Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/woff2-1.0.2/include/woff2/decode.h
Examining data/woff2-1.0.2/include/woff2/encode.h
Examining data/woff2-1.0.2/include/woff2/output.h
Examining data/woff2-1.0.2/src/buffer.h
Examining data/woff2-1.0.2/src/convert_woff2ttf_fuzzer.cc
Examining data/woff2-1.0.2/src/convert_woff2ttf_fuzzer_new_entry.cc
Examining data/woff2-1.0.2/src/file.h
Examining data/woff2-1.0.2/src/font.cc
Examining data/woff2-1.0.2/src/font.h
Examining data/woff2-1.0.2/src/glyph.cc
Examining data/woff2-1.0.2/src/glyph.h
Examining data/woff2-1.0.2/src/normalize.cc
Examining data/woff2-1.0.2/src/normalize.h
Examining data/woff2-1.0.2/src/port.h
Examining data/woff2-1.0.2/src/round.h
Examining data/woff2-1.0.2/src/store_bytes.h
Examining data/woff2-1.0.2/src/table_tags.cc
Examining data/woff2-1.0.2/src/table_tags.h
Examining data/woff2-1.0.2/src/transform.cc
Examining data/woff2-1.0.2/src/transform.h
Examining data/woff2-1.0.2/src/variable_length.cc
Examining data/woff2-1.0.2/src/variable_length.h
Examining data/woff2-1.0.2/src/woff2_common.cc
Examining data/woff2-1.0.2/src/woff2_common.h
Examining data/woff2-1.0.2/src/woff2_compress.cc
Examining data/woff2-1.0.2/src/woff2_dec.cc
Examining data/woff2-1.0.2/src/woff2_decompress.cc
Examining data/woff2-1.0.2/src/woff2_enc.cc
Examining data/woff2-1.0.2/src/woff2_info.cc
Examining data/woff2-1.0.2/src/woff2_out.cc

FINAL RESULTS:

data/woff2-1.0.2/src/buffer.h:78:12:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
      std::memcpy(data, buffer_ + offset_, n_bytes);
data/woff2-1.0.2/src/buffer.h:97:10:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
      std::memcpy(value, buffer_ + offset_, sizeof(uint16_t));
data/woff2-1.0.2/src/buffer.h:122:10:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
      std::memcpy(value, buffer_ + offset_, sizeof(uint32_t));
data/woff2-1.0.2/src/buffer.h:136:10:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
      std::memcpy(value, buffer_ + offset_, sizeof(uint32_t));
data/woff2-1.0.2/src/buffer.h:145:10:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
      std::memcpy(value, buffer_ + offset_, sizeof(uint64_t));
data/woff2-1.0.2/src/font.cc:250:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
      memcpy(dst + table.offset, table.data, table.length);
data/woff2-1.0.2/src/normalize.cc:99:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
      memcpy(buf, table->data, table->length);
data/woff2-1.0.2/src/store_bytes.h:65:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
      memcpy(&dst[*offset], data, len);
data/woff2-1.0.2/src/transform.cc:30:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
      memcpy(&(*out)[offset], data, len);
data/woff2-1.0.2/src/woff2_out.cc:61:8:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
      std::memcpy(buf_ + offset, buf, n);

ANALYSIS SUMMARY:

Hits = 10
Lines analyzed = 4795 in approximately 0.12 seconds (38401 lines/second)
Physical Source Lines of Code (SLOC) = 3651
Hits@level = [0]  50 [1]   0 [2]  10 [3]   0 [4]   0 [5]   0
Hits@level+ = [0+]  60 [1+]  10 [2+]  10 [3+]   0 [4+]   0 [5+]   0
Hits/KSLOC@level+ = [0+] 16.4339 [1+] 2.73898 [2+] 2.73898 [3+]   0 [4+]   0 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.