Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/sng-1.1.0/main.c
Examining data/sng-1.1.0/sngc.c
Examining data/sng-1.1.0/sng.h
Examining data/sng-1.1.0/sngd.c

FINAL RESULTS:

data/sng-1.1.0/main.c:38:2:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf.
  sprintf(buf, "%s:EOF: ", file);
data/sng-1.1.0/main.c:40:2:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf.
  sprintf(buf, "%s:%d: ", file, linenum);
data/sng-1.1.0/main.c:43:5:  [4] (format) vsprintf:
  Potential format string problem (CWE-134). Make format string constant.
  vsprintf(buf + strlen(buf), fmt, ap);
data/sng-1.1.0/main.c:81:5:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
  strcpy(r, s);
data/sng-1.1.0/sngc.c:1488:6:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
  strcpy(width_s, token_buffer);
data/sng-1.1.0/sngc.c:1495:6:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
  strcpy(height_s, token_buffer);
data/sng-1.1.0/sngd.c:239:5:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf.
  sprintf(buf, "sng: in %s, ", current_file);
data/sng-1.1.0/sngd.c:242:5:  [4] (format) vsprintf:
  Potential format string problem (CWE-134). Make format string constant.
  vsprintf(buf + strlen(buf), fmt, ap);
data/sng-1.1.0/main.c:31:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buf[BUFSIZ];
data/sng-1.1.0/main.c:103:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char line[BUFSIZ], namebuf[BUFSIZ];
data/sng-1.1.0/main.c:107:12:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force
  the opening of special file type (e.g., device files), move things around
  to create a race condition, control its ancestors, or change its contents?
  (CWE-362).
  if ((fp = fopen(RGBTXT, "r")) == NULL)
data/sng-1.1.0/main.c:137:7:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(newcolor, &sc, sizeof(color_item));
data/sng-1.1.0/main.c:217:6:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char outfile[BUFSIZ];
data/sng-1.1.0/main.c:231:3:  [2] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination
  [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
  snprintf (warning: strncat is easily misused). Risk is low because the
  source is a constant string.
  strcat(outfile, ".png");
data/sng-1.1.0/main.c:238:3:  [2] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination
  [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
  snprintf (warning: strncat is easily misused). Risk is low because the
  source is a constant string.
  strcat(outfile, ".sng");
data/sng-1.1.0/main.c:250:18:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force
  the opening of special file type (e.g., device files), move things around
  to create a race condition, control its ancestors, or change its contents?
  (CWE-362).
  if ((fpin = fopen(argv[i], "r")) == NULL)
data/sng-1.1.0/main.c:258:19:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force
  the opening of special file type (e.g., device files), move things around
  to create a race condition, control its ancestors, or change its contents?
  (CWE-362).
  if ((fpout = fopen(outfile, "w")) == NULL)
data/sng-1.1.0/sngc.c:153:8:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  static char token_buffer[16384];
data/sng-1.1.0/sngc.c:526:6:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(*pbytes + *pnbytes, token_buffer, seglen);
data/sng-1.1.0/sngc.c:884:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char name[PNG_KEYWORD_MAX_LENGTH+1];
data/sng-1.1.0/sngc.c:1098:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char keyword[PNG_KEYWORD_MAX_LENGTH+1];
data/sng-1.1.0/sngc.c:1178:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char keyword[PNG_KEYWORD_MAX_LENGTH+1];
data/sng-1.1.0/sngc.c:1179:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char text[PNG_STRING_MAX_LENGTH+1];
data/sng-1.1.0/sngc.c:1207:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char keyword[PNG_KEYWORD_MAX_LENGTH+1];
data/sng-1.1.0/sngc.c:1208:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char text[PNG_STRING_MAX_LENGTH+1];
data/sng-1.1.0/sngc.c:1236:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char language[PNG_KEYWORD_MAX_LENGTH+1];
data/sng-1.1.0/sngc.c:1237:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char keyword[PNG_KEYWORD_MAX_LENGTH+1];
data/sng-1.1.0/sngc.c:1238:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char transkey[PNG_STRING_MAX_LENGTH+1];
data/sng-1.1.0/sngc.c:1239:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char text[PNG_STRING_MAX_LENGTH+1];
data/sng-1.1.0/sngc.c:1358:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char name[PNG_KEYWORD_MAX_LENGTH+1];
data/sng-1.1.0/sngc.c:1359:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char unit[PNG_STRING_MAX_LENGTH+1];
data/sng-1.1.0/sngc.c:1360:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char strbuf[PNG_STRING_MAX_LENGTH+1];
data/sng-1.1.0/sngc.c:1361:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char *params[MAX_PARAMS];
data/sng-1.1.0/sngc.c:1465:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char unit[PNG_STRING_MAX_LENGTH+1];
data/sng-1.1.0/sngc.c:1470:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char width_s[BUFSIZ], height_s[BUFSIZ];
data/sng-1.1.0/sngc.c:1549:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buf[PNG_STRING_MAX_LENGTH];
data/sng-1.1.0/sngc.c:1565:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(chunkdata, buf, 8);
data/sng-1.1.0/sngc.c:1572:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(chunkdata + 8, buf, 3);
data/sng-1.1.0/sngc.c:1580:6:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(chunkdata + 11, data, datalen);
data/sng-1.1.0/sngc.c:1751:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buf[BUFSIZ];
data/sng-1.1.0/sngd.c:76:12:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  static char vbuf[PNG_STRING_MAX_LENGTH*4+1];
data/sng-1.1.0/sngd.c:115:13:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
  (void) sprintf(tp, "\\x%02x", (unsigned char) *buf++);
data/sng-1.1.0/sngd.c:162:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char cbuf[2];
data/sng-1.1.0/sngd.c:227:14:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  unsigned char *dope[1];
data/sng-1.1.0/sngd.c:236:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buf[BUFSIZ];
data/sng-1.1.0/main.c:43:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  vsprintf(buf + strlen(buf), fmt, ap);
data/sng-1.1.0/main.c:46:5:  [1] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination
  [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
  snprintf (warning: strncat is easily misused). Risk is low because the
  source is a constant character.
  strcat(buf, "\n");
data/sng-1.1.0/main.c:79:22:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  char *r = xalloc(strlen(s) + 1);
data/sng-1.1.0/main.c:202:14:  [1] (buffer) getchar:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  int c = getchar();
data/sng-1.1.0/main.c:216:25:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  int sng2png, dot = strlen(argv[i]) - 4;
data/sng-1.1.0/main.c:229:3:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
  strncpy(outfile, argv[i], dot);
data/sng-1.1.0/main.c:236:3:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
  strncpy(outfile, argv[i], dot);
data/sng-1.1.0/sngc.c:229:6:  [1] (buffer) fgetc:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  w = fgetc(yyin);
data/sng-1.1.0/sngc.c:240:7:  [1] (buffer) fgetc:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  w = fgetc(yyin);
data/sng-1.1.0/sngc.c:265:10:  [1] (buffer) fgetc:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  c = fgetc(yyin);
data/sng-1.1.0/sngc.c:302:10:  [1] (buffer) fgetc:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  c = fgetc(yyin);
data/sng-1.1.0/sngc.c:438:12:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  int len = strlen(token_buffer);
data/sng-1.1.0/sngc.c:442:2:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
  strncpy(stash, token_buffer, PNG_STRING_MAX_LENGTH);
data/sng-1.1.0/sngc.c:454:12:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  int len = strlen(token_buffer);
data/sng-1.1.0/sngc.c:459:2:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
  strncpy(stash, token_buffer, PNG_KEYWORD_MAX_LENGTH);
data/sng-1.1.0/sngc.c:523:19:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  int seglen = strlen(token_buffer);
data/sng-1.1.0/sngc.c:560:17:  [1] (buffer) fgetc:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  while ((c = fgetc(yyin)))
data/sng-1.1.0/sngc.c:573:18:  [1] (buffer) fgetc:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  while ((c = fgetc(yyin)))
data/sng-1.1.0/sngc.c:1586:23:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  chunk.size = 11 + strlen((char *)chunkdata + 11);
data/sng-1.1.0/sngc.c:1729:9:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen(name) != 4)
data/sng-1.1.0/sngd.c:116:12:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  tp += strlen(tp);
data/sng-1.1.0/sngd.c:242:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  vsprintf(buf + strlen(buf), fmt, ap);
data/sng-1.1.0/sngd.c:245:5:  [1] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination
  [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
  snprintf (warning: strncat is easily misused). Risk is low because the
  source is a constant character.
  strcat(buf, "\n");

ANALYSIS SUMMARY:

Hits = 68
Lines analyzed = 3444 in approximately 0.11 seconds (30890 lines/second)
Physical Source Lines of Code (SLOC) = 2725
Hits@level = [0] 143 [1]  23 [2]  37 [3]   0 [4]   8 [5]   0
Hits@level+ = [0+] 211 [1+]  68 [2+]  45 [3+]   8 [4+]   8 [5+]   0
Hits/KSLOC@level+ = [0+] 77.4312 [1+] 24.9541 [2+] 16.5138 [3+] 2.93578 [4+] 2.93578 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.
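The two findings in this report most worth triaging by hand are the message-building pattern at main.c:38-46 and sngd.c:239-245 (a prefix is written with sprintf into a fixed buf[BUFSIZ], the caller's message is appended with vsprintf at buf + strlen(buf), then a newline is strcat'ed) and the output-name derivation at main.c:216-238 (strncpy for strlen(argv[i]) - 4 bytes into outfile[BUFSIZ], then strcat of ".png" or ".sng"). The C below is an added example, not code from sng or from Flawfinder. unsafe_message() is a paraphrase of the flagged shape, not the project's exact lines, and is never called; bounded_message() and derive_outfile() are bounded alternatives of the kind the report's advice points at. Function names, buffer sizes and the sample inputs are this example's own assumptions. Whether the original code is reachable with oversized input, and what checks surround those lines, is not visible in the report; the CWE-134 (format) hit in particular is only a real problem if fmt can be influenced by input, and a variadic wrapper like the one here is fine as long as every call site passes a string literal.

```c
#include <limits.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Paraphrase of the shape flagged at main.c:38-46 / sngd.c:239-245, not sng's
 * exact code: nothing compares the total against the size of buf. Never
 * called here; kept only for contrast with bounded_message() below. */
void unsafe_message(char *buf, const char *file, int linenum,
                    const char *fmt, va_list ap)
{
    sprintf(buf, "%s:%d: ", file, linenum);
    vsprintf(buf + strlen(buf), fmt, ap);
    strcat(buf, "\n");
}

/* Bounded version. buf is always NUL-terminated (size > 0). Returns the length
 * the complete message wanted, newline included, so >= size means truncated;
 * -1 on encoding error. fmt must stay a string literal at every call site:
 * bounding the write does nothing about CWE-134 if fmt comes from input. */
int bounded_message(char *buf, size_t size, const char *file, int linenum,
                    const char *fmt, va_list ap)
{
    size_t used;
    int n;

    if (size == 0)
        return -1;
    n = snprintf(buf, size, "%s:%d: ", file, linenum); /* length wanted, even if cut */
    if (n < 0)
        return -1;
    used = (size_t)n;
    if (used < size - 1)
        n = vsnprintf(buf + used, size - used, fmt, ap); /* room left: write */
    else
        n = vsnprintf(NULL, 0, fmt, ap);                 /* full: measure only */
    if (n < 0)
        return -1;
    used += (size_t)n;
    if (used < size - 1) {          /* newline only if it and its NUL fit */
        buf[used] = '\n';
        buf[used + 1] = '\0';
    }
    return used < INT_MAX ? (int)(used + 1) : -1;
}

/* printf-style front end; same return value as bounded_message() */
int bounded_messagef(char *buf, size_t size, const char *file, int linenum,
                     const char *fmt, ...)
{
    va_list ap;
    int r;

    va_start(ap, fmt);
    r = bounded_message(buf, size, file, linenum, fmt, ap);
    va_end(ap);
    return r;
}

/* Bounded replacement for the main.c:216-238 shape (dot = strlen(argv[i]) - 4;
 * strncpy(outfile, argv[i], dot); strcat(outfile, ".png")). Handles the two
 * cases those lines leave to their surroundings: a name shorter than the
 * 4-byte suffix (the size_t subtraction wraps) and strncpy's missing NUL when
 * the source is longer than the count. 0 on success, -1 if too short or too
 * long; out is empty on failure. */
int derive_outfile(char *out, size_t size, const char *in, const char *newext)
{
    size_t len = strlen(in);
    int n;

    if (size == 0)
        return -1;
    out[0] = '\0';
    if (len < 4 || len - 4 > INT_MAX)
        return -1;
    /* "%.*s" copies at most len-4 bytes; snprintf bounds and terminates the whole */
    n = snprintf(out, size, "%.*s%s", (int)(len - 4), in, newext);
    if (n < 0 || (size_t)n >= size) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char msg[32], out[64];  /* constructed sample buffers and inputs */
    int n, rc;

    n = bounded_messagef(msg, sizeof msg, "demo.sng", 7, "bad token %s", "FOO");
    printf("%d %s", n, msg);
    n = bounded_messagef(msg, sizeof msg, "demo.sng", 7, "bad token %s",
                         "a-token-far-too-long-for-the-buffer");
    printf("%d truncated=%d %s\n", n, n >= (int)sizeof msg, msg);
    rc = derive_outfile(out, sizeof out, "demo.sng", ".png");
    printf("%d %s\n", rc, out);
    rc = derive_outfile(out, sizeof out, "abc", ".png");
    printf("%d [%s]\n", rc, out);
    return 0;
}
```

The return-value convention mirrors snprintf's own: the caller learns how long the message wanted to be and can decide whether truncation is acceptable (it usually is for a diagnostic) or should be treated as an error. derive_outfile() refuses short names instead of letting the subtraction wrap, and because snprintf writes the whole result in one call there is no intermediate state in which out lacks a terminator.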