1.4/src/utf8lite/src/encode.c
Examining data/r-cran-utf8-1.1.4/src/utf8lite/src/textiter.c
Examining data/r-cran-utf8-1.1.4/src/utf8lite/src/array.c
Examining data/r-cran-utf8-1.1.4/src/utf8lite/src/textmap.c
Examining data/r-cran-utf8-1.1.4/src/utf8lite/src/textassign.c
Examining data/r-cran-utf8-1.1.4/src/utf8lite/src/normalize.c
Examining data/r-cran-utf8-1.1.4/src/utf8lite/src/text.c
Examining data/r-cran-utf8-1.1.4/src/utf8lite/util/table-graphbreak.c
Examining data/r-cran-utf8-1.1.4/src/init.c
Examining data/r-cran-utf8-1.1.4/src/as_utf8.c
Examining data/r-cran-utf8-1.1.4/src/render_table.c
Examining data/r-cran-utf8-1.1.4/src/utf8_width.c
Examining data/r-cran-utf8-1.1.4/src/text.c
FINAL RESULTS:
data/r-cran-utf8-1.1.4/src/utf8lite/src/error.c:39:3: [4] (format) vsnprintf:
If format strings can be influenced by an attacker, they can be exploited,
and note that sprintf variations do not always \0-terminate (CWE-134). Use
a constant for the format specification.
vsnprintf(msg->string, sizeof(msg->string), fmt, ap);
data/r-cran-utf8-1.1.4/src/utf8lite/src/error.c:57:3: [4] (format) vsnprintf:
If format strings can be influenced by an attacker, they can be exploited,
and note that sprintf variations do not always \0-terminate (CWE-134). Use
a constant for the format specification.
vsnprintf(msg->string + n, nmax - n, fmt, ap);
data/r-cran-utf8-1.1.4/src/utf8lite/src/render.c:300:16: [4] (format) sprintf:
Potential format string problem (CWE-134). Make format string constant.
r->length += sprintf(&r->string[r->length],
data/r-cran-utf8-1.1.4/src/utf8lite/src/render.c:547:8: [4] (format) vsnprintf:
If format strings can be influenced by an attacker, they can be exploited,
and note that sprintf variations do not always \0-terminate (CWE-134). Use
a constant for the format specification.
len = vsnprintf(NULL, 0, format, ap);
data/r-cran-utf8-1.1.4/src/utf8lite/src/render.c:559:2: [4] (format) vsprintf:
Potential format string problem (CWE-134). Make format string constant.
vsprintf(buffer, format, ap2);
data/r-cran-utf8-1.1.4/src/utf8lite/src/utf8lite.h:77:26: [4] (format) printf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
__attribute__ ((format (printf, 2, 3)));
data/r-cran-utf8-1.1.4/src/utf8lite/src/utf8lite.h:91:26: [4] (format) printf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
__attribute__ ((format (printf, 2, 3)));
data/r-cran-utf8-1.1.4/src/utf8lite/src/utf8lite.h:993:26: [4] (format) printf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
__attribute__ ((format (printf, 2, 3)));
data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_unicode.c:200:14: [4] (buffer) fscanf:
The scanf() family's %s operation, without a limit specification, permits
buffer overflows (CWE-120, CWE-20). Specify a limit to %s, or use a
different input function. If the scanf format is influenceable by an
attacker, it's exploitable.
ck_assert(fscanf(file, "%"SCNx32, &code));
data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_text.c:622:2: [3] (random) srand:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
srand((unsigned)_i);
data/r-cran-utf8-1.1.4/src/bytes.c:363:2: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char ch, buf[5];
data/r-cran-utf8-1.1.4/src/bytes.c:391:5: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(buf, "\\x%02x", (unsigned)byte);
data/r-cran-utf8-1.1.4/src/utf8lite/src/render.c:183:22: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
const char *open, const char *close)
data/r-cran-utf8-1.1.4/src/utf8lite/src/render.c:188:6: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if (open) {
data/r-cran-utf8-1.1.4/src/utf8lite/src/render.c:189:26: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if ((open_len = strlen(open)) >= INT_MAX) {
data/r-cran-utf8-1.1.4/src/utf8lite/src/render.c:200:18: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
r->style_open = open;
data/r-cran-utf8-1.1.4/src/utf8lite/src/render.c:236:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(end, r->newline, r->newline_length + 1); // include '\0'
data/r-cran-utf8-1.1.4/src/utf8lite/src/render.c:260:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(end, r->tab, r->tab_length + 1); // include '\0'
data/r-cran-utf8-1.1.4/src/utf8lite/src/render.c:292:16: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
r->length += sprintf(&r->string[r->length],
data/r-cran-utf8-1.1.4/src/utf8lite/src/render.c:297:16: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
r->length += sprintf(&r->string[r->length],
data/r-cran-utf8-1.1.4/src/utf8lite/src/render.c:324:18: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
r->length += sprintf(&r->string[r->length],
data/r-cran-utf8-1.1.4/src/utf8lite/src/render.c:359:18: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
r->length += sprintf(&r->string[r->length],
data/r-cran-utf8-1.1.4/src/utf8lite/src/render.c:368:17: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
r->length += sprintf(&r->string[r->length],
data/r-cran-utf8-1.1.4/src/utf8lite/src/render.c:620:2: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(r->string + r->length, bytes, size);
data/r-cran-utf8-1.1.4/src/utf8lite/src/text.c:35:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(text->ptr, other->ptr, size);
data/r-cran-utf8-1.1.4/src/utf8lite/src/utf8lite.h:56:2: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char string[UTF8LITE_MESSAGE_MAX + 1]; /**< NUL-terminated message */
data/r-cran-utf8-1.1.4/src/utf8lite/src/utf8lite.h:913:22: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
const char *open, const char *close);
data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_graphscan.c:125:2: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char comment[4096];
data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_graphscan.c:168:9: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
file = fopen(GRAPH_BREAK_TEST, "r");
data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_graphscan.c:170:10: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
file = fopen("../"GRAPH_BREAK_TEST, "r");
data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_render.c:471:2: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buffer[32];
data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_render.c:694:2: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buffer[32];
data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_render.c:730:2: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buffer[32];
data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_text.c:632:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(buffer + size, types[id].string, len);
data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_textmap.c:43:2: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(val->ptr, map.text.ptr, size);
data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_textmap.c:92:2: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char str[256];
data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_textmap.c:107:3: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(str, "\\u%04X", i);
data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_textmap.c:135:3: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf((char *)str, "\\u%04X", i);
data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_textmap.c:209:3: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf((char *)str, "\\u%04x", ws[i]);
data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_textmap.c:233:2: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char str[256];
data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_textmap.c:253:3: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(str, "\\u%04X", i);
data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_textmap.c:278:3: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf((char *)str, "\\u%04X", i);
data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_textmap.c:316:3: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf((char *)str, "\\u%04x", ws[i]);
data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_unicode.c:30:2: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char comment[1024];
data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_unicode.c:114:9: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
file = fopen(NORMALIZATION_TEST, "r");
data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_unicode.c:116:10: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
file = fopen("../"NORMALIZATION_TEST, "r");
data/r-cran-utf8-1.1.4/src/utf8lite/tests/testutil.c:84:2: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(ptr, str, size + 1);
data/r-cran-utf8-1.1.4/src/util.c:57:2: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(ans + 2, CHAR(elt), n);
data/r-cran-utf8-1.1.4/src/util.c:122:9: [2] (buffer) MultiByteToWideChar:
Requires maximum length in CHARACTERS, not bytes (CWE-120).
wlen = MultiByteToWideChar(cp, 0, raw, n, NULL, 0);
data/r-cran-utf8-1.1.4/src/util.c:124:2: [2] (buffer) MultiByteToWideChar:
Requires maximum length in CHARACTERS, not bytes (CWE-120).
MultiByteToWideChar(cp, 0, raw, n, wstr, wlen);
data/r-cran-utf8-1.1.4/src/as_utf8.c:86:11: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
size = strlen((const char *)str);
data/r-cran-utf8-1.1.4/src/render_table.c:294:23: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
s.names_len = (int)strlen(s.names);
data/r-cran-utf8-1.1.4/src/render_table.c:297:26: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
s.rownames_len = (int)strlen(s.rownames);
data/r-cran-utf8-1.1.4/src/string.c:60:10: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
size = strlen((const char *)ptr);
data/r-cran-utf8-1.1.4/src/utf8_format.c:62:14: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
nellipsis = strlen(ellipsis);
data/r-cran-utf8-1.1.4/src/utf8_normalize.c:102:10: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
size = strlen((const char *)ptr);
data/r-cran-utf8-1.1.4/src/utf8_valid.c:64:11: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
size = strlen((const char *)str);
data/r-cran-utf8-1.1.4/src/utf8lite/src/error.c:53:7: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
n = strlen(msg->string);
data/r-cran-utf8-1.1.4/src/utf8lite/src/render.c:109:23: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
r->tab_length = (int)strlen(r->tab);
data/r-cran-utf8-1.1.4/src/utf8lite/src/render.c:112:27: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
r->newline_length = (int)strlen(r->newline);
data/r-cran-utf8-1.1.4/src/utf8lite/src/render.c:153:13: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if ((len = strlen(tab)) >= INT_MAX) {
data/r-cran-utf8-1.1.4/src/utf8lite/src/render.c:170:13: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if ((len = strlen(newline)) >= INT_MAX) {
data/r-cran-utf8-1.1.4/src/utf8lite/src/render.c:189:19: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if ((open_len = strlen(open)) >= INT_MAX) {
data/r-cran-utf8-1.1.4/src/utf8lite/src/render.c:195:20: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if ((close_len = strlen(close)) >= INT_MAX) {
data/r-cran-utf8-1.1.4/src/utf8lite/src/render.c:528:8: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
len = strlen(str);
data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_graphscan.c:184:15: [1] (buffer) fgetc:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
while ((ch = fgetc(file)) != EOF) {
data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_graphscan.c:190:10: [1] (buffer) fgetc:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
ch = fgetc(file);
data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_graphscan.c:221:9: [1] (buffer) fgetc:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
ch = fgetc(file);
data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_text.c:41:13: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
size_t n = strlen(str);
data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_text.c:51:13: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
size_t n = strlen(str);
data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_text.c:631:9: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
len = strlen(types[id].string);
data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_text.c:655:9: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
len = strlen(types[id].string);
data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_text.c:673:9: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
len = strlen(types[id].string);
data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_unicode.c:135:15: [1] (buffer) fgetc:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
while ((ch = fgetc(file)) != EOF) {
data/r-cran-utf8-1.1.4/src/utf8lite/tests/check_unicode.c:141:10: [1] (buffer) fgetc:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
ch = fgetc(file);
data/r-cran-utf8-1.1.4/src/utf8lite/tests/testutil.c:80:16: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
size_t size = strlen(str);
ANALYSIS SUMMARY:
Hits = 76
Lines analyzed = 26549 in approximately 1.47 seconds (18027 lines/second)
Physical Source Lines of Code (SLOC) = 21818
Hits@level = [0] 26 [1] 26 [2] 40 [3] 1 [4] 9 [5] 0
Hits@level+ = [0+] 102 [1+] 76 [2+] 50 [3+] 10 [4+] 9 [5+] 0
Hits/KSLOC@level+ = [0+] 4.67504 [1+] 3.48336 [2+] 2.29169 [3+] 0.458337 [4+] 0.412503 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.