Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/ruby-yajl-1.4.1/ext/yajl/yajl_ext.c
Examining data/ruby-yajl-1.4.1/ext/yajl/api/yajl_gen.h
Examining data/ruby-yajl-1.4.1/ext/yajl/api/yajl_parse.h
Examining data/ruby-yajl-1.4.1/ext/yajl/api/yajl_common.h
Examining data/ruby-yajl-1.4.1/ext/yajl/api/yajl_version.h
Examining data/ruby-yajl-1.4.1/ext/yajl/yajl_bytestack.h
Examining data/ruby-yajl-1.4.1/ext/yajl/yajl_ext.h
Examining data/ruby-yajl-1.4.1/ext/yajl/yajl_parser.c
Examining data/ruby-yajl-1.4.1/ext/yajl/yajl_lex.h
Examining data/ruby-yajl-1.4.1/ext/yajl/yajl.c
Examining data/ruby-yajl-1.4.1/ext/yajl/yajl_encode.h
Examining data/ruby-yajl-1.4.1/ext/yajl/yajl_lex.c
Examining data/ruby-yajl-1.4.1/ext/yajl/yajl_alloc.h
Examining data/ruby-yajl-1.4.1/ext/yajl/yajl_encode.c
Examining data/ruby-yajl-1.4.1/ext/yajl/yajl_gen.c
Examining data/ruby-yajl-1.4.1/ext/yajl/yajl_buf.c
Examining data/ruby-yajl-1.4.1/ext/yajl/yajl_parser.h
Examining data/ruby-yajl-1.4.1/ext/yajl/yajl_alloc.c
Examining data/ruby-yajl-1.4.1/ext/yajl/yajl_version.c
Examining data/ruby-yajl-1.4.1/ext/yajl/yajl_buf.h

FINAL RESULTS:

data/ruby-yajl-1.4.1/ext/yajl/yajl_parser.c:78:9:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
        strcat((char *) str, errorType);

data/ruby-yajl-1.4.1/ext/yajl/yajl_parser.c:82:13:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
        strcat((char *) str, errorText);

data/ruby-yajl-1.4.1/ext/yajl/yajl_parser.c:118:13:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
        strcat((char *) newStr, (char *) str);

data/ruby-yajl-1.4.1/ext/yajl/yajl_parser.c:119:13:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
        strcat((char *) newStr, text);

data/ruby-yajl-1.4.1/ext/yajl/yajl_parser.c:120:13:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
        strcat((char *) newStr, arrow);

data/ruby-yajl-1.4.1/ext/yajl/yajl.c:88:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
        memcpy((void *) &(hand->alloc), (void *) afs, sizeof(yajl_alloc_funcs));

data/ruby-yajl-1.4.1/ext/yajl/yajl_buf.c:92:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
        memcpy(buf->data + buf->used, data, len);

data/ruby-yajl-1.4.1/ext/yajl/yajl_encode.c:64:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
        char hexBuf[7];

data/ruby-yajl-1.4.1/ext/yajl/yajl_encode.c:65:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
        char entityBuffer[7];

data/ruby-yajl-1.4.1/ext/yajl/yajl_encode.c:183:13:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
        char utf8Buf[5];

data/ruby-yajl-1.4.1/ext/yajl/yajl_ext.c:305:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
        memcpy(buf, numberVal, numberLen);

data/ruby-yajl-1.4.1/ext/yajl/yajl_ext.c:859:13:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
        memcpy(buf, event.buf, event.len);

data/ruby-yajl-1.4.1/ext/yajl/yajl_ext.c:1028:17:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
        memcpy(indentString, RSTRING_PTR(indent), RSTRING_LEN(indent));

data/ruby-yajl-1.4.1/ext/yajl/yajl_gen.c:98:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
        memcpy((void *) &(g->alloc), (void *) afs, sizeof(yajl_alloc_funcs));

data/ruby-yajl-1.4.1/ext/yajl/yajl_gen.c:204:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
        char i[32];

data/ruby-yajl-1.4.1/ext/yajl/yajl_gen.c:206:5:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
        sprintf(i, "%ld", number);

data/ruby-yajl-1.4.1/ext/yajl/yajl_gen.c:222:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
        char i[32];

data/ruby-yajl-1.4.1/ext/yajl/yajl_gen.c:226:5:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
        sprintf(i, "%.20g", number);

data/ruby-yajl-1.4.1/ext/yajl/yajl_lex.c:157:14:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
        static const char charLookupTable[256] =

data/ruby-yajl-1.4.1/ext/yajl/yajl_parser.c:55:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
        char text[72];

data/ruby-yajl-1.4.1/ext/yajl/yajl_parser.c:79:9:  [2] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant string.
        strcat((char *) str, " error");

data/ruby-yajl-1.4.1/ext/yajl/yajl_parser.c:81:13:  [2] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant string.
        strcat((char *) str, ": ");

data/ruby-yajl-1.4.1/ext/yajl/yajl_encode.c:127:47:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
        print(ctx, escaped, (unsigned int)strlen(escaped));

data/ruby-yajl-1.4.1/ext/yajl/yajl_encode.c:230:59:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
        yajl_buf_append(buf, unescaped, (unsigned int)strlen(unescaped));

data/ruby-yajl-1.4.1/ext/yajl/yajl_gen.c:158:40:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
        (unsigned int)strlen(g->indentString)); \

data/ruby-yajl-1.4.1/ext/yajl/yajl_gen.c:207:39:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
        g->print(g->ctx, i, (unsigned int)strlen(i));

data/ruby-yajl-1.4.1/ext/yajl/yajl_gen.c:227:39:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
        g->print(g->ctx, i, (unsigned int)strlen(i));

data/ruby-yajl-1.4.1/ext/yajl/yajl_gen.c:260:30:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
        g->print(g->ctx, "null", strlen("null"));

data/ruby-yajl-1.4.1/ext/yajl/yajl_gen.c:272:41:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
        g->print(g->ctx, val, (unsigned int)strlen(val));

data/ruby-yajl-1.4.1/ext/yajl/yajl_parser.c:70:22:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
        memneeded += strlen(errorType);

data/ruby-yajl-1.4.1/ext/yajl/yajl_parser.c:71:22:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
        memneeded += strlen(" error");

data/ruby-yajl-1.4.1/ext/yajl/yajl_parser.c:73:26:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
        memneeded += strlen(": ");

data/ruby-yajl-1.4.1/ext/yajl/yajl_parser.c:74:26:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
        memneeded += strlen(errorText);

data/ruby-yajl-1.4.1/ext/yajl/yajl_parser.c:84:9:  [1] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant character.
        strcat((char *) str, "\n");

data/ruby-yajl-1.4.1/ext/yajl/yajl_parser.c:114:58:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
        YA_MALLOC(&(hand->alloc), (unsigned int)(strlen((char *) str) +

data/ruby-yajl-1.4.1/ext/yajl/yajl_parser.c:115:58:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
        strlen((char *) text) +

data/ruby-yajl-1.4.1/ext/yajl/yajl_parser.c:116:58:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
        strlen(arrow) + 1));

ANALYSIS SUMMARY:

Hits = 37
Lines analyzed = 4612 in approximately 0.15 seconds (30455 lines/second)
Physical Source Lines of Code (SLOC) = 2878
Hits@level = [0]   4 [1]  15 [2]  17 [3]   0 [4]   5 [5]   0
Hits@level+ = [0+]  41 [1+]  37 [2+]  22 [3+]   5 [4+]   5 [5+]   0
Hits/KSLOC@level+ = [0+] 14.246 [1+] 12.8562 [2+] 7.6442 [3+] 1.73732 [4+] 1.73732 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.