Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/vsdump-0.0.45/config.h
Examining data/vsdump-0.0.45/src/vsd_parse_cmds.c
Examining data/vsdump-0.0.45/src/vsd_inflate.c
Examining data/vsdump-0.0.45/src/vsd_pointers.c
Examining data/vsdump-0.0.45/src/vsd_dump_stream_c.c
Examining data/vsdump-0.0.45/src/vsd_parse_blocks.h
Examining data/vsdump-0.0.45/src/vsdump.h
Examining data/vsdump-0.0.45/src/vsd_utils.h
Examining data/vsdump-0.0.45/src/vsd_parse_chunks.c
Examining data/vsdump-0.0.45/src/vsd_dump_stream_23.c
Examining data/vsdump-0.0.45/src/vsd_parse_blocks.c
Examining data/vsdump-0.0.45/src/vsdump.c
Examining data/vsdump-0.0.45/src/vsd_parse_chunks.h
Examining data/vsdump-0.0.45/src/vsd_dump_stream_15.c
Examining data/vsdump-0.0.45/src/names.h
Examining data/vsdump-0.0.45/src/vsd_dump_stream_23.h
Examining data/vsdump-0.0.45/src/vsd_dump_stream_c.h
Examining data/vsdump-0.0.45/src/vsd_parse_cmds.h
Examining data/vsdump-0.0.45/src/vsd_dump_stream_15.h
Examining data/vsdump-0.0.45/src/vsd_pointers.h
Examining data/vsdump-0.0.45/src/vsd_fonts_colors_parse.c
Examining data/vsdump-0.0.45/src/vsd_utils.c
Examining data/vsdump-0.0.45/src/vsd_fonts_colors_parse.h
Examining data/vsdump-0.0.45/src/vsd_inflate.h

FINAL RESULTS:

data/vsdump-0.0.45/src/vsd_parse_blocks.c:159:3:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
  strcpy(formula, name75[idx]);

data/vsdump-0.0.45/src/vsd_parse_blocks.c:264:5:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf.
  sprintf(formula,"ThePage!%s", name75[idx]);

data/vsdump-0.0.45/src/vsd_parse_blocks.c:267:5:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf.
  sprintf(formula,"Sheet.%d!%s", GSF_LE_GET_GUINT32(stream->data + *offset + 5), name75[idx]);

data/vsdump-0.0.45/src/vsd_parse_blocks.c:296:3:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
  strcpy(formula, namefunc[idx]);

data/vsdump-0.0.45/src/vsd_parse_blocks.c:317:3:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
  strcpy(formula, namefunc[idx]);

data/vsdump-0.0.45/src/vsd_parse_blocks.c:345:3:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
  strcpy(formula, namefunc[idx]);

data/vsdump-0.0.45/src/vsd_parse_blocks.c:355:3:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
  strcpy(formula, namefunc[idx]);

data/vsdump-0.0.45/src/vsd_parse_blocks.c:553:5:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf.
  sprintf(*stack[tokens],"%s",tmp);

data/vsdump-0.0.45/src/vsd_parse_blocks.c:585:6:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf.
  sprintf(*stack[tokens], "%s()", tmp);

data/vsdump-0.0.45/src/vsd_parse_blocks.c:592:6:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf.
  sprintf(*stack[tokens], "%s()", tmp);

data/vsdump-0.0.45/src/vsd_parse_blocks.c:597:5:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf.
  sprintf(*stack[tokens], "%s(%s", tmp, *stack[tokens-argnum]);

data/vsdump-0.0.45/src/vsd_parse_blocks.c:605:6:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf.
  sprintf(*stack[tokens],"%s",tmp);

data/vsdump-0.0.45/src/vsd_parse_blocks.c:610:5:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf.
  sprintf(tmp, "%s)", *stack[tokens]);

data/vsdump-0.0.45/src/vsd_parse_blocks.c:614:5:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf.
  sprintf(*stack[tokens],"%s",tmp);

data/vsdump-0.0.45/src/vsd_parse_blocks.c:133:4:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(tmp1, stream->data + *offset + 2, len+1);

data/vsdump-0.0.45/src/vsd_parse_blocks.c:142:3:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(formula, "%d", stream->data[*offset + 1]);

data/vsdump-0.0.45/src/vsd_parse_blocks.c:148:3:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(formula, "%%");

data/vsdump-0.0.45/src/vsd_parse_blocks.c:152:3:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(formula, "%d", GSF_LE_GET_GUINT16(stream->data + *offset + 1));

data/vsdump-0.0.45/src/vsd_parse_blocks.c:396:3:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(formula, "IF");

data/vsdump-0.0.45/src/vsd_parse_blocks.c:404:3:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(formula, "AND");

data/vsdump-0.0.45/src/vsd_parse_blocks.c:412:3:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(formula, "OR");

data/vsdump-0.0.45/src/vsd_parse_blocks.c:439:4:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(formula, "%g", GSF_LE_GET_DOUBLE(stream->data + *offset + 1));

data/vsdump-0.0.45/src/vsd_parse_blocks.c:505:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char **stack[256];

data/vsdump-0.0.45/src/vsd_parse_chunks.c:209:13:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force
  the opening of special file type (e.g., device files), move things around to
  create a race condition, control its ancestors, or change its contents?
  (CWE-362).
  image = fopen(fullname, "a"); /* open it to append */

data/vsdump-0.0.45/src/vsd_parse_chunks.c:332:7:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused). Risk is low because the source is a constant string.
  strcpy(units, "Unit=\"MM\"");

data/vsdump-0.0.45/src/vsd_parse_chunks.c:335:7:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused). Risk is low because the source is a constant string.
  strcpy(units, "Unit=\"DT\"");

data/vsdump-0.0.45/src/vsd_parse_chunks.c:338:7:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused). Risk is low because the source is a constant string.
  strcpy(units, "Unit=\"PT\"");

data/vsdump-0.0.45/src/vsd_parse_chunks.c:341:8:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused). Risk is low because the source is a constant string.
  strcpy(units, "Unit=\"IN_F\"");

data/vsdump-0.0.45/src/vsd_parse_chunks.c:344:7:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused). Risk is low because the source is a constant string.
  strcpy(units, "Unit=\"DA\"");

data/vsdump-0.0.45/src/vsd_parse_chunks.c:347:8:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused). Risk is low because the source is a constant string.
  strcpy(units, "Unit=\"DEG\"");

data/vsdump-0.0.45/src/vsd_parse_cmds.c:55:19:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force
  the opening of special file type (e.g., device files), move things around to
  create a race condition, control its ancestors, or change its contents?
  (CWE-362).
  if(NULL==(ftbl = fopen("chunks_parse_cmds.tbl", "r"))){

data/vsdump-0.0.45/src/vsd_parse_cmds.c:65:14:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
  ch_type = atoi(s+6);

data/vsdump-0.0.45/src/vsd_parse_cmds.c:74:20:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
  vaep->type = atoi(v[0]);

data/vsdump-0.0.45/src/vsd_parse_cmds.c:75:20:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
  vaep->offset = atoi(v[1]);

data/vsdump-0.0.45/src/vsd_pointers.c:63:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(&data2, decomp->data + i*16+offset, 2);

data/vsdump-0.0.45/src/vsd_pointers.c:65:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(&data2, decomp->data + i*16+offset + 2, 2);

data/vsdump-0.0.45/src/vsd_pointers.c:67:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(&data, decomp->data + i*16+offset + 4, 4);

data/vsdump-0.0.45/src/vsd_pointers.c:69:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(&data, decomp->data + i*16+offset + 8, 4);

data/vsdump-0.0.45/src/vsd_pointers.c:71:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(&data, decomp->data + i*16+offset + 12, 4);

data/vsdump-0.0.45/src/vsd_pointers.c:95:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(&data, decomp->data + i, 4);

data/vsdump-0.0.45/src/vsd_pointers.c:97:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(&data, decomp->data + i + 4, 4);

data/vsdump-0.0.45/src/vsd_pointers.c:99:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(&data, decomp->data + i + 8, 4);

data/vsdump-0.0.45/src/vsd_pointers.c:101:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(&data, decomp->data + i + 12, 4);

data/vsdump-0.0.45/src/vsd_pointers.c:103:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(&data2, decomp->data + i + 16, 2);

data/vsdump-0.0.45/src/vsd_utils.c:38:9:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force
  the opening of special file type (e.g., device files), move things around to
  create a race condition, control its ancestors, or change its contents?
  (CWE-362).
  file = fopen(fullname, "w");

data/vsdump-0.0.45/src/vsd_parse_blocks.c:158:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  formula = malloc(strlen(name75[idx]) + 1);

data/vsdump-0.0.45/src/vsd_parse_blocks.c:261:23:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  formula = malloc(15+strlen(name75[idx]));

data/vsdump-0.0.45/src/vsd_parse_blocks.c:295:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  formula = malloc(strlen(namefunc[idx]) + 1);

data/vsdump-0.0.45/src/vsd_parse_blocks.c:316:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  formula = malloc(strlen(namefunc[idx]) + 1);

data/vsdump-0.0.45/src/vsd_parse_blocks.c:344:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  formula = malloc(strlen(namefunc[idx]) + 1);

data/vsdump-0.0.45/src/vsd_parse_blocks.c:354:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  formula = malloc(strlen(namefunc[idx]) + 1);

data/vsdump-0.0.45/src/vsd_parse_blocks.c:552:31:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  *stack[tokens] = g_malloc(strlen(tmp)+1);

data/vsdump-0.0.45/src/vsd_parse_blocks.c:584:32:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  *stack[tokens] = g_malloc(strlen(tmp)+5);

data/vsdump-0.0.45/src/vsd_parse_blocks.c:596:31:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  *stack[tokens] = g_malloc(strlen(tmp)+2+strlen(*stack[tokens-argnum]));

data/vsdump-0.0.45/src/vsd_parse_blocks.c:596:45:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  *stack[tokens] = g_malloc(strlen(tmp)+2+strlen(*stack[tokens-argnum]));

data/vsdump-0.0.45/src/vsd_parse_blocks.c:604:32:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  *stack[tokens] = g_malloc(strlen(tmp)+1);

data/vsdump-0.0.45/src/vsd_parse_blocks.c:609:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  tmp = g_malloc(strlen(*stack[tokens])+2);

data/vsdump-0.0.45/src/vsd_parse_blocks.c:613:31:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  *stack[tokens] = g_malloc(strlen(tmp)+1);

data/vsdump-0.0.45/src/vsd_parse_chunks.c:350:7:  [1] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused). Risk is low because the source is a constant character.
  strcpy(units, "");

data/vsdump-0.0.45/src/vsd_parse_cmds.c:71:27:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  v[2]= g_strndup(v[2], strlen(v[2])-1);

data/vsdump-0.0.45/src/vsd_parse_cmds.c:73:25:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  t = g_strndup(v[2], strlen(v[2])-1);

ANALYSIS SUMMARY:

Hits = 61
Lines analyzed = 2436 in approximately 0.13 seconds (18072 lines/second)
Physical Source Lines of Code (SLOC) = 1878
Hits@level = [0]  39 [1]  16 [2]  31 [3]   0 [4]  14 [5]   0
Hits@level+ = [0+] 100 [1+]  61 [2+]  45 [3+]  14 [4+]  14 [5+]   0
Hits/KSLOC@level+ = [0+] 53.2481 [1+] 32.4814 [2+] 23.9617 [3+] 7.45474 [4+] 7.45474 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.