Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/speakup-3.1.6.dfsg.1/src/buffers.c
Examining data/speakup-3.1.6.dfsg.1/src/devsynth.c
Examining data/speakup-3.1.6.dfsg.1/src/fakekey.c
Examining data/speakup-3.1.6.dfsg.1/src/i18n.c
Examining data/speakup-3.1.6.dfsg.1/src/i18n.h
Examining data/speakup-3.1.6.dfsg.1/src/keyhelp.c
Examining data/speakup-3.1.6.dfsg.1/src/kobjects.c
Examining data/speakup-3.1.6.dfsg.1/src/main.c
Examining data/speakup-3.1.6.dfsg.1/src/selection.c
Examining data/speakup-3.1.6.dfsg.1/src/serialio.c
Examining data/speakup-3.1.6.dfsg.1/src/serialio.h
Examining data/speakup-3.1.6.dfsg.1/src/speakup.h
Examining data/speakup-3.1.6.dfsg.1/src/speakup_acnt.h
Examining data/speakup-3.1.6.dfsg.1/src/speakup_acntpc.c
Examining data/speakup-3.1.6.dfsg.1/src/speakup_acntsa.c
Examining data/speakup-3.1.6.dfsg.1/src/speakup_apollo.c
Examining data/speakup-3.1.6.dfsg.1/src/speakup_audptr.c
Examining data/speakup-3.1.6.dfsg.1/src/speakup_bns.c
Examining data/speakup-3.1.6.dfsg.1/src/speakup_decext.c
Examining data/speakup-3.1.6.dfsg.1/src/speakup_dectlk.c
Examining data/speakup-3.1.6.dfsg.1/src/speakup_dtlk.c
Examining data/speakup-3.1.6.dfsg.1/src/speakup_dtlk.h
Examining data/speakup-3.1.6.dfsg.1/src/speakup_dummy.c
Examining data/speakup-3.1.6.dfsg.1/src/speakup_keypc.c
Examining data/speakup-3.1.6.dfsg.1/src/speakup_ltlk.c
Examining data/speakup-3.1.6.dfsg.1/src/speakup_soft.c
Examining data/speakup-3.1.6.dfsg.1/src/speakup_spkout.c
Examining data/speakup-3.1.6.dfsg.1/src/speakup_txprt.c
Examining data/speakup-3.1.6.dfsg.1/src/speakupmap.h
Examining data/speakup-3.1.6.dfsg.1/src/spk_priv.h
Examining data/speakup-3.1.6.dfsg.1/src/spk_priv_keyinfo.h
Examining data/speakup-3.1.6.dfsg.1/src/spk_types.h
Examining data/speakup-3.1.6.dfsg.1/src/synth.c
Examining data/speakup-3.1.6.dfsg.1/src/thread.c
Examining data/speakup-3.1.6.dfsg.1/src/varhandlers.c

FINAL RESULTS:

data/speakup-3.1.6.dfsg.1/src/kobjects.c:369:8:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  rv = sprintf(buf, "%s\n", "none");
data/speakup-3.1.6.dfsg.1/src/kobjects.c:371:8:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  rv = sprintf(buf, "%s\n", synth->name);
data/speakup-3.1.6.dfsg.1/src/kobjects.c:437:8:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  cp += sprintf(cp, "Speakup version %s\n", SPEAKUP_VERSION);
data/speakup-3.1.6.dfsg.1/src/kobjects.c:439:9:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  cp += sprintf(cp, "%s synthesizer driver version %s\n",
data/speakup-3.1.6.dfsg.1/src/kobjects.c:576:8:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  rv = sprintf(buf, "Bad parameter %s, type %i\n",
data/speakup-3.1.6.dfsg.1/src/main.c:1793:3:  [4] (format) snprintf:
  If format strings can be influenced by an attacker, they can be exploited, and note that sprintf variations do not always \0-terminate (CWE-134). Use a constant for the format specification.
  snprintf(info, sizeof(info), msg_get(MSG_WINDOW_LINE),
data/speakup-3.1.6.dfsg.1/src/main.c:1803:3:  [4] (format) snprintf:
  If format strings can be influenced by an attacker, they can be exploited, and note that sprintf variations do not always \0-terminate (CWE-134). Use a constant for the format specification.
  snprintf(info, sizeof(info), msg_get(MSG_WINDOW_BOUNDARY),
data/speakup-3.1.6.dfsg.1/src/speakup_soft.c:164:14:  [4] (format) sprintf:
  Potential format string problem (CWE-134). Make format string constant.
  cp = cp + sprintf(cp, var->u.n.synth_fmt, var->u.n.value);
data/speakup-3.1.6.dfsg.1/src/synth.c:226:6:  [4] (format) vsnprintf:
  If format strings can be influenced by an attacker, they can be exploited, and note that sprintf variations do not always \0-terminate (CWE-134). Use a constant for the format specification.
  r = vsnprintf(buf, sizeof(buf), fmt, args);
data/speakup-3.1.6.dfsg.1/src/varhandlers.c:239:7:  [4] (format) sprintf:
  Potential format string problem (CWE-134). Make format string constant.
  l = sprintf(cp, var_data->u.n.synth_fmt, (int)val);
data/speakup-3.1.6.dfsg.1/src/varhandlers.c:241:7:  [4] (format) sprintf:
  Potential format string problem (CWE-134). Make format string constant.
  l = sprintf(cp, var_data->u.n.synth_fmt, var_data->u.n.out_str[val]);
data/speakup-3.1.6.dfsg.1/src/varhandlers.c:261:4:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy((char *)var->p_val, var_data->u.s.default_val);
data/speakup-3.1.6.dfsg.1/src/varhandlers.c:263:4:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy((char *)var->p_val, page);
data/speakup-3.1.6.dfsg.1/src/i18n.c:11:8:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char *speakup_msgs[MSG_LAST_INDEX];
data/speakup-3.1.6.dfsg.1/src/i18n.c:12:8:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char *speakup_default_msgs [MSG_LAST_INDEX] = {
data/speakup-3.1.6.dfsg.1/src/i18n.c:549:4:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(newstr, text, length);
data/speakup-3.1.6.dfsg.1/src/i18n.c:605:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(speakup_msgs, speakup_default_msgs, sizeof(speakup_default_msgs));
data/speakup-3.1.6.dfsg.1/src/kobjects.c:88:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf[80];
data/speakup-3.1.6.dfsg.1/src/kobjects.c:113:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char keyword[MAX_DESC_LEN + 1];
data/speakup-3.1.6.dfsg.1/src/kobjects.c:237:8:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  cp += sprintf(cp, "%d, %d, %d,\n", KEY_MAP_VER, num_keys, nstates);
data/speakup-3.1.6.dfsg.1/src/kobjects.c:244:10:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  cp += sprintf(cp, "%d,", (int)ch);
data/speakup-3.1.6.dfsg.1/src/kobjects.c:248:8:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  cp += sprintf(cp, "0, %d\n", KEY_MAP_VER);
data/speakup-3.1.6.dfsg.1/src/kobjects.c:272:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(in_buff, buf, count + 1);
data/speakup-3.1.6.dfsg.1/src/kobjects.c:382:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char new_synth_name[10];
data/speakup-3.1.6.dfsg.1/src/kobjects.c:492:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char punc_buf[100];
data/speakup-3.1.6.dfsg.1/src/kobjects.c:553:9:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  rv = sprintf(buf, "%i\n", var->u.n.value);
data/speakup-3.1.6.dfsg.1/src/kobjects.c:555:9:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  rv = sprintf(buf, "0\n");
data/speakup-3.1.6.dfsg.1/src/kobjects.c:565:13:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  cp1 += sprintf(cp1, "\\""x%02x", ch);
data/speakup-3.1.6.dfsg.1/src/kobjects.c:572:9:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  rv = sprintf(buf, "\"\"\n");
data/speakup-3.1.6.dfsg.1/src/kobjects.c:705:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf[160];
data/speakup-3.1.6.dfsg.1/src/main.c:77:8:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char buf[256];
data/speakup-3.1.6.dfsg.1/src/main.c:84:1:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char str_caps_start[MAXVARLEN+1] = "\0", str_caps_stop[MAXVARLEN+1] = "\0";
data/speakup-3.1.6.dfsg.1/src/main.c:132:1:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char *characters[256];
data/speakup-3.1.6.dfsg.1/src/main.c:134:1:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char *default_chars[256] = {
data/speakup-3.1.6.dfsg.1/src/main.c:812:8:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char *sentbufend[2];
data/speakup-3.1.6.dfsg.1/src/main.c:813:8:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char *sentmarks[2][10];
data/speakup-3.1.6.dfsg.1/src/main.c:816:8:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char sentbuf[2][256];
data/speakup-3.1.6.dfsg.1/src/main.c:1172:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(cp1, cp, key_data_len + 3);
data/speakup-3.1.6.dfsg.1/src/main.c:1229:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(characters, default_chars, sizeof(default_chars));
data/speakup-3.1.6.dfsg.1/src/main.c:1234:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(spk_chartab, default_chartab, sizeof(default_chartab));
data/speakup-3.1.6.dfsg.1/src/main.c:1749:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char num_buf[32];
data/speakup-3.1.6.dfsg.1/src/main.c:1780:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char info[40];
data/speakup-3.1.6.dfsg.1/src/speakup_audptr.c:147:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char synth_id[40] = "";
data/speakup-3.1.6.dfsg.1/src/speakup_dtlk.c:267:9:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char buf[sizeof(struct synth_settings) + 1];
data/speakup-3.1.6.dfsg.1/src/speakup_ltlk.c:144:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char buf[50], rom_v[20];
data/speakup-3.1.6.dfsg.1/src/speakup_soft.c:154:9:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char buf[40];
data/speakup-3.1.6.dfsg.1/src/speakup_soft.c:268:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char indbuf[5];
data/speakup-3.1.6.dfsg.1/src/spk_types.h:59:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char highbuf[8][COLOR_BUFFER_SIZE];
data/speakup-3.1.6.dfsg.1/src/synth.c:23:1:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char pitch_buff[32] = "";
data/speakup-3.1.6.dfsg.1/src/synth.c:222:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char buf[160], *p;
data/speakup-3.1.6.dfsg.1/src/varhandlers.c:88:9:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char nothing[2] = "\0";
data/speakup-3.1.6.dfsg.1/src/varhandlers.c:184:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf[32];
data/speakup-3.1.6.dfsg.1/src/kobjects.c:333:8:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  len = strlen(buf);
data/speakup-3.1.6.dfsg.1/src/kobjects.c:384:8:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  len = strlen(buf);
data/speakup-3.1.6.dfsg.1/src/kobjects.c:387:2:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy(new_synth_name, buf, len);
data/speakup-3.1.6.dfsg.1/src/kobjects.c:415:8:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  len = strlen(buf);
data/speakup-3.1.6.dfsg.1/src/kobjects.c:418:3:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy(tmp, ptr, bytes);
data/speakup-3.1.6.dfsg.1/src/kobjects.c:495:6:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  x = strlen(buf);
data/speakup-3.1.6.dfsg.1/src/kobjects.c:512:2:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy(punc_buf, buf, x);
data/speakup-3.1.6.dfsg.1/src/kobjects.c:628:9:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  len = strlen(buf);
data/speakup-3.1.6.dfsg.1/src/speakup_soft.c:167:12:  [1] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source is a constant character.
  cp = cp + sprintf(cp, "\n");

ANALYSIS SUMMARY:

Hits = 61
Lines analyzed = 10026 in approximately 0.28 seconds (35648 lines/second)
Physical Source Lines of Code (SLOC) = 8258
Hits@level = [0]   5 [1]   9 [2]  39 [3]   0 [4]  13 [5]   0
Hits@level+ = [0+]  66 [1+]  61 [2+]  52 [3+]  13 [4+]  13 [5+]   0
Hits/KSLOC@level+ = [0+] 7.99225 [1+] 7.38678 [2+] 6.29692 [3+] 1.57423 [4+] 1.57423 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.
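Triage note on the report above. Flawfinder is a lexical scanner: it matches function names and array declarations, and it does not see the bounds checks that may precede a hit, so a level-4 entry is a place to read, not a finding in itself. The two patterns behind the level-4 hits are an unbounded sprintf/strcpy into a fixed buffer (CWE-120) and a format string taken from a data table rather than a literal (CWE-134, the synth_fmt hits in speakup_soft.c:164 and varhandlers.c:239/241). The level-1 strlen/strncpy pairs (kobjects.c:384/387 copying into new_synth_name[10]) are the third recurring shape. The example below is added here and is not speakup code; it shows the bounded form of each idiom. The format string SAMPLE_SYNTH_FMT, the buffer sizes and the sample names are assumptions made for this example, and the check on the table format deliberately accepts only a single plain integer conversion, which is stricter than anything the report states about speakup's real tables.

```c
/*
 * Added example (not speakup code): bounded versions of the idioms behind
 * the report's level-4 and level-1 hits.  Names, buffer sizes and the sample
 * format string are assumptions made for this example.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the data-table synth_fmt that speakup_soft.c:164 and
 * varhandlers.c:239 hand to sprintf.  Constructed for this example. */
#define SAMPLE_SYNTH_FMT "\x01%dP"

/* CWE-134 check: accept a non-literal format only if it holds exactly one
 * plain integer conversion and nothing else that consumes an argument or
 * writes memory (%s, %n, widths and a second %d are all rejected). */
bool fmt_is_single_int(const char *fmt)
{
    int conversions = 0;

    for (const char *p = fmt; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                       /* "%%": literal, no argument */
            continue;
        if (*p == 'd' || *p == 'i' || *p == 'u' || *p == 'x' || *p == 'X')
            conversions++;
        else
            return false;                    /* flag, width, %s, %n or a trailing '%' */
    }
    return conversions == 1;
}

/* CWE-120 replacement for "cp += sprintf(cp, fmt, val)": writes at buf[*off],
 * never past cap, and reports truncation instead of hiding it.  C99 snprintf
 * always NUL-terminates when its size is > 0; what it does not do is stop the
 * caller from trusting a partial string, hence the return value check. */
bool append_fmt_int(char *buf, size_t cap, size_t *off, const char *fmt, int val)
{
    int n;

    if (!fmt_is_single_int(fmt) || *off >= cap)
        return false;
    n = snprintf(buf + *off, cap - *off, fmt, val);
    if (n < 0 || (size_t)n >= cap - *off) {
        *off = cap - 1;                      /* buf[cap - 1] is already '\0' */
        return false;
    }
    *off += (size_t)n;
    return true;
}

/* Replacement for the strlen()+strncpy() pair at kobjects.c:384/387: the
 * length scan is bounded by maxlen (CWE-126) and the copy is always
 * NUL-terminated (CWE-120).  Returns the copied length, or -1 if the
 * scanned prefix does not fit in dst. */
long copy_name(char *dst, size_t cap, const char *src, size_t maxlen)
{
    size_t len = 0;

    while (len < maxlen && src[len] != '\0')
        len++;
    if (cap == 0)
        return -1;
    if (len >= cap) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len);
    dst[len] = '\0';
    return (long)len;
}

int main(void)
{
    char cmd[8];
    char name[10];                           /* same size as new_synth_name[10] */
    size_t off = 0;
    bool ok;
    long n;

    printf("table format accepted: %d\n", fmt_is_single_int(SAMPLE_SYNTH_FMT));
    printf("hostile format accepted: %d\n", fmt_is_single_int("%s%n"));

    ok = append_fmt_int(cmd, sizeof cmd, &off, SAMPLE_SYNTH_FMT, 50);
    printf("pitch command fit: %d, length %zu\n", ok, off);
    ok = append_fmt_int(cmd, sizeof cmd, &off, "%d", 123456);
    printf("overlong value fit: %d, length now %zu\n", ok, off);

    n = copy_name(name, sizeof name, "dectlk", 40);
    printf("copy \"dectlk\": %ld\n", n);
    n = copy_name(name, sizeof name, "ninecharsplus", 40);
    printf("copy 13-byte name: %ld\n", n);
    return 0;
}
```

In the kernel itself the equivalent tools are scnprintf() for the accumulating-pointer idiom and strscpy() for the bounded copy; the point of the example is the shape of the check, not the helper names. Whether any particular line in the report is reachable with attacker-controlled input (for the sysfs store paths, by a user able to write the attribute) still has to be established by reading the surrounding code, which the report does not show.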