Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/xinput-calibrator-0.7.5+git20140201/src/calibrator/EvdevTester.hpp
Examining data/xinput-calibrator-0.7.5+git20140201/src/calibrator/Usbtouchscreen.hpp
Examining data/xinput-calibrator-0.7.5+git20140201/src/calibrator/EvdevTester.cpp
Examining data/xinput-calibrator-0.7.5+git20140201/src/calibrator/Tester.cpp
Examining data/xinput-calibrator-0.7.5+git20140201/src/calibrator/Tester.hpp
Examining data/xinput-calibrator-0.7.5+git20140201/src/calibrator/Evdev.hpp
Examining data/xinput-calibrator-0.7.5+git20140201/src/calibrator/XorgPrint.cpp
Examining data/xinput-calibrator-0.7.5+git20140201/src/calibrator/Usbtouchscreen.cpp
Examining data/xinput-calibrator-0.7.5+git20140201/src/calibrator/XorgPrint.hpp
Examining data/xinput-calibrator-0.7.5+git20140201/src/calibrator/Evdev.cpp
Examining data/xinput-calibrator-0.7.5+git20140201/src/calibrator.cpp
Examining data/xinput-calibrator-0.7.5+git20140201/src/main_gtkmm.cpp
Examining data/xinput-calibrator-0.7.5+git20140201/src/main_x11.cpp
Examining data/xinput-calibrator-0.7.5+git20140201/src/tester.cpp
Examining data/xinput-calibrator-0.7.5+git20140201/src/gui/gui_common.hpp
Examining data/xinput-calibrator-0.7.5+git20140201/src/gui/gtkmm.hpp
Examining data/xinput-calibrator-0.7.5+git20140201/src/gui/x11.hpp
Examining data/xinput-calibrator-0.7.5+git20140201/src/gui/x11.cpp
Examining data/xinput-calibrator-0.7.5+git20140201/src/gui/gui_common.cpp
Examining data/xinput-calibrator-0.7.5+git20140201/src/gui/gtkmm.cpp
Examining data/xinput-calibrator-0.7.5+git20140201/src/main_common.cpp

FINAL RESULTS:

data/xinput-calibrator-0.7.5+git20140201/src/calibrator.cpp:216:20:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
(void) sprintf(filename, "%s/%s/%s", SYSFS_INPUT, ep->d_name, SYSFS_DEVNAME);

data/xinput-calibrator-0.7.5+git20140201/src/calibrator/Evdev.cpp:531:5:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
sprintf(line, " MatchProduct \"%s\"\n", sysfs_name);

data/xinput-calibrator-0.7.5+git20140201/src/calibrator/Evdev.cpp:575:5:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
sprintf(line, "<match key=\"info.product\" contains=\"%s\">\n", sysfs_name);

data/xinput-calibrator-0.7.5+git20140201/src/calibrator/Evdev.cpp:613:5:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
sprintf(line, " xinput set-int-prop \"%s\" \"Evdev Axis Calibration\" 32 %d %d %d %d\n", device_name, new_axys.x.min, new_axys.x.max, new_axys.y.min, new_axys.y.max);

data/xinput-calibrator-0.7.5+git20140201/src/calibrator/Evdev.cpp:615:5:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
sprintf(line, " xinput set-int-prop \"%s\" \"Evdev Axes Swap\" 8 %d\n", device_name, new_axys.swap_xy);

data/xinput-calibrator-0.7.5+git20140201/src/calibrator/Usbtouchscreen.cpp:131:5:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
sprintf(new_opt, "%s %s=%d %s=%d %s=%d %s=%d %s=%d %s=%d %s=%c %s=%c %s=%c %s=%c\n",

data/xinput-calibrator-0.7.5+git20140201/src/calibrator/Usbtouchscreen.cpp:155:5:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
sprintf(filename, "%s/%s", module_prefix, param);

data/xinput-calibrator-0.7.5+git20140201/src/calibrator/Usbtouchscreen.cpp:170:5:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
sprintf(filename, "%s/%s", module_prefix, param);

data/xinput-calibrator-0.7.5+git20140201/src/calibrator/Usbtouchscreen.cpp:186:5:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
sprintf(filename, "%s/%s", module_prefix, param);

data/xinput-calibrator-0.7.5+git20140201/src/calibrator/Usbtouchscreen.cpp:200:5:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
sprintf(filename, "%s/%s", module_prefix, param);

data/xinput-calibrator-0.7.5+git20140201/src/calibrator/XorgPrint.cpp:83:5:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
sprintf(line, " MatchProduct \"%s\"\n", sysfs_name);

data/xinput-calibrator-0.7.5+git20140201/src/calibrator/XorgPrint.cpp:136:5:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
sprintf(line, "<match key=\"info.product\" contains=\"%s\">\n", sysfs_name);

data/xinput-calibrator-0.7.5+git20140201/src/main_common.cpp:106:20:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
(void) sprintf(filename, "%s/%s/%s", SYSFS_INPUT, pre_device, SYSFS_DEVNAME);

data/xinput-calibrator-0.7.5+git20140201/src/calibrator.cpp:215:13:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
char filename[40]; // actually 35, but hey...

data/xinput-calibrator-0.7.5+git20140201/src/calibrator/Evdev.cpp:387:16:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
return atoi(name);

data/xinput-calibrator-0.7.5+git20140201/src/calibrator/Evdev.cpp:411:14:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
id = atoi(name);

data/xinput-calibrator-0.7.5+git20140201/src/calibrator/Evdev.cpp:526:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
char line[MAX_LINE_LEN];

data/xinput-calibrator-0.7.5+git20140201/src/calibrator/Evdev.cpp:533:5:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(line, " Option \"Calibration\" \"%d %d %d %d\"\n",

data/xinput-calibrator-0.7.5+git20140201/src/calibrator/Evdev.cpp:536:5:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(line, " Option \"SwapAxes\" \"%d\"\n", new_axys.swap_xy);

data/xinput-calibrator-0.7.5+git20140201/src/calibrator/Evdev.cpp:546:21:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
FILE* fid = fopen(output_filename, "w");

data/xinput-calibrator-0.7.5+git20140201/src/calibrator/Evdev.cpp:572:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
char line[MAX_LINE_LEN];

data/xinput-calibrator-0.7.5+git20140201/src/calibrator/Evdev.cpp:577:5:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(line, " <merge key=\"input.x11_options.calibration\" type=\"string\">%d %d %d %d</merge>\n",

data/xinput-calibrator-0.7.5+git20140201/src/calibrator/Evdev.cpp:580:5:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(line, " <merge key=\"input.x11_options.swapaxes\" type=\"string\">%d</merge>\n",

data/xinput-calibrator-0.7.5+git20140201/src/calibrator/Evdev.cpp:589:21:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
FILE* fid = fopen(output_filename, "w");

data/xinput-calibrator-0.7.5+git20140201/src/calibrator/Evdev.cpp:610:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
char line[MAX_LINE_LEN];

data/xinput-calibrator-0.7.5+git20140201/src/calibrator/Evdev.cpp:622:15:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
FILE* fid = fopen(output_filename, "w");

data/xinput-calibrator-0.7.5+git20140201/src/calibrator/Usbtouchscreen.cpp:109:17:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
FILE *fid = fopen(filename, "r");

data/xinput-calibrator-0.7.5+git20140201/src/calibrator/Usbtouchscreen.cpp:118:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
char line[len];

data/xinput-calibrator-0.7.5+git20140201/src/calibrator/Usbtouchscreen.cpp:139:11:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
fid = fopen(filename, "w");

data/xinput-calibrator-0.7.5+git20140201/src/calibrator/Usbtouchscreen.cpp:154:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
char filename[100];

data/xinput-calibrator-0.7.5+git20140201/src/calibrator/Usbtouchscreen.cpp:156:17:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
FILE *fid = fopen(filename, "r");

data/xinput-calibrator-0.7.5+git20140201/src/calibrator/Usbtouchscreen.cpp:169:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
char filename[100];

data/xinput-calibrator-0.7.5+git20140201/src/calibrator/Usbtouchscreen.cpp:171:17:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
FILE *fid = fopen(filename, "r");

data/xinput-calibrator-0.7.5+git20140201/src/calibrator/Usbtouchscreen.cpp:177:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
char val[3];

data/xinput-calibrator-0.7.5+git20140201/src/calibrator/Usbtouchscreen.cpp:185:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
char filename[100];

data/xinput-calibrator-0.7.5+git20140201/src/calibrator/Usbtouchscreen.cpp:187:17:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
FILE *fid = fopen(filename, "w");

data/xinput-calibrator-0.7.5+git20140201/src/calibrator/Usbtouchscreen.cpp:199:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
char filename[100];

data/xinput-calibrator-0.7.5+git20140201/src/calibrator/Usbtouchscreen.cpp:201:17:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
FILE *fid = fopen(filename, "w");

data/xinput-calibrator-0.7.5+git20140201/src/calibrator/XorgPrint.cpp:78:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
char line[MAX_LINE_LEN];

data/xinput-calibrator-0.7.5+git20140201/src/calibrator/XorgPrint.cpp:85:5:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(line, " Option \"MinX\" \"%d\"\n", new_axys.x.min);

data/xinput-calibrator-0.7.5+git20140201/src/calibrator/XorgPrint.cpp:87:5:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(line, " Option \"MaxX\" \"%d\"\n", new_axys.x.max);

data/xinput-calibrator-0.7.5+git20140201/src/calibrator/XorgPrint.cpp:89:5:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(line, " Option \"MinY\" \"%d\"\n", new_axys.y.min);

data/xinput-calibrator-0.7.5+git20140201/src/calibrator/XorgPrint.cpp:91:5:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(line, " Option \"MaxY\" \"%d\"\n", new_axys.y.max);

data/xinput-calibrator-0.7.5+git20140201/src/calibrator/XorgPrint.cpp:93:5:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(line, " Option \"SwapXY\" \"%d\" # unless it was already set to 1\n", new_axys.swap_xy);

data/xinput-calibrator-0.7.5+git20140201/src/calibrator/XorgPrint.cpp:95:5:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(line, " Option \"InvertX\" \"%d\" # unless it was already set\n", new_axys.x.invert);

data/xinput-calibrator-0.7.5+git20140201/src/calibrator/XorgPrint.cpp:97:5:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(line, " Option \"InvertY\" \"%d\" # unless it was already set\n", new_axys.y.invert);

data/xinput-calibrator-0.7.5+git20140201/src/calibrator/XorgPrint.cpp:107:21:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
FILE* fid = fopen(output_filename, "w");

data/xinput-calibrator-0.7.5+git20140201/src/calibrator/XorgPrint.cpp:133:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
char line[MAX_LINE_LEN];

data/xinput-calibrator-0.7.5+git20140201/src/calibrator/XorgPrint.cpp:138:5:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(line, " <merge key=\"input.x11_options.minx\" type=\"string\">%d</merge>\n", new_axys.x.min);

data/xinput-calibrator-0.7.5+git20140201/src/calibrator/XorgPrint.cpp:140:5:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(line, " <merge key=\"input.x11_options.maxx\" type=\"string\">%d</merge>\n", new_axys.x.max);

data/xinput-calibrator-0.7.5+git20140201/src/calibrator/XorgPrint.cpp:142:5:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(line, " <merge key=\"input.x11_options.miny\" type=\"string\">%d</merge>\n", new_axys.y.min);

data/xinput-calibrator-0.7.5+git20140201/src/calibrator/XorgPrint.cpp:144:5:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(line, " <merge key=\"input.x11_options.maxy\" type=\"string\">%d</merge>\n", new_axys.y.max);

data/xinput-calibrator-0.7.5+git20140201/src/calibrator/XorgPrint.cpp:146:5:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(line, " <merge key=\"input.x11_options.swapxy\" type=\"string\">%d</merge>\n", new_axys.swap_xy);

data/xinput-calibrator-0.7.5+git20140201/src/calibrator/XorgPrint.cpp:148:5:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(line, " <merge key=\"input.x11_options.invertx\" type=\"string\">%d</merge>\n", new_axys.x.invert);

data/xinput-calibrator-0.7.5+git20140201/src/calibrator/XorgPrint.cpp:150:5:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(line, " <merge key=\"input.x11_options.inverty\" type=\"string\">%d</merge>\n", new_axys.y.invert);

data/xinput-calibrator-0.7.5+git20140201/src/calibrator/XorgPrint.cpp:160:21:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
FILE* fid = fopen(output_filename, "w");

data/xinput-calibrator-0.7.5+git20140201/src/main_common.cpp:48:20:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
return (char*) memcpy(p, s, len);

data/xinput-calibrator-0.7.5+git20140201/src/main_common.cpp:105:13:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
char filename[40]; // actually 35, but hey...

data/xinput-calibrator-0.7.5+git20140201/src/main_common.cpp:131:56:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
if ((pre_device_is_id && list->id == (XID) atoi(pre_device)) ||

data/xinput-calibrator-0.7.5+git20140201/src/main_common.cpp:258:38:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
pre_axys.x.min = atoi(argv[++i]);

data/xinput-calibrator-0.7.5+git20140201/src/main_common.cpp:260:38:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
pre_axys.x.max = atoi(argv[++i]);

data/xinput-calibrator-0.7.5+git20140201/src/main_common.cpp:262:38:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
pre_axys.y.min = atoi(argv[++i]);

data/xinput-calibrator-0.7.5+git20140201/src/main_common.cpp:264:38:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
pre_axys.y.max = atoi(argv[++i]);

data/xinput-calibrator-0.7.5+git20140201/src/main_common.cpp:270:36:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
thr_misclick = atoi(argv[++i]);

data/xinput-calibrator-0.7.5+git20140201/src/calibrator.cpp:213:42:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (strncmp(ep->d_name, "event", strlen("event")) == 0) {

data/xinput-calibrator-0.7.5+git20140201/src/calibrator/Evdev.cpp:399:16:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
int len = strlen(name);

data/xinput-calibrator-0.7.5+git20140201/src/calibrator/Usbtouchscreen.cpp:120:25:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
const int opt_len = strlen(opt);

data/xinput-calibrator-0.7.5+git20140201/src/gui/x11.cpp:339:49:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
int text_width = XTextWidth(font_info, msg, strlen(msg));

data/xinput-calibrator-0.7.5+git20140201/src/gui/x11.cpp:348:46:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
XDrawString(display, win, gc, x, y, msg, strlen(msg));

data/xinput-calibrator-0.7.5+git20140201/src/gui/x11.cpp:362:15:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
ret = read(instance->timer_fd, &missed, sizeof (missed));

data/xinput-calibrator-0.7.5+git20140201/src/main_common.cpp:42:18:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
size_t len = strlen(s) + 1;

data/xinput-calibrator-0.7.5+git20140201/src/main_common.cpp:90:19:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
int len = strlen(pre_device);

data/xinput-calibrator-0.7.5+git20140201/src/main_common.cpp:102:14:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
if ( strlen(pre_device) < strlen("event") + 4 &&

data/xinput-calibrator-0.7.5+git20140201/src/main_common.cpp:102:35:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
if ( strlen(pre_device) < strlen("event") + 4 &&

data/xinput-calibrator-0.7.5+git20140201/src/main_common.cpp:103:43:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
strncmp(pre_device, "event", strlen("event")) == 0 ) {

ANALYSIS SUMMARY:

Hits = 75
Lines analyzed = 3439 in approximately 0.13 seconds (27214 lines/second)
Physical Source Lines of Code (SLOC) = 2169
Hits@level = [0] 140 [1]  11 [2]  51 [3]   0 [4]  13 [5]   0
Hits@level+ = [0+] 215 [1+]  75 [2+]  64 [3+]  13 [4+]  13 [5+]   0
Hits/KSLOC@level+ = [0+] 99.124 [1+] 34.5781 [2+] 29.5067 [3+] 5.99355 [4+] 5.99355 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.