daily pastebin goal
56%
SHARE
TWEET

Flawfinder 1.31 - Ruby 2.2.x-master - 10/2/2015

a guest Oct 2nd, 2015 81 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. Flawfinder version 1.31, (C) 2001-2014 David A. Wheeler.
  2. Number of rules (primarily dangerous function names) in C/C++ ruleset: 169
  3. Examining ./addr2line.c
  4. Examining ./array.c
  5. Examining ./bignum.c
  6. Examining ./class.c
  7. Examining ./compar.c
  8. Examining ./compile.c
  9. Examining ./complex.c
  10. Examining ./cont.c
  11. Examining ./debug.c
  12. Examining ./dir.c
  13. Examining ./dln.c
  14. Examining ./dln_find.c
  15. Examining ./dmydln.c
  16. Examining ./dmyenc.c
  17. Examining ./dmyext.c
  18. Examining ./encoding.c
  19. Examining ./enum.c
  20. Examining ./enumerator.c
  21. Examining ./error.c
  22. Examining ./eval.c
  23. Examining ./eval_error.c
  24. Examining ./eval_jump.c
  25. Examining ./file.c
  26. Examining ./gc.c
  27. Examining ./goruby.c
  28. Examining ./hash.c
  29. Examining ./id_table.c
  30. Examining ./inits.c
  31. Examining ./io.c
  32. Examining ./iseq.c
  33. Examining ./load.c
  34. Examining ./loadpath.c
  35. Examining ./localeinit.c
  36. Examining ./main.c
  37. Examining ./marshal.c
  38. Examining ./math.c
  39. Examining ./miniinit.c
  40. Examining ./node.c
  41. Examining ./numeric.c
  42. Examining ./object.c
  43. Examining ./pack.c
  44. Examining ./proc.c
  45. Examining ./process.c
  46. Examining ./random.c
  47. Examining ./range.c
  48. Examining ./rational.c
  49. Examining ./re.c
  50. Examining ./regcomp.c
  51. Examining ./regenc.c
  52. Examining ./regerror.c
  53. Examining ./regexec.c
  54. Examining ./regparse.c
  55. Examining ./regsyntax.c
  56. Examining ./ruby.c
  57. Examining ./safe.c
  58. Examining ./signal.c
  59. Examining ./siphash.c
  60. Examining ./sparc.c
  61. Examining ./sprintf.c
  62. Examining ./st.c
  63. Examining ./strftime.c
  64. Examining ./string.c
  65. Examining ./struct.c
  66. Examining ./symbol.c
  67. Examining ./thread.c
  68. Examining ./thread_pthread.c
  69. Examining ./thread_sync.c
  70. Examining ./thread_win32.c
  71. Examining ./time.c
  72. Examining ./transcode.c
  73. Examining ./util.c
  74. Examining ./variable.c
  75. Examining ./version.c
  76. Examining ./vm.c
  77. Examining ./vm_args.c
  78. Examining ./vm_backtrace.c
  79. Examining ./vm_dump.c
  80. Examining ./vm_eval.c
  81. Examining ./vm_exec.c
  82. Examining ./vm_insnhelper.c
  83. Examining ./vm_method.c
  84. Examining ./vm_trace.c
  85. Examining ./vsnprintf.c
  86.  
  87. FINAL RESULTS:
  88.  
  89. ./addr2line.c:650:  [5] (race) readlink:
  90.   This accepts filename arguments; if an attacker can move those files or
  91.   change the link content, a race condition results. Also, it does not
  92.   terminate with ASCII NUL. (CWE-362, CWE-20). Reconsider approach.
  93. ./file.c:104:  [5] (race) chmod:
  94.   This accepts filename arguments; if an attacker can move those files, a
  95.   race condition results. (CWE-362). Use fchmod( ) instead.
  96. ./file.c:105:  [5] (race) chmod:
  97.   This accepts filename arguments; if an attacker can move those files, a
  98.   race condition results. (CWE-362). Use fchmod( ) instead.
  99. ./file.c:106:  [5] (race) chown:
  100.   This accepts filename arguments; if an attacker can move those files, a
  101.   race condition results. (CWE-362). Use fchown( ) instead.
  102. ./file.c:107:  [5] (race) chown:
  103.   This accepts filename arguments; if an attacker can move those files, a
  104.   race condition results. (CWE-362). Use fchown( ) instead.
  105. ./file.c:134:  [5] (race) chown:
  106.   This accepts filename arguments; if an attacker can move those files, a
  107.   race condition results. (CWE-362). Use fchown( ) instead.
  108. ./file.c:136:  [5] (race) chown:
  109.   This accepts filename arguments; if an attacker can move those files, a
  110.   race condition results. (CWE-362). Use fchown( ) instead.
  111. ./file.c:2311:  [5] (race) chmod:
  112.   This accepts filename arguments; if an attacker can move those files, a
  113.   race condition results. (CWE-362). Use fchmod( ) instead.
  114. ./file.c:2380:  [5] (race) chmod:
  115.   This accepts filename arguments; if an attacker can move those files, a
  116.   race condition results. (CWE-362). Use fchmod( ) instead.
  117. ./file.c:2449:  [5] (race) chown:
  118.   This accepts filename arguments; if an attacker can move those files, a
  119.   race condition results. (CWE-362). Use fchown( ) instead.
  120. ./file.c:2514:  [5] (race) chown:
  121.   This accepts filename arguments; if an attacker can move those files, a
  122.   race condition results. (CWE-362). Use fchown( ) instead.
  123. ./file.c:2821:  [5] (race) readlink:
  124.   This accepts filename arguments; if an attacker can move those files or
  125.   change the link content, a race condition results. Also, it does not
  126.   terminate with ASCII NUL. (CWE-362, CWE-20). Reconsider approach.
  127. ./file.c:2902:  [5] (race) chmod:
  128.   This accepts filename arguments; if an attacker can move those files, a
  129.   race condition results. (CWE-362). Use fchmod( ) instead.
  130. ./io.c:8069:  [5] (race) chmod:
  131.   This accepts filename arguments; if an attacker can move those files, a
  132.   race condition results. (CWE-362). Use fchmod( ) instead.
  133. ./io.c:8076:  [5] (race) chown:
  134.   This accepts filename arguments; if an attacker can move those files, a
  135.   race condition results. (CWE-362). Use fchown( ) instead.
  136. ./addr2line.c:449:  [4] (buffer) strcpy:
  137.   Does not check for buffer overflows when copying to destination (CWE-120).
  138.   Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily
  139.   misused).
  140. ./addr2line.c:450:  [4] (buffer) strcpy:
  141.   Does not check for buffer overflows when copying to destination (CWE-120).
  142.   Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily
  143.   misused).
  144. ./addr2line.c:723:  [4] (buffer) strcpy:
  145.   Does not check for buffer overflows when copying to destination (CWE-120).
  146.   Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily
  147.   misused).
  148. ./bignum.c:2878:  [4] (format) printf:
  149.   If format strings can be influenced by an attacker, they can be exploited
  150.   (CWE-134). Use a constant for the format specification.
  151. ./bignum.c:2880:  [4] (format) printf:
  152.   If format strings can be influenced by an attacker, they can be exploited
  153.   (CWE-134). Use a constant for the format specification.
  154. ./compile.c:159:  [4] (format) printf:
  155.   If format strings can be influenced by an attacker, they can be exploited
  156.   (CWE-134). Use a constant for the format specification.
  157. ./compile.c:163:  [4] (format) printf:
  158.   If format strings can be influenced by an attacker, they can be exploited
  159.   (CWE-134). Use a constant for the format specification.
  160. ./debug.c:58:  [4] (format) vfprintf:
  161.   If format strings can be influenced by an attacker, they can be exploited
  162.   (CWE-134). Use a constant for the format specification.
  163. ./dln.c:98:  [4] (format) vfprintf:
  164.   If format strings can be influenced by an attacker, they can be exploited
  165.   (CWE-134). Use a constant for the format specification.
  166. ./dln.c:1254:  [4] (buffer) strcpy:
  167.   Does not check for buffer overflows when copying to destination (CWE-120).
  168.   Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily
  169.   misused).
  170. ./dln_find.c:17:  [4] (format) fprintf:
  171.   If format strings can be influenced by an attacker, they can be exploited
  172.   (CWE-134). Use a constant for the format specification.
  173. ./error.c:348:  [4] (format) vsnprintf:
  174.   If format strings can be influenced by an attacker, they can be exploited,
  175.   and note that sprintf variations do not always \0-terminate (CWE-134). Use
  176.   a constant for the format specification.
  177. ./error.c:372:  [4] (format) fprintf:
  178.   If format strings can be influenced by an attacker, they can be exploited
  179.   (CWE-134). Use a constant for the format specification.
  180. ./file.c:102:  [4] (race) access:
  181.   This usually indicates a security flaw. If an attacker can change anything
  182.   along the path between the call to access() and the file's actual use
  183.   (e.g., by moving files), the attacker can exploit the race condition
  184.   (CWE-362/CWE-367). Set up the correct permissions (e.g., using setuid())
  185.   and try to open the file directly.
  186. ./file.c:103:  [4] (race) access:
  187.   This usually indicates a security flaw. If an attacker can change anything
  188.   along the path between the call to access() and the file's actual use
  189.   (e.g., by moving files), the attacker can exploit the race condition
  190.   (CWE-362/CWE-367). Set up the correct permissions (e.g., using setuid())
  191.   and try to open the file directly.
  192. ./file.c:1290:  [4] (race) access:
  193.   This usually indicates a security flaw. If an attacker can change anything
  194.   along the path between the call to access() and the file's actual use
  195.   (e.g., by moving files), the attacker can exploit the race condition
  196.   (CWE-362/CWE-367). Set up the correct permissions (e.g., using setuid())
  197.   and try to open the file directly.
  198. ./file.c:1317:  [4] (race) access:
  199.   This usually indicates a security flaw. If an attacker can change anything
  200.   along the path between the call to access() and the file's actual use
  201.   (e.g., by moving files), the attacker can exploit the race condition
  202.   (CWE-362/CWE-367). Set up the correct permissions (e.g., using setuid())
  203.   and try to open the file directly.
  204. ./file.c:1585:  [4] (race) access:
  205.   This usually indicates a security flaw. If an attacker can change anything
  206.   along the path between the call to access() and the file's actual use
  207.   (e.g., by moving files), the attacker can exploit the race condition
  208.   (CWE-362/CWE-367). Set up the correct permissions (e.g., using setuid())
  209.   and try to open the file directly.
  210. ./file.c:1657:  [4] (race) access:
  211.   This usually indicates a security flaw. If an attacker can change anything
  212.   along the path between the call to access() and the file's actual use
  213.   (e.g., by moving files), the attacker can exploit the race condition
  214.   (CWE-362/CWE-367). Set up the correct permissions (e.g., using setuid())
  215.   and try to open the file directly.
  216. ./file.c:1721:  [4] (race) access:
  217.   This usually indicates a security flaw. If an attacker can change anything
  218.   along the path between the call to access() and the file's actual use
  219.   (e.g., by moving files), the attacker can exploit the race condition
  220.   (CWE-362/CWE-367). Set up the correct permissions (e.g., using setuid())
  221.   and try to open the file directly.
  222. ./file.c:1971:  [4] (race) access:
  223.   This usually indicates a security flaw. If an attacker can change anything
  224.   along the path between the call to access() and the file's actual use
  225.   (e.g., by moving files), the attacker can exploit the race condition
  226.   (CWE-362/CWE-367). Set up the correct permissions (e.g., using setuid())
  227.   and try to open the file directly.
  228. ./file.c:1972:  [4] (race) access:
  229.   This usually indicates a security flaw. If an attacker can change anything
  230.   along the path between the call to access() and the file's actual use
  231.   (e.g., by moving files), the attacker can exploit the race condition
  232.   (CWE-362/CWE-367). Set up the correct permissions (e.g., using setuid())
  233.   and try to open the file directly.
  234. ./file.c:5615:  [4] (race) access:
  235.   This usually indicates a security flaw. If an attacker can change anything
  236.   along the path between the call to access() and the file's actual use
  237.   (e.g., by moving files), the attacker can exploit the race condition
  238.   (CWE-362/CWE-367). Set up the correct permissions (e.g., using setuid())
  239.   and try to open the file directly.
  240. ./gc.c:5432:  [4] (format) vsnprintf:
  241.   If format strings can be influenced by an attacker, they can be exploited,
  242.   and note that sprintf variations do not always \0-terminate (CWE-134). Use
  243.   a constant for the format specification.
  244. ./gc.c:5788:  [4] (buffer) strcpy:
  245.   Does not check for buffer overflows when copying to destination (CWE-120).
  246.   Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily
  247.   misused).
  248. ./io.c:6127:  [4] (shell) popen:
  249.   This causes a new program to execute and is difficult to use safely
  250.   (CWE-78). try using a library call that implements the same functionality
  251.   if available.
  252. ./iseq.c:1505:  [4] (format) snprintf:
  253.   If format strings can be influenced by an attacker, they can be exploited,
  254.   and note that sprintf variations do not always \0-terminate (CWE-134). Use
  255.   a constant for the format specification.
  256. ./process.c:290:  [4] (shell) execv:
  257.   This causes a new program to execute and is difficult to use safely
  258.   (CWE-78). try using a library call that implements the same functionality
  259.   if available.
  260. ./process.c:291:  [4] (shell) execl:
  261.   This causes a new program to execute and is difficult to use safely
  262.   (CWE-78). try using a library call that implements the same functionality
  263.   if available.
  264. ./process.c:291:  [4] (shell) execle:
  265.   This causes a new program to execute and is difficult to use safely
  266.   (CWE-78). try using a library call that implements the same functionality
  267.   if available.
  268. ./process.c:328:  [4] (format) vfprintf:
  269.   If format strings can be influenced by an attacker, they can be exploited
  270.   (CWE-134). Use a constant for the format specification.
  271. ./process.c:1235:  [4] (shell) execv:
  272.   This causes a new program to execute and is difficult to use safely
  273.   (CWE-78). try using a library call that implements the same functionality
  274.   if available.
  275. ./process.c:1277:  [4] (buffer) strcpy:
  276.   Does not check for buffer overflows when copying to destination (CWE-120).
  277.   Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily
  278.   misused).
  279. ./process.c:1295:  [4] (shell) execv:
  280.   This causes a new program to execute and is difficult to use safely
  281.   (CWE-78). try using a library call that implements the same functionality
  282.   if available.
  283. ./process.c:1336:  [4] (shell) execl:
  284.   This causes a new program to execute and is difficult to use safely
  285.   (CWE-78). try using a library call that implements the same functionality
  286.   if available.
  287. ./process.c:1338:  [4] (shell) system:
  288.   This causes a new program to execute and is difficult to use safely
  289.   (CWE-78). try using a library call that implements the same functionality
  290.   if available.
  291. ./process.c:1344:  [4] (shell) execle:
  292.   This causes a new program to execute and is difficult to use safely
  293.   (CWE-78). try using a library call that implements the same functionality
  294.   if available.
  295. ./process.c:1346:  [4] (shell) execl:
  296.   This causes a new program to execute and is difficult to use safely
  297.   (CWE-78). try using a library call that implements the same functionality
  298.   if available.
  299. ./process.c:2618:  [4] (format) snprintf:
  300.   If format strings can be influenced by an attacker, they can be exploited,
  301.   and note that sprintf variations do not always \0-terminate (CWE-134). Use
  302.   a constant for the format specification.
  303. ./process.c:2619:  [4] (format) snprintf:
  304.   If format strings can be influenced by an attacker, they can be exploited,
  305.   and note that sprintf variations do not always \0-terminate (CWE-134). Use
  306.   a constant for the format specification.
  307. ./process.c:3967:  [4] (shell) system:
  308.   This causes a new program to execute and is difficult to use safely
  309.   (CWE-78). try using a library call that implements the same functionality
  310.   if available.
  311. ./sprintf.c:1185:  [4] (format) snprintf:
  312.   If format strings can be influenced by an attacker, they can be exploited,
  313.   and note that sprintf variations do not always \0-terminate (CWE-134). Use
  314.   a constant for the format specification.
  315. ./strftime.c:232:  [4] (format) snprintf:
  316.   If format strings can be influenced by an attacker, they can be exploited,
  317.   and note that sprintf variations do not always \0-terminate (CWE-134). Use
  318.   a constant for the format specification.
  319. ./strftime.c:499:  [4] (format) snprintf:
  320.   If format strings can be influenced by an attacker, they can be exploited,
  321.   and note that sprintf variations do not always \0-terminate (CWE-134). Use
  322.   a constant for the format specification.
  323. ./string.c:7865:  [4] (crypto) crypt:
  324.   Function crypt is a poor one-way hashing algorithm; since it only accepts
  325.   passwords of 8 characters or less, and only a two-byte salt, it is
  326.   excessively vulnerable to dictionary attacks given today's faster computing
  327.   equipment (CWE-327). Use a different algorithm, such as SHA-1, with a
  328.   larger non-repeating salt.
  329. ./string.c:7892:  [4] (crypto) crypt:
  330.   Function crypt is a poor one-way hashing algorithm; since it only accepts
  331.   passwords of 8 characters or less, and only a two-byte salt, it is
  332.   excessively vulnerable to dictionary attacks given today's faster computing
  333.   equipment (CWE-327). Use a different algorithm, such as SHA-1, with a
  334.   larger non-repeating salt.
  335. ./thread.c:262:  [4] (format) printf:
  336.   If format strings can be influenced by an attacker, they can be exploited
  337.   (CWE-134). Use a constant for the format specification.
  338. ./thread.c:284:  [4] (format) printf:
  339.   If format strings can be influenced by an attacker, they can be exploited
  340.   (CWE-134). Use a constant for the format specification.
  341. ./thread.c:293:  [4] (format) printf:
  342.   If format strings can be influenced by an attacker, they can be exploited
  343.   (CWE-134). Use a constant for the format specification.
  344. ./thread.c:327:  [4] (format) vsnprintf:
  345.   If format strings can be influenced by an attacker, they can be exploited,
  346.   and note that sprintf variations do not always \0-terminate (CWE-134). Use
  347.   a constant for the format specification.
  348. ./vm_dump.c:125:  [4] (format) fprintf:
  349.   If format strings can be influenced by an attacker, they can be exploited
  350.   (CWE-134). Use a constant for the format specification.
  351. ./vm_dump.c:151:  [4] (format) fprintf:
  352.   If format strings can be influenced by an attacker, they can be exploited
  353.   (CWE-134). Use a constant for the format specification.
  354. ./dir.c:54:  [3] (buffer) getenv:
  355.   Environment variables are untrustable input if they can be set by an
  356.   attacker. They can have any content and length, and the same variable can
  357.   be set more than once (CWE-807, CWE-20). Check environment variables
  358.   carefully before using them.
  359. ./dir.c:982:  [3] (buffer) getenv:
  360.   Environment variables are untrustable input if they can be set by an
  361.   attacker. They can have any content and length, and the same variable can
  362.   be set more than once (CWE-807, CWE-20). Check environment variables
  363.   carefully before using them.
  364. ./dir.c:984:  [3] (buffer) getenv:
  365.   Environment variables are untrustable input if they can be set by an
  366.   attacker. They can have any content and length, and the same variable can
  367.   be set more than once (CWE-807, CWE-20). Check environment variables
  368.   carefully before using them.
  369. ./dir.c:1074:  [3] (misc) chroot:
  370.   chroot can be very helpful, but is hard to use correctly (CWE-250, CWE-22).
  371.   Make sure the program immediately chdir("/"), closes file descriptors, and
  372.   drops root privileges, and that all necessary files (and no more!) are in
  373.   the new root.
  374. ./dln.c:76:  [3] (buffer) getenv:
  375.   Environment variables are untrustable input if they can be set by an
  376.   attacker. They can have any content and length, and the same variable can
  377.   be set more than once (CWE-807, CWE-20). Check environment variables
  378.   carefully before using them.
  379. ./dln.c:945:  [3] (buffer) getenv:
  380.   Environment variables are untrustable input if they can be set by an
  381.   attacker. They can have any content and length, and the same variable can
  382.   be set more than once (CWE-807, CWE-20). Check environment variables
  383.   carefully before using them.
  384. ./dln_find.c:63:  [3] (buffer) getenv:
  385.   Environment variables are untrustable input if they can be set by an
  386.   attacker. They can have any content and length, and the same variable can
  387.   be set more than once (CWE-807, CWE-20). Check environment variables
  388.   carefully before using them.
  389. ./dln_find.c:76:  [3] (buffer) getenv:
  390.   Environment variables are untrustable input if they can be set by an
  391.   attacker. They can have any content and length, and the same variable can
  392.   be set more than once (CWE-807, CWE-20). Check environment variables
  393.   carefully before using them.
  394. ./dln_find.c:230:  [3] (buffer) getenv:
  395.   Environment variables are untrustable input if they can be set by an
  396.   attacker. They can have any content and length, and the same variable can
  397.   be set more than once (CWE-807, CWE-20). Check environment variables
  398.   carefully before using them.
  399. ./file.c:3247:  [3] (buffer) getenv:
  400.   Environment variables are untrustable input if they can be set by an
  401.   attacker. They can have any content and length, and the same variable can
  402.   be set more than once (CWE-807, CWE-20). Check environment variables
  403.   carefully before using them.
  404. ./gc.c:7093:  [3] (buffer) getenv:
  405.   Environment variables are untrustable input if they can be set by an
  406.   attacker. They can have any content and length, and the same variable can
  407.   be set more than once (CWE-807, CWE-20). Check environment variables
  408.   carefully before using them.
  409. ./gc.c:7151:  [3] (buffer) getenv:
  410.   Environment variables are untrustable input if they can be set by an
  411.   attacker. They can have any content and length, and the same variable can
  412.   be set more than once (CWE-807, CWE-20). Check environment variables
  413.   carefully before using them.
  414. ./hash.c:2704:  [3] (buffer) getenv:
  415.   Environment variables are untrustable input if they can be set by an
  416.   attacker. They can have any content and length, and the same variable can
  417.   be set more than once (CWE-807, CWE-20). Check environment variables
  418.   carefully before using them.
  419. ./hash.c:2716:  [3] (buffer) getenv:
  420.   Environment variables are untrustable input if they can be set by an
  421.   attacker. They can have any content and length, and the same variable can
  422.   be set more than once (CWE-807, CWE-20). Check environment variables
  423.   carefully before using them.
  424. ./hash.c:2813:  [3] (buffer) getenv:
  425.   Environment variables are untrustable input if they can be set by an
  426.   attacker. They can have any content and length, and the same variable can
  427.   be set more than once (CWE-807, CWE-20). Check environment variables
  428.   carefully before using them.
  429. ./hash.c:2861:  [3] (buffer) getenv:
  430.   Environment variables are untrustable input if they can be set by an
  431.   attacker. They can have any content and length, and the same variable can
  432.   be set more than once (CWE-807, CWE-20). Check environment variables
  433.   carefully before using them.
  434. ./hash.c:2899:  [3] (buffer) getenv:
  435.   Environment variables are untrustable input if they can be set by an
  436.   attacker. They can have any content and length, and the same variable can
  437.   be set more than once (CWE-807, CWE-20). Check environment variables
  438.   carefully before using them.
  439. ./hash.c:2931:  [3] (buffer) getenv:
  440.   Environment variables are untrustable input if they can be set by an
  441.   attacker. They can have any content and length, and the same variable can
  442.   be set more than once (CWE-807, CWE-20). Check environment variables
  443.   carefully before using them.
  444. ./hash.c:3646:  [3] (buffer) getenv:
  445.   Environment variables are untrustable input if they can be set by an
  446.   attacker. They can have any content and length, and the same variable can
  447.   be set more than once (CWE-807, CWE-20). Check environment variables
  448.   carefully before using them.
  449. ./hash.c:3663:  [3] (buffer) getenv:
  450.   Environment variables are untrustable input if they can be set by an
  451.   attacker. They can have any content and length, and the same variable can
  452.   be set more than once (CWE-807, CWE-20). Check environment variables
  453.   carefully before using them.
  454. ./hash.c:3835:  [3] (buffer) getenv:
  455.   Environment variables are untrustable input if they can be set by an
  456.   attacker. They can have any content and length, and the same variable can
  457.   be set more than once (CWE-807, CWE-20). Check environment variables
  458.   carefully before using them.
  459. ./main.c:26:  [3] (buffer) getenv:
  460.   Environment variables are untrustable input if they can be set by an
  461.   attacker. They can have any content and length, and the same variable can
  462.   be set more than once (CWE-807, CWE-20). Check environment variables
  463.   carefully before using them.
  464. ./ruby.c:50:  [3] (buffer) getenv:
  465.   Environment variables are untrustable input if they can be set by an
  466.   attacker. They can have any content and length, and the same variable can
  467.   be set more than once (CWE-807, CWE-20). Check environment variables
  468.   carefully before using them.
  469. ./ruby.c:520:  [3] (buffer) getenv:
  470.   Environment variables are untrustable input if they can be set by an
  471.   attacker. They can have any content and length, and the same variable can
  472.   be set more than once (CWE-807, CWE-20). Check environment variables
  473.   carefully before using them.
  474. ./ruby.c:1352:  [3] (buffer) getenv:
  475.   Environment variables are untrustable input if they can be set by an
  476.   attacker. They can have any content and length, and the same variable can
  477.   be set more than once (CWE-807, CWE-20). Check environment variables
  478.   carefully before using them.
  479. ./ruby.c:1390:  [3] (buffer) getenv:
  480.   Environment variables are untrustable input if they can be set by an
  481.   attacker. They can have any content and length, and the same variable can
  482.   be set more than once (CWE-807, CWE-20). Check environment variables
  483.   carefully before using them.
  484. ./ruby.c:1397:  [3] (buffer) getenv:
  485.   Environment variables are untrustable input if they can be set by an
  486.   attacker. They can have any content and length, and the same variable can
  487.   be set more than once (CWE-807, CWE-20). Check environment variables
  488.   carefully before using them.
  489. ./st.c:211:  [3] (buffer) getenv:
  490.   Environment variables are untrustable input if they can be set by an
  491.   attacker. They can have any content and length, and the same variable can
  492.   be set more than once (CWE-807, CWE-20). Check environment variables
  493.   carefully before using them.
  494. ./strftime.c:120:  [3] (buffer) getenv:
  495.   Environment variables are untrustable input if they can be set by an
  496.   attacker. They can have any content and length, and the same variable can
  497.   be set more than once (CWE-807, CWE-20). Check environment variables
  498.   carefully before using them.
  499. ./thread_win32.c:339:  [3] (misc) EnterCriticalSection:
  500.   On some versions of Windows, exceptions can be thrown in low-memory
  501.   situations. Use InitializeCriticalSectionAndSpinCount instead.
  502. ./thread_win32.c:383:  [3] (misc) InitializeCriticalSection:
  503.   Exceptions can be thrown in low-memory situations. Use
  504.   InitializeCriticalSectionAndSpinCount instead.
  505. ./util.c:529:  [3] (buffer) getwd:
  506.   This does not protect against buffer overflows by itself, so use with
  507.   caution (CWE-120, CWE-20). Use getcwd instead.
  508. ./vm.c:1932:  [3] (buffer) getenv:
  509.   Environment variables are untrustable input if they can be set by an
  510.   attacker. They can have any content and length, and the same variable can
  511.   be set more than once (CWE-807, CWE-20). Check environment variables
  512.   carefully before using them.
  513. ./vm_dump.c:597:  [3] (misc) LoadLibrary:
  514.   Ensure that the full path to the library is specified, or current directory
  515.   may be used (CWE-829, CWE-20). Use registry entry or GetWindowsDirectory to
  516.   find library path, if you aren't already.
  517. ./vm_method.c:1991:  [3] (buffer) getenv:
  518.   Environment variables are untrustable input if they can be set by an
  519.   attacker. They can have any content and length, and the same variable can
  520.   be set more than once (CWE-807, CWE-20). Check environment variables
  521.   carefully before using them.
  522. ./addr2line.c:122:  [2] (buffer) char:
  523.   Statically-sized arrays can be improperly restricted, leading to potential
  524.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  525.   functions that limit length, or ensure that the size is larger than the
  526.   maximum possible length.
  527. ./addr2line.c:480:  [2] (misc) open:
  528.   Check when opening files - can an attacker redirect it (via symlinks),
  529.   force the opening of special file type (e.g., device files), move things
  530.   around to create a race condition, control its ancestors, or change its
  531.   contents? (CWE-362).
  532. ./addr2line.c:688:  [2] (buffer) memcpy:
  533.   Does not check for buffer overflows when copying to destination (CWE-120).
  534.   Make sure destination can always hold the source data.
  535. ./addr2line.c:824:  [2] (buffer) char:
  536.   Statically-sized arrays can be improperly restricted, leading to potential
  537.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  538.   functions that limit length, or ensure that the size is larger than the
  539.   maximum possible length.
  540. ./addr2line.c:896:  [2] (buffer) char:
  541.   Statically-sized arrays can be improperly restricted, leading to potential
  542.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  543.   functions that limit length, or ensure that the size is larger than the
  544.   maximum possible length.
  545. ./bignum.c:730:  [2] (buffer) char:
  546.   Statically-sized arrays can be improperly restricted, leading to potential
  547.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  548.   functions that limit length, or ensure that the size is larger than the
  549.   maximum possible length.
  550. ./bignum.c:4565:  [2] (buffer) char:
  551.   Statically-sized arrays can be improperly restricted, leading to potential
  552.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  553.   functions that limit length, or ensure that the size is larger than the
  554.   maximum possible length.
  555. ./dir.c:1308:  [2] (misc) open:
  556.   Check when opening files - can an attacker redirect it (via symlinks),
  557.   force the opening of special file type (e.g., device files), move things
  558.   around to create a race condition, control its ancestors, or change its
  559.   contents? (CWE-362).
  560. ./dir.c:1394:  [2] (buffer) memcpy:
  561.   Does not check for buffer overflows when copying to destination (CWE-120).
  562.   Make sure destination can always hold the source data.
  563. ./dir.c:1444:  [2] (buffer) memcpy:
  564.   Does not check for buffer overflows when copying to destination (CWE-120).
  565.   Make sure destination can always hold the source data.
  566. ./dir.c:1448:  [2] (buffer) memcpy:
  567.   Does not check for buffer overflows when copying to destination (CWE-120).
  568.   Make sure destination can always hold the source data.
  569. ./dir.c:1480:  [2] (buffer) char:
  570.   Statically-sized arrays can be improperly restricted, leading to potential
  571.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  572.   functions that limit length, or ensure that the size is larger than the
  573.   maximum possible length.
  574. ./dir.c:1518:  [2] (buffer) memcpy:
  575.   Does not check for buffer overflows when copying to destination (CWE-120).
  576.   Make sure destination can always hold the source data.
  577. ./dir.c:1576:  [2] (buffer) memcpy:
  578.   Does not check for buffer overflows when copying to destination (CWE-120).
  579.   Make sure destination can always hold the source data.
  580. ./dir.c:1591:  [2] (buffer) memcpy:
  581.   Does not check for buffer overflows when copying to destination (CWE-120).
  582.   Make sure destination can always hold the source data.
  583. ./dir.c:1881:  [2] (buffer) memcpy:
  584.   Does not check for buffer overflows when copying to destination (CWE-120).
  585.   Make sure destination can always hold the source data.
  586. ./dir.c:2053:  [2] (buffer) memcpy:
  587.   Does not check for buffer overflows when copying to destination (CWE-120).
  588.   Make sure destination can always hold the source data.
  589. ./dir.c:2067:  [2] (buffer) memcpy:
  590.   Does not check for buffer overflows when copying to destination (CWE-120).
  591.   Make sure destination can always hold the source data.
  592. ./dln.c:137:  [2] (buffer) char:
  593.   Statically-sized arrays can be improperly restricted, leading to potential
  594.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  595.   functions that limit length, or ensure that the size is larger than the
  596.   maximum possible length.
  597. ./dln.c:147:  [2] (buffer) memcpy:
  598.   Does not check for buffer overflows when copying to destination (CWE-120).
  599.   Make sure destination can always hold the source data.
  600. ./dln.c:148:  [2] (buffer) memcpy:
  601.   Does not check for buffer overflows when copying to destination (CWE-120).
  602.   Make sure destination can always hold the source data.
  603. ./dln.c:353:  [2] (buffer) char:
  604.   Statically-sized arrays can be improperly restricted, leading to potential
  605.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  606.   functions that limit length, or ensure that the size is larger than the
  607.   maximum possible length.
  608. ./dln.c:361:  [2] (misc) open:
  609.   Check when opening files - can an attacker redirect it (via symlinks),
  610.   force the opening of special file type (e.g., device files), move things
  611.   around to create a race condition, control its ancestors, or change its
  612.   contents? (CWE-362).
  613. ./dln.c:375:  [2] (buffer) char:
  614.   Statically-sized arrays can be improperly restricted, leading to potential
  615.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  616.   functions that limit length, or ensure that the size is larger than the
  617.   maximum possible length.
  618. ./dln.c:916:  [2] (buffer) char:
  619.   Statically-sized arrays can be improperly restricted, leading to potential
  620.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  621.   functions that limit length, or ensure that the size is larger than the
  622.   maximum possible length.
  623. ./dln.c:918:  [2] (buffer) char:
  624.   Statically-sized arrays can be improperly restricted, leading to potential
  625.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  626.   functions that limit length, or ensure that the size is larger than the
  627.   maximum possible length.
  628. ./dln.c:951:  [2] (misc) open:
  629.   Check when opening files - can an attacker redirect it (via symlinks),
  630.   force the opening of special file type (e.g., device files), move things
  631.   around to create a race condition, control its ancestors, or change its
  632.   contents? (CWE-362).
  633. ./dln.c:1067:  [2] (misc) open:
  634.   Check when opening files - can an attacker redirect it (via symlinks),
  635.   force the opening of special file type (e.g., device files), move things
  636.   around to create a race condition, control its ancestors, or change its
  637.   contents? (CWE-362).
  638. ./dln.c:1181:  [2] (buffer) char:
  639.   Statically-sized arrays can be improperly restricted, leading to potential
  640.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  641.   functions that limit length, or ensure that the size is larger than the
  642.   maximum possible length.
  643. ./dln.c:1260:  [2] (buffer) char:
  644.   Statically-sized arrays can be improperly restricted, leading to potential
  645.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  646.   functions that limit length, or ensure that the size is larger than the
  647.   maximum possible length.
  648. ./dln.c:1469:  [2] (buffer) char:
  649.   Statically-sized arrays can be improperly restricted, leading to potential
  650.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  651.   functions that limit length, or ensure that the size is larger than the
  652.   maximum possible length.
  653. ./dln_find.c:190:  [2] (buffer) memcpy:
  654.   Does not check for buffer overflows when copying to destination (CWE-120).
  655.   Make sure destination can always hold the source data.
  656. ./dln_find.c:236:  [2] (buffer) memcpy:
  657.   Does not check for buffer overflows when copying to destination (CWE-120).
  658.   Make sure destination can always hold the source data.
  659. ./dln_find.c:246:  [2] (buffer) memcpy:
  660.   Does not check for buffer overflows when copying to destination (CWE-120).
  661.   Make sure destination can always hold the source data.
  662. ./dln_find.c:263:  [2] (buffer) memcpy:
  663.   Does not check for buffer overflows when copying to destination (CWE-120).
  664.   Make sure destination can always hold the source data.
  665. ./enum.c:1213:  [2] (buffer) memcpy:
  666.   Does not check for buffer overflows when copying to destination (CWE-120).
  667.   Make sure destination can always hold the source data.
  668. ./enum.c:1214:  [2] (buffer) memcpy:
  669.   Does not check for buffer overflows when copying to destination (CWE-120).
  670.   Make sure destination can always hold the source data.
  671. ./enum.c:1215:  [2] (buffer) memcpy:
  672.   Does not check for buffer overflows when copying to destination (CWE-120).
  673.   Make sure destination can always hold the source data.
  674. ./error.c:331:  [2] (buffer) char:
  675.   Statically-sized arrays can be improperly restricted, leading to potential
  676.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  677.   functions that limit length, or ensure that the size is larger than the
  678.   maximum possible length.
  679. ./error.c:345:  [2] (buffer) char:
  680.   Statically-sized arrays can be improperly restricted, leading to potential
  681.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  682.   functions that limit length, or ensure that the size is larger than the
  683.   maximum possible length.
  684. ./error.c:1388:  [2] (buffer) char:
  685.   Statically-sized arrays can be improperly restricted, leading to potential
  686.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  687.   functions that limit length, or ensure that the size is larger than the
  688.   maximum possible length.
  689. ./file.c:1060:  [2] (buffer) MultiByteToWideChar:
  690.   Requires maximum length in CHARACTERS, not bytes (CWE-120).
  691. ./file.c:1062:  [2] (buffer) MultiByteToWideChar:
  692.   Requires maximum length in CHARACTERS, not bytes (CWE-120).
  693. ./file.c:3001:  [2] (buffer) char:
  694.   Statically-sized arrays can be improperly restricted, leading to potential
  695.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  696.   functions that limit length, or ensure that the size is larger than the
  697.   maximum possible length.
  698. ./file.c:3192:  [2] (buffer) memcpy:
  699.   Does not check for buffer overflows when copying to destination (CWE-120).
  700.   Make sure destination can always hold the source data.
  701. ./file.c:3214:  [2] (buffer) memcpy:
  702.   Does not check for buffer overflows when copying to destination (CWE-120).
  703.   Make sure destination can always hold the source data.
  704. ./file.c:3273:  [2] (buffer) memcpy:
  705.   Does not check for buffer overflows when copying to destination (CWE-120).
  706.   Make sure destination can always hold the source data.
  707. ./file.c:3310:  [2] (buffer) memcpy:
  708.   Does not check for buffer overflows when copying to destination (CWE-120).
  709.   Make sure destination can always hold the source data.
  710. ./file.c:3337:  [2] (buffer) memcpy:
  711.   Does not check for buffer overflows when copying to destination (CWE-120).
  712.   Make sure destination can always hold the source data.
  713. ./file.c:3532:  [2] (buffer) char:
  714.   Statically-sized arrays can be improperly restricted, leading to potential
  715.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  716.   functions that limit length, or ensure that the size is larger than the
  717.   maximum possible length.
  718. ./file.c:3581:  [2] (buffer) MultiByteToWideChar:
  719.   Requires maximum length in CHARACTERS, not bytes (CWE-120).
  720. ./file.c:3583:  [2] (buffer) MultiByteToWideChar:
  721.   Requires maximum length in CHARACTERS, not bytes (CWE-120).
  722. ./file.c:3609:  [2] (buffer) memcpy:
  723.   Does not check for buffer overflows when copying to destination (CWE-120).
  724.   Make sure destination can always hold the source data.
  725. ./gc.c:3257:  [2] (buffer) memcpy:
  726.   Does not check for buffer overflows when copying to destination (CWE-120).
  727.   Make sure destination can always hold the source data.
  728. ./gc.c:4510:  [2] (buffer) char:
  729.   Statically-sized arrays can be improperly restricted, leading to potential
  730.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  731.   functions that limit length, or ensure that the size is larger than the
  732.   maximum possible length.
  733. ./gc.c:5412:  [2] (buffer) char:
  734.   Statically-sized arrays can be improperly restricted, leading to potential
  735.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  736.   functions that limit length, or ensure that the size is larger than the
  737.   maximum possible length.
  738. ./gc.c:5777:  [2] (buffer) char:
  739.   Statically-sized arrays can be improperly restricted, leading to potential
  740.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  741.   functions that limit length, or ensure that the size is larger than the
  742.   maximum possible length.
  743. ./gc.c:6237:  [2] (buffer) char:
  744.   Statically-sized arrays can be improperly restricted, leading to potential
  745.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  746.   functions that limit length, or ensure that the size is larger than the
  747.   maximum possible length.
  748. ./gc.c:6247:  [2] (buffer) char:
  749.   Statically-sized arrays can be improperly restricted, leading to potential
  750.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  751.   functions that limit length, or ensure that the size is larger than the
  752.   maximum possible length.
  753. ./gc.c:6259:  [2] (buffer) char:
  754.   Statically-sized arrays can be improperly restricted, leading to potential
  755.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  756.   functions that limit length, or ensure that the size is larger than the
  757.   maximum possible length.
  758. ./gc.c:8258:  [2] (buffer) memcpy:
  759.   Does not check for buffer overflows when copying to destination (CWE-120).
  760.   Make sure destination can always hold the source data.
  761. ./gc.c:8621:  [2] (buffer) char:
  762.   Statically-sized arrays can be improperly restricted, leading to potential
  763.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  764.   functions that limit length, or ensure that the size is larger than the
  765.   maximum possible length.
  766. ./gc.c:9019:  [2] (buffer) char:
  767.   Statically-sized arrays can be improperly restricted, leading to potential
  768.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  769.   functions that limit length, or ensure that the size is larger than the
  770.   maximum possible length.
  771. ./io.c:151:  [2] (misc) open:
  772.   Check when opening files - can an attacker redirect it (via symlinks),
  773.   force the opening of special file type (e.g., device files), move things
  774.   around to create a race condition, control its ancestors, or change its
  775.   contents? (CWE-362).
  776. ./io.c:152:  [2] (misc) open:
  777.   Check when opening files - can an attacker redirect it (via symlinks),
  778.   force the opening of special file type (e.g., device files), move things
  779.   around to create a race condition, control its ancestors, or change its
  780.   contents? (CWE-362).
  781. ./io.c:280:  [2] (misc) open:
  782.   Check when opening files - can an attacker redirect it (via symlinks),
  783.   force the opening of special file type (e.g., device files), move things
  784.   around to create a race condition, control its ancestors, or change its
  785.   contents? (CWE-362).
  786. ./io.c:3042:  [2] (buffer) char:
  787.   Statically-sized arrays can be improperly restricted, leading to potential
  788.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  789.   functions that limit length, or ensure that the size is larger than the
  790.   maximum possible length.
  791. ./io.c:3779:  [2] (buffer) char:
  792.   Statically-sized arrays can be improperly restricted, leading to potential
  793.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  794.   functions that limit length, or ensure that the size is larger than the
  795.   maximum possible length.
  796. ./io.c:4151:  [2] (buffer) char:
  797.   Statically-sized arrays can be improperly restricted, leading to potential
  798.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  799.   functions that limit length, or ensure that the size is larger than the
  800.   maximum possible length.
  801. ./io.c:5130:  [2] (buffer) char:
  802.   Statically-sized arrays can be improperly restricted, leading to potential
  803.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  804.   functions that limit length, or ensure that the size is larger than the
  805.   maximum possible length.
  806. ./io.c:5148:  [2] (buffer) memcpy:
  807.   Does not check for buffer overflows when copying to destination (CWE-120).
  808.   Make sure destination can always hold the source data.
  809. ./io.c:5160:  [2] (buffer) memcpy:
  810.   Does not check for buffer overflows when copying to destination (CWE-120).
  811.   Make sure destination can always hold the source data.
  812. ./io.c:5860:  [2] (buffer) char:
  813.   Statically-sized arrays can be improperly restricted, leading to potential
  814.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  815.   functions that limit length, or ensure that the size is larger than the
  816.   maximum possible length.
  817. ./io.c:5953:  [2] (buffer) char:
  818.   Statically-sized arrays can be improperly restricted, leading to potential
  819.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  820.   functions that limit length, or ensure that the size is larger than the
  821.   maximum possible length.
  822. ./io.c:10480:  [2] (buffer) char:
  823.   Statically-sized arrays can be improperly restricted, leading to potential
  824.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  825.   functions that limit length, or ensure that the size is larger than the
  826.   maximum possible length.
  827. ./iseq.c:1498:  [2] (buffer) char:
  828.   Statically-sized arrays can be improperly restricted, leading to potential
  829.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  830.   functions that limit length, or ensure that the size is larger than the
  831.   maximum possible length.
  832. ./iseq.c:1499:  [2] (buffer) char:
  833.   Statically-sized arrays can be improperly restricted, leading to potential
  834.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  835.   functions that limit length, or ensure that the size is larger than the
  836.   maximum possible length.
  837. ./loadpath.c:41:  [2] (buffer) char:
  838.   Statically-sized arrays can be improperly restricted, leading to potential
  839.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  840.   functions that limit length, or ensure that the size is larger than the
  841.   maximum possible length.
  842. ./localeinit.c:33:  [2] (buffer) char:
  843.   Statically-sized arrays can be improperly restricted, leading to potential
  844.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  845.   functions that limit length, or ensure that the size is larger than the
  846.   maximum possible length.
  847. ./localeinit.c:104:  [2] (buffer) char:
  848.   Statically-sized arrays can be improperly restricted, leading to potential
  849.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  850.   functions that limit length, or ensure that the size is larger than the
  851.   maximum possible length.
  852. ./marshal.c:287:  [2] (buffer) char:
  853.   Statically-sized arrays can be improperly restricted, leading to potential
  854.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  855.   functions that limit length, or ensure that the size is larger than the
  856.   maximum possible length.
  857. ./marshal.c:381:  [2] (buffer) char:
  858.   Statically-sized arrays can be improperly restricted, leading to potential
  859.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  860.   functions that limit length, or ensure that the size is larger than the
  861.   maximum possible length.
  862. ./marshal.c:402:  [2] (buffer) memcpy:
  863.   Does not check for buffer overflows when copying to destination (CWE-120).
  864.   Make sure destination can always hold the source data.
  865. ./marshal.c:407:  [2] (buffer) memcpy:
  866.   Does not check for buffer overflows when copying to destination (CWE-120).
  867.   Make sure destination can always hold the source data.
  868. ./marshal.c:411:  [2] (buffer) memcpy:
  869.   Does not check for buffer overflows when copying to destination (CWE-120).
  870.   Make sure destination can always hold the source data.
  871. ./marshal.c:422:  [2] (buffer) memcpy:
  872.   Does not check for buffer overflows when copying to destination (CWE-120).
  873.   Make sure destination can always hold the source data.
  874. ./marshal.c:1141:  [2] (buffer) memcpy:
  875.   Does not check for buffer overflows when copying to destination (CWE-120).
  876.   Make sure destination can always hold the source data.
  877. ./marshal.c:1270:  [2] (buffer) memcpy:
  878.   Does not check for buffer overflows when copying to destination (CWE-120).
  879.   Make sure destination can always hold the source data.
  880. ./marshal.c:1313:  [2] (buffer) char:
  881.   Statically-sized arrays can be improperly restricted, leading to potential
  882.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  883.   functions that limit length, or ensure that the size is larger than the
  884.   maximum possible length.
  885. ./node.c:504:  [2] (buffer) char:
  886.   Statically-sized arrays can be improperly restricted, leading to potential
  887.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  888.   functions that limit length, or ensure that the size is larger than the
  889.   maximum possible length.
  890. ./numeric.c:728:  [2] (buffer) char:
  891.   Statically-sized arrays can be improperly restricted, leading to potential
  892.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  893.   functions that limit length, or ensure that the size is larger than the
  894.   maximum possible length.
  895. ./numeric.c:742:  [2] (buffer) memcpy:
  896.   Does not check for buffer overflows when copying to destination (CWE-120).
  897.   Make sure destination can always hold the source data.
  898. ./numeric.c:760:  [2] (buffer) memcpy:
  899.   Does not check for buffer overflows when copying to destination (CWE-120).
  900.   Make sure destination can always hold the source data.
  901. ./numeric.c:773:  [2] (buffer) memcpy:
  902.   Does not check for buffer overflows when copying to destination (CWE-120).
  903.   Make sure destination can always hold the source data.
  904. ./numeric.c:2240:  [2] (buffer) char:
  905.   Statically-sized arrays can be improperly restricted, leading to potential
  906.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  907.   functions that limit length, or ensure that the size is larger than the
  908.   maximum possible length.
  909. ./numeric.c:2241:  [2] (buffer) char:
  910.   Statically-sized arrays can be improperly restricted, leading to potential
  911.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  912.   functions that limit length, or ensure that the size is larger than the
  913.   maximum possible length.
  914. ./numeric.c:2252:  [2] (buffer) char:
  915.   Statically-sized arrays can be improperly restricted, leading to potential
  916.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  917.   functions that limit length, or ensure that the size is larger than the
  918.   maximum possible length.
  919. ./numeric.c:2863:  [2] (buffer) char:
  920.   Statically-sized arrays can be improperly restricted, leading to potential
  921.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  922.   functions that limit length, or ensure that the size is larger than the
  923.   maximum possible length.
  924. ./object.c:2564:  [2] (buffer) char:
  925.   Statically-sized arrays can be improperly restricted, leading to potential
  926.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  927.   functions that limit length, or ensure that the size is larger than the
  928.   maximum possible length.
  929. ./object.c:2829:  [2] (buffer) char:
  930.   Statically-sized arrays can be improperly restricted, leading to potential
  931.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  932.   functions that limit length, or ensure that the size is larger than the
  933.   maximum possible length.
  934. ./pack.c:112:  [2] (buffer) memcpy:
  935.   Does not check for buffer overflows when copying to destination (CWE-120).
  936.   Make sure destination can always hold the source data.
  937. ./pack.c:116:  [2] (buffer) memcpy:
  938.   Does not check for buffer overflows when copying to destination (CWE-120).
  939.   Make sure destination can always hold the source data.
  940. ./pack.c:136:  [2] (buffer) memcpy:
  941.   Does not check for buffer overflows when copying to destination (CWE-120).
  942.   Make sure destination can always hold the source data.
  943. ./pack.c:138:  [2] (buffer) memcpy:
  944.   Does not check for buffer overflows when copying to destination (CWE-120).
  945.   Make sure destination can always hold the source data.
  946. ./pack.c:140:  [2] (buffer) memcpy:
  947.   Does not check for buffer overflows when copying to destination (CWE-120).
  948.   Make sure destination can always hold the source data.
  949. ./pack.c:142:  [2] (buffer) memcpy:
  950.   Does not check for buffer overflows when copying to destination (CWE-120).
  951.   Make sure destination can always hold the source data.
  952. ./pack.c:144:  [2] (buffer) memcpy:
  953.   Does not check for buffer overflows when copying to destination (CWE-120).
  954.   Make sure destination can always hold the source data.
  955. ./pack.c:146:  [2] (buffer) memcpy:
  956.   Does not check for buffer overflows when copying to destination (CWE-120).
  957.   Make sure destination can always hold the source data.
  958. ./pack.c:148:  [2] (buffer) memcpy:
  959.   Does not check for buffer overflows when copying to destination (CWE-120).
  960.   Make sure destination can always hold the source data.
  961. ./pack.c:150:  [2] (buffer) memcpy:
  962.   Does not check for buffer overflows when copying to destination (CWE-120).
  963.   Make sure destination can always hold the source data.
  964. ./pack.c:162:  [2] (buffer) memcpy:
  965.   Does not check for buffer overflows when copying to destination (CWE-120).
  966.   Make sure destination can always hold the source data.
  967. ./pack.c:164:  [2] (buffer) memcpy:
  968.   Does not check for buffer overflows when copying to destination (CWE-120).
  969.   Make sure destination can always hold the source data.
  970. ./pack.c:166:  [2] (buffer) memcpy:
  971.   Does not check for buffer overflows when copying to destination (CWE-120).
  972.   Make sure destination can always hold the source data.
  973. ./pack.c:168:  [2] (buffer) memcpy:
  974.   Does not check for buffer overflows when copying to destination (CWE-120).
  975.   Make sure destination can always hold the source data.
  976. ./pack.c:170:  [2] (buffer) memcpy:
  977.   Does not check for buffer overflows when copying to destination (CWE-120).
  978.   Make sure destination can always hold the source data.
  979. ./pack.c:172:  [2] (buffer) memcpy:
  980.   Does not check for buffer overflows when copying to destination (CWE-120).
  981.   Make sure destination can always hold the source data.
  982. ./pack.c:174:  [2] (buffer) memcpy:
  983.   Does not check for buffer overflows when copying to destination (CWE-120).
  984.   Make sure destination can always hold the source data.
  985. ./pack.c:176:  [2] (buffer) memcpy:
  986.   Does not check for buffer overflows when copying to destination (CWE-120).
  987.   Make sure destination can always hold the source data.
  988. ./pack.c:710:  [2] (buffer) char:
  989.   Statically-sized arrays can be improperly restricted, leading to potential
  990.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  991.   functions that limit length, or ensure that the size is larger than the
  992.   maximum possible length.
  993. ./pack.c:821:  [2] (buffer) char:
  994.   Statically-sized arrays can be improperly restricted, leading to potential
  995.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  996.   functions that limit length, or ensure that the size is larger than the
  997.   maximum possible length.
  998. ./pack.c:936:  [2] (buffer) char:
  999.   Statically-sized arrays can be improperly restricted, leading to potential
  1000.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1001.   functions that limit length, or ensure that the size is larger than the
  1002.   maximum possible length.
  1003. ./pack.c:978:  [2] (buffer) char:
  1004.   Statically-sized arrays can be improperly restricted, leading to potential
  1005.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1006.   functions that limit length, or ensure that the size is larger than the
  1007.   maximum possible length.
  1008. ./pack.c:1028:  [2] (buffer) char:
  1009.   Statically-sized arrays can be improperly restricted, leading to potential
  1010.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1011.   functions that limit length, or ensure that the size is larger than the
  1012.   maximum possible length.
  1013. ./pack.c:1563:  [2] (buffer) memcpy:
  1014.   Does not check for buffer overflows when copying to destination (CWE-120).
  1015.   Make sure destination can always hold the source data.
  1016. ./pack.c:1576:  [2] (buffer) memcpy:
  1017.   Does not check for buffer overflows when copying to destination (CWE-120).
  1018.   Make sure destination can always hold the source data.
  1019. ./pack.c:1590:  [2] (buffer) memcpy:
  1020.   Does not check for buffer overflows when copying to destination (CWE-120).
  1021.   Make sure destination can always hold the source data.
  1022. ./pack.c:1603:  [2] (buffer) memcpy:
  1023.   Does not check for buffer overflows when copying to destination (CWE-120).
  1024.   Make sure destination can always hold the source data.
  1025. ./pack.c:1616:  [2] (buffer) memcpy:
  1026.   Does not check for buffer overflows when copying to destination (CWE-120).
  1027.   Make sure destination can always hold the source data.
  1028. ./pack.c:1630:  [2] (buffer) memcpy:
  1029.   Does not check for buffer overflows when copying to destination (CWE-120).
  1030.   Make sure destination can always hold the source data.
  1031. ./pack.c:1658:  [2] (buffer) char:
  1032.   Statically-sized arrays can be improperly restricted, leading to potential
  1033.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1034.   functions that limit length, or ensure that the size is larger than the
  1035.   maximum possible length.
  1036. ./pack.c:1690:  [2] (buffer) memcpy:
  1037.   Does not check for buffer overflows when copying to destination (CWE-120).
  1038.   Make sure destination can always hold the source data.
  1039. ./pack.c:1710:  [2] (buffer) char:
  1040.   Statically-sized arrays can be improperly restricted, leading to potential
  1041.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1042.   functions that limit length, or ensure that the size is larger than the
  1043.   maximum possible length.
  1044. ./pack.c:1840:  [2] (buffer) memcpy:
  1045.   Does not check for buffer overflows when copying to destination (CWE-120).
  1046.   Make sure destination can always hold the source data.
  1047. ./pack.c:1883:  [2] (buffer) memcpy:
  1048.   Does not check for buffer overflows when copying to destination (CWE-120).
  1049.   Make sure destination can always hold the source data.
  1050. ./pack.c:1939:  [2] (buffer) char:
  1051.   Statically-sized arrays can be improperly restricted, leading to potential
  1052.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1053.   functions that limit length, or ensure that the size is larger than the
  1054.   maximum possible length.
  1055. ./proc.c:2524:  [2] (buffer) memcpy:
  1056.   Does not check for buffer overflows when copying to destination (CWE-120).
  1057.   Make sure destination can always hold the source data.
  1058. ./process.c:102:  [2] (misc) open:
  1059.   Check when opening files - can an attacker redirect it (via symlinks),
  1060.   force the opening of special file type (e.g., device files), move things
  1061.   around to create a race condition, control its ancestors, or change its
  1062.   contents? (CWE-362).
  1063. ./process.c:103:  [2] (misc) open:
  1064.   Check when opening files - can an attacker redirect it (via symlinks),
  1065.   force the opening of special file type (e.g., device files), move things
  1066.   around to create a race condition, control its ancestors, or change its
  1067.   contents? (CWE-362).
  1068. ./process.c:320:  [2] (misc) fopen:
  1069.   Check when opening files - can an attacker redirect it (via symlinks),
  1070.   force the opening of special file type (e.g., device files), move things
  1071.   around to create a race condition, control its ancestors, or change its
  1072.   contents? (CWE-362).
  1073. ./process.c:322:  [2] (misc) fopen:
  1074.   Check when opening files - can an attacker redirect it (via symlinks),
  1075.   force the opening of special file type (e.g., device files), move things
  1076.   around to create a race condition, control its ancestors, or change its
  1077.   contents? (CWE-362).
  1078. ./process.c:1332:  [2] (buffer) char:
  1079.   Statically-sized arrays can be improperly restricted, leading to potential
  1080.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1081.   functions that limit length, or ensure that the size is larger than the
  1082.   maximum possible length.
  1083. ./process.c:1434:  [2] (buffer) char:
  1084.   Statically-sized arrays can be improperly restricted, leading to potential
  1085.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1086.   functions that limit length, or ensure that the size is larger than the
  1087.   maximum possible length.
  1088. ./process.c:1482:  [2] (buffer) char:
  1089.   Statically-sized arrays can be improperly restricted, leading to potential
  1090.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1091.   functions that limit length, or ensure that the size is larger than the
  1092.   maximum possible length.
  1093. ./process.c:2071:  [2] (buffer) char:
  1094.   Statically-sized arrays can be improperly restricted, leading to potential
  1095.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1096.   functions that limit length, or ensure that the size is larger than the
  1097.   maximum possible length.
  1098. ./process.c:2080:  [2] (buffer) char:
  1099.   Statically-sized arrays can be improperly restricted, leading to potential
  1100.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1101.   functions that limit length, or ensure that the size is larger than the
  1102.   maximum possible length.
  1103. ./process.c:2597:  [2] (buffer) char:
  1104.   Statically-sized arrays can be improperly restricted, leading to potential
  1105.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1106.   functions that limit length, or ensure that the size is larger than the
  1107.   maximum possible length.
  1108. ./process.c:3609:  [2] (race) vfork:
  1109.   On some old systems, vfork() permits race conditions, and it's very
  1110.   difficult to use correctly (CWE-362). Use fork() instead.
  1111. ./process.c:4368:  [2] (buffer) char:
  1112.   Statically-sized arrays can be improperly restricted, leading to potential
  1113.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1114.   functions that limit length, or ensure that the size is larger than the
  1115.   maximum possible length.
  1116. ./re.c:21:  [2] (buffer) char:
  1117.   Statically-sized arrays can be improperly restricted, leading to potential
  1118.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1119.   functions that limit length, or ensure that the size is larger than the
  1120.   maximum possible length.
  1121. ./re.c:320:  [2] (buffer) char:
  1122.   Statically-sized arrays can be improperly restricted, leading to potential
  1123.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1124.   functions that limit length, or ensure that the size is larger than the
  1125.   maximum possible length.
  1126. ./re.c:321:  [2] (buffer) char:
  1127.   Statically-sized arrays can be improperly restricted, leading to potential
  1128.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1129.   functions that limit length, or ensure that the size is larger than the
  1130.   maximum possible length.
  1131. ./re.c:440:  [2] (buffer) char:
  1132.   Statically-sized arrays can be improperly restricted, leading to potential
  1133.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1134.   functions that limit length, or ensure that the size is larger than the
  1135.   maximum possible length.
  1136. ./re.c:471:  [2] (buffer) char:
  1137.   Statically-sized arrays can be improperly restricted, leading to potential
  1138.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1139.   functions that limit length, or ensure that the size is larger than the
  1140.   maximum possible length.
  1141. ./re.c:558:  [2] (buffer) char:
  1142.   Statically-sized arrays can be improperly restricted, leading to potential
  1143.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1144.   functions that limit length, or ensure that the size is larger than the
  1145.   maximum possible length.
  1146. ./re.c:648:  [2] (buffer) memcpy:
  1147.   Does not check for buffer overflows when copying to destination (CWE-120).
  1148.   Make sure destination can always hold the source data.
  1149. ./re.c:671:  [2] (buffer) char:
  1150.   Statically-sized arrays can be improperly restricted, leading to potential
  1151.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1152.   functions that limit length, or ensure that the size is larger than the
  1153.   maximum possible length.
  1154. ./re.c:1997:  [2] (buffer) char:
  1155.   Statically-sized arrays can be improperly restricted, leading to potential
  1156.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1157.   functions that limit length, or ensure that the size is larger than the
  1158.   maximum possible length.
  1159. ./re.c:2166:  [2] (buffer) char:
  1160.   Statically-sized arrays can be improperly restricted, leading to potential
  1161.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1162.   functions that limit length, or ensure that the size is larger than the
  1163.   maximum possible length.
  1164. ./re.c:2192:  [2] (buffer) char:
  1165.   Statically-sized arrays can be improperly restricted, leading to potential
  1166.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1167.   functions that limit length, or ensure that the size is larger than the
  1168.   maximum possible length.
  1169. ./re.c:2198:  [2] (buffer) char:
  1170.   Statically-sized arrays can be improperly restricted, leading to potential
  1171.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1172.   functions that limit length, or ensure that the size is larger than the
  1173.   maximum possible length.
  1174. ./re.c:2278:  [2] (buffer) char:
  1175.   Statically-sized arrays can be improperly restricted, leading to potential
  1176.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1177.   functions that limit length, or ensure that the size is larger than the
  1178.   maximum possible length.
  1179. ./re.c:3125:  [2] (buffer) memcpy:
  1180.   Does not check for buffer overflows when copying to destination (CWE-120).
  1181.   Make sure destination can always hold the source data.
  1182. ./regcomp.c:59:  [2] (buffer) char:
  1183.   Statically-sized arrays can be improperly restricted, leading to potential
  1184.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1185.   functions that limit length, or ensure that the size is larger than the
  1186.   maximum possible length.
  1187. ./regerror.c:194:  [2] (buffer) sprintf:
  1188.   Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  1189.   vsnprintf. Risk is low because the source has a constant maximum length.
  1190. ./regerror.c:199:  [2] (buffer) sprintf:
  1191.   Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  1192.   vsnprintf. Risk is low because the source has a constant maximum length.
  1193. ./regerror.c:340:  [2] (buffer) strcat:
  1194.   Does not check for buffer overflows when concatenating to destination
  1195.   (CWE-120). Consider using strcat_s, strncat, or strlcat (warning, strncat
  1196.   is easily misused). Risk is low because the source is a constant string.
  1197. ./ruby.c:245:  [2] (buffer) char:
  1198.   Statically-sized arrays can be improperly restricted, leading to potential
  1199.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1200.   functions that limit length, or ensure that the size is larger than the
  1201.   maximum possible length.
  1202. ./ruby.c:422:  [2] (buffer) char:
  1203.   Statically-sized arrays can be improperly restricted, leading to potential
  1204.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1205.   functions that limit length, or ensure that the size is larger than the
  1206.   maximum possible length.
  1207. ./ruby.c:667:  [2] (buffer) memcpy:
  1208.   Does not check for buffer overflows when copying to destination (CWE-120).
  1209.   Make sure destination can always hold the source data.
  1210. ./ruby.c:1338:  [2] (buffer) char:
  1211.   Statically-sized arrays can be improperly restricted, leading to potential
  1212.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1213.   functions that limit length, or ensure that the size is larger than the
  1214.   maximum possible length.
  1215. ./signal.c:219:  [2] (buffer) char:
  1216.   Statically-sized arrays can be improperly restricted, leading to potential
  1217.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1218.   functions that limit length, or ensure that the size is larger than the
  1219.   maximum possible length.
  1220. ./siphash.c:135:  [2] (buffer) char:
  1221.   Statically-sized arrays can be improperly restricted, leading to potential
  1222.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1223.   functions that limit length, or ensure that the size is larger than the
  1224.   maximum possible length.
  1225. ./siphash.c:232:  [2] (buffer) memcpy:
  1226.   Does not check for buffer overflows when copying to destination (CWE-120).
  1227.   Make sure destination can always hold the source data.
  1228. ./siphash.c:245:  [2] (buffer) memcpy:
  1229.   Does not check for buffer overflows when copying to destination (CWE-120).
  1230.   Make sure destination can always hold the source data.
  1231. ./sprintf.c:68:  [2] (buffer) memcpy:
  1232.   Does not check for buffer overflows when copying to destination (CWE-120).
  1233.   Make sure destination can always hold the source data.
  1234. ./sprintf.c:748:  [2] (buffer) memcpy:
  1235.   Does not check for buffer overflows when copying to destination (CWE-120).
  1236.   Make sure destination can always hold the source data.
  1237. ./sprintf.c:778:  [2] (buffer) char:
  1238.   Statically-sized arrays can be improperly restricted, leading to potential
  1239.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1240.   functions that limit length, or ensure that the size is larger than the
  1241.   maximum possible length.
  1242. ./sprintf.c:869:  [2] (buffer) char:
  1243.   Statically-sized arrays can be improperly restricted, leading to potential
  1244.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1245.   functions that limit length, or ensure that the size is larger than the
  1246.   maximum possible length.
  1247. ./sprintf.c:903:  [2] (buffer) char:
  1248.   Statically-sized arrays can be improperly restricted, leading to potential
  1249.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1250.   functions that limit length, or ensure that the size is larger than the
  1251.   maximum possible length.
  1252. ./sprintf.c:1074:  [2] (buffer) memcpy:
  1253.   Does not check for buffer overflows when copying to destination (CWE-120).
  1254.   Make sure destination can always hold the source data.
  1255. ./sprintf.c:1092:  [2] (buffer) memcpy:
  1256.   Does not check for buffer overflows when copying to destination (CWE-120).
  1257.   Make sure destination can always hold the source data.
  1258. ./sprintf.c:1097:  [2] (buffer) memcpy:
  1259.   Does not check for buffer overflows when copying to destination (CWE-120).
  1260.   Make sure destination can always hold the source data.
  1261. ./sprintf.c:1128:  [2] (buffer) char:
  1262.   Statically-sized arrays can be improperly restricted, leading to potential
  1263.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1264.   functions that limit length, or ensure that the size is larger than the
  1265.   maximum possible length.
  1266. ./sprintf.c:1155:  [2] (buffer) memcpy:
  1267.   Does not check for buffer overflows when copying to destination (CWE-120).
  1268.   Make sure destination can always hold the source data.
  1269. ./sprintf.c:1164:  [2] (buffer) memcpy:
  1270.   Does not check for buffer overflows when copying to destination (CWE-120).
  1271.   Make sure destination can always hold the source data.
  1272. ./st.c:187:  [2] (buffer) char:
  1273.   Statically-sized arrays can be improperly restricted, leading to potential
  1274.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1275.   functions that limit length, or ensure that the size is larger than the
  1276.   maximum possible length.
  1277. ./st.c:188:  [2] (misc) fopen:
  1278.   Check when opening files - can an attacker redirect it (via symlinks),
  1279.   force the opening of special file type (e.g., device files), move things
  1280.   around to create a race condition, control its ancestors, or change its
  1281.   contents? (CWE-362).
  1282. ./strftime.c:171:  [2] (buffer) char:
  1283.   Statically-sized arrays can be improperly restricted, leading to potential
  1284.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1285.   functions that limit length, or ensure that the size is larger than the
  1286.   maximum possible length.
  1287. ./strftime.c:802:  [2] (buffer) memcpy:
  1288.   Does not check for buffer overflows when copying to destination (CWE-120).
  1289.   Make sure destination can always hold the source data.
  1290. ./strftime.c:1142:  [2] (buffer) char:
  1291.   Statically-sized arrays can be improperly restricted, leading to potential
  1292.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1293.   functions that limit length, or ensure that the size is larger than the
  1294.   maximum possible length.
  1295. ./string.c:124:  [2] (buffer) memcpy:
  1296.   Does not check for buffer overflows when copying to destination (CWE-120).
  1297.   Make sure destination can always hold the source data.
  1298. ./string.c:656:  [2] (buffer) memcpy:
  1299.   Does not check for buffer overflows when copying to destination (CWE-120).
  1300.   Make sure destination can always hold the source data.
  1301. ./string.c:969:  [2] (buffer) memcpy:
  1302.   Does not check for buffer overflows when copying to destination (CWE-120).
  1303.   Make sure destination can always hold the source data.
  1304. ./string.c:1168:  [2] (buffer) memcpy:
  1305.   Does not check for buffer overflows when copying to destination (CWE-120).
  1306.   Make sure destination can always hold the source data.
  1307. ./string.c:1551:  [2] (buffer) memcpy:
  1308.   Does not check for buffer overflows when copying to destination (CWE-120).
  1309.   Make sure destination can always hold the source data.
  1310. ./string.c:1552:  [2] (buffer) memcpy:
  1311.   Does not check for buffer overflows when copying to destination (CWE-120).
  1312.   Make sure destination can always hold the source data.
  1313. ./string.c:1596:  [2] (buffer) memcpy:
  1314.   Does not check for buffer overflows when copying to destination (CWE-120).
  1315.   Make sure destination can always hold the source data.
  1316. ./string.c:1598:  [2] (buffer) memcpy:
  1317.   Does not check for buffer overflows when copying to destination (CWE-120).
  1318.   Make sure destination can always hold the source data.
  1319. ./string.c:1601:  [2] (buffer) memcpy:
  1320.   Does not check for buffer overflows when copying to destination (CWE-120).
  1321.   Make sure destination can always hold the source data.
  1322. ./string.c:1674:  [2] (buffer) memcpy:
  1323.   Does not check for buffer overflows when copying to destination (CWE-120).
  1324.   Make sure destination can always hold the source data.
  1325. ./string.c:1683:  [2] (buffer) memcpy:
  1326.   Does not check for buffer overflows when copying to destination (CWE-120).
  1327.   Make sure destination can always hold the source data.
  1328. ./string.c:2293:  [2] (buffer) memcpy:
  1329.   Does not check for buffer overflows when copying to destination (CWE-120).
  1330.   Make sure destination can always hold the source data.
  1331. ./string.c:2513:  [2] (buffer) char:
  1332.   Statically-sized arrays can be improperly restricted, leading to potential
  1333.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1334.   functions that limit length, or ensure that the size is larger than the
  1335.   maximum possible length.
  1336. ./string.c:2545:  [2] (buffer) memcpy:
  1337.   Does not check for buffer overflows when copying to destination (CWE-120).
  1338.   Make sure destination can always hold the source data.
  1339. ./string.c:3337:  [2] (buffer) char:
  1340.   Statically-sized arrays can be improperly restricted, leading to potential
  1341.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1342.   functions that limit length, or ensure that the size is larger than the
  1343.   maximum possible length.
  1344. ./string.c:3431:  [2] (buffer) char:
  1345.   Statically-sized arrays can be improperly restricted, leading to potential
  1346.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1347.   functions that limit length, or ensure that the size is larger than the
  1348.   maximum possible length.
  1349. ./string.c:3471:  [2] (buffer) char:
  1350.   Statically-sized arrays can be improperly restricted, leading to potential
  1351.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1352.   functions that limit length, or ensure that the size is larger than the
  1353.   maximum possible length.
  1354. ./string.c:4358:  [2] (buffer) memcpy:
  1355.   Does not check for buffer overflows when copying to destination (CWE-120).
  1356.   Make sure destination can always hold the source data.
  1357. ./string.c:4920:  [2] (buffer) memcpy:
  1358.   Does not check for buffer overflows when copying to destination (CWE-120).
  1359.   Make sure destination can always hold the source data.
  1360. ./string.c:4932:  [2] (buffer) memcpy:
  1361.   Does not check for buffer overflows when copying to destination (CWE-120).
  1362.   Make sure destination can always hold the source data.
  1363. ./string.c:5089:  [2] (buffer) char:
  1364.   Statically-sized arrays can be improperly restricted, leading to potential
  1365.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1366.   functions that limit length, or ensure that the size is larger than the
  1367.   maximum possible length.
  1368. ./string.c:5102:  [2] (buffer) char:
  1369.   Statically-sized arrays can be improperly restricted, leading to potential
  1370.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1371.   functions that limit length, or ensure that the size is larger than the
  1372.   maximum possible length.
  1373. ./string.c:5150:  [2] (buffer) char:
  1374.   Statically-sized arrays can be improperly restricted, leading to potential
  1375.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1376.   functions that limit length, or ensure that the size is larger than the
  1377.   maximum possible length.
  1378. ./string.c:6061:  [2] (buffer) char:
  1379.   Statically-sized arrays can be improperly restricted, leading to potential
  1380.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1381.   functions that limit length, or ensure that the size is larger than the
  1382.   maximum possible length.
  1383. ./string.c:6065:  [2] (buffer) char:
  1384.   Statically-sized arrays can be improperly restricted, leading to potential
  1385.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1386.   functions that limit length, or ensure that the size is larger than the
  1387.   maximum possible length.
  1388. ./string.c:6125:  [2] (buffer) char:
  1389.   Statically-sized arrays can be improperly restricted, leading to potential
  1390.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1391.   functions that limit length, or ensure that the size is larger than the
  1392.   maximum possible length.
  1393. ./string.c:6157:  [2] (buffer) char:
  1394.   Statically-sized arrays can be improperly restricted, leading to potential
  1395.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1396.   functions that limit length, or ensure that the size is larger than the
  1397.   maximum possible length.
  1398. ./string.c:6250:  [2] (buffer) char:
  1399.   Statically-sized arrays can be improperly restricted, leading to potential
  1400.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1401.   functions that limit length, or ensure that the size is larger than the
  1402.   maximum possible length.
  1403. ./string.c:6414:  [2] (buffer) char:
  1404.   Statically-sized arrays can be improperly restricted, leading to potential
  1405.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1406.   functions that limit length, or ensure that the size is larger than the
  1407.   maximum possible length.
  1408. ./string.c:6481:  [2] (buffer) char:
  1409.   Statically-sized arrays can be improperly restricted, leading to potential
  1410.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1411.   functions that limit length, or ensure that the size is larger than the
  1412.   maximum possible length.
  1413. ./string.c:7870:  [2] (buffer) char:
  1414.   Statically-sized arrays can be improperly restricted, leading to potential
  1415.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1416.   functions that limit length, or ensure that the size is larger than the
  1417.   maximum possible length.
  1418. ./string.c:8042:  [2] (buffer) memcpy:
  1419.   Does not check for buffer overflows when copying to destination (CWE-120).
  1420.   Make sure destination can always hold the source data.
  1421. ./string.c:8047:  [2] (buffer) memcpy:
  1422.   Does not check for buffer overflows when copying to destination (CWE-120).
  1423.   Make sure destination can always hold the source data.
  1424. ./string.c:8051:  [2] (buffer) memcpy:
  1425.   Does not check for buffer overflows when copying to destination (CWE-120).
  1426.   Make sure destination can always hold the source data.
  1427. ./string.c:8059:  [2] (buffer) memcpy:
  1428.   Does not check for buffer overflows when copying to destination (CWE-120).
  1429.   Make sure destination can always hold the source data.
  1430. ./string.c:8064:  [2] (buffer) memcpy:
  1431.   Does not check for buffer overflows when copying to destination (CWE-120).
  1432.   Make sure destination can always hold the source data.
  1433. ./string.c:8482:  [2] (buffer) char:
  1434.   Statically-sized arrays can be improperly restricted, leading to potential
  1435.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1436.   functions that limit length, or ensure that the size is larger than the
  1437.   maximum possible length.
  1438. ./string.c:8877:  [2] (buffer) memcpy:
  1439.   Does not check for buffer overflows when copying to destination (CWE-120).
  1440.   Make sure destination can always hold the source data.
  1441. ./symbol.c:56:  [2] (buffer) char:
  1442.   Statically-sized arrays can be improperly restricted, leading to potential
  1443.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1444.   functions that limit length, or ensure that the size is larger than the
  1445.   maximum possible length.
  1446. ./thread.c:314:  [2] (buffer) char:
  1447.   Statically-sized arrays can be improperly restricted, leading to potential
  1448.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1449.   functions that limit length, or ensure that the size is larger than the
  1450.   maximum possible length.
  1451. ./thread.c:3305:  [2] (buffer) memcpy:
  1452.   Does not check for buffer overflows when copying to destination (CWE-120).
  1453.   Make sure destination can always hold the source data.
  1454. ./thread.c:3368:  [2] (buffer) memcpy:
  1455.   Does not check for buffer overflows when copying to destination (CWE-120).
  1456.   Make sure destination can always hold the source data.
  1457. ./thread.c:3380:  [2] (buffer) memcpy:
  1458.   Does not check for buffer overflows when copying to destination (CWE-120).
  1459.   Make sure destination can always hold the source data.
  1460. ./thread_pthread.c:610:  [2] (buffer) char:
  1461.   Statically-sized arrays can be improperly restricted, leading to potential
  1462.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1463.   functions that limit length, or ensure that the size is larger than the
  1464.   maximum possible length.
  1465. ./thread_pthread.c:664:  [2] (buffer) char:
  1466.   Statically-sized arrays can be improperly restricted, leading to potential
  1467.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1468.   functions that limit length, or ensure that the size is larger than the
  1469.   maximum possible length.
  1470. ./thread_pthread.c:1292:  [2] (buffer) char:
  1471.   Statically-sized arrays can be improperly restricted, leading to potential
  1472.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1473.   functions that limit length, or ensure that the size is larger than the
  1474.   maximum possible length.
  1475. ./thread_pthread.c:1309:  [2] (buffer) char:
  1476.   Statically-sized arrays can be improperly restricted, leading to potential
  1477.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1478.   functions that limit length, or ensure that the size is larger than the
  1479.   maximum possible length.
  1480. ./thread_pthread.c:1354:  [2] (buffer) char:
  1481.   Statically-sized arrays can be improperly restricted, leading to potential
  1482.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1483.   functions that limit length, or ensure that the size is larger than the
  1484.   maximum possible length.
  1485. ./thread_pthread.c:1534:  [2] (buffer) char:
  1486.   Statically-sized arrays can be improperly restricted, leading to potential
  1487.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1488.   functions that limit length, or ensure that the size is larger than the
  1489.   maximum possible length.
  1490. ./thread_win32.c:202:  [2] (buffer) memcpy:
  1491.   Does not check for buffer overflows when copying to destination (CWE-120).
  1492.   Make sure destination can always hold the source data.
  1493. ./time.c:1652:  [2] (buffer) char:
  1494.   Statically-sized arrays can be improperly restricted, leading to potential
  1495.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1496.   functions that limit length, or ensure that the size is larger than the
  1497.   maximum possible length.
  1498. ./time.c:4369:  [2] (buffer) char:
  1499.   Statically-sized arrays can be improperly restricted, leading to potential
  1500.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1501.   functions that limit length, or ensure that the size is larger than the
  1502.   maximum possible length.
  1503. ./time.c:4572:  [2] (buffer) char:
  1504.   Statically-sized arrays can be improperly restricted, leading to potential
  1505.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1506.   functions that limit length, or ensure that the size is larger than the
  1507.   maximum possible length.
  1508. ./time.c:4625:  [2] (buffer) char:
  1509.   Statically-sized arrays can be improperly restricted, leading to potential
  1510.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1511.   functions that limit length, or ensure that the size is larger than the
  1512.   maximum possible length.
  1513. ./time.c:4696:  [2] (buffer) char:
  1514.   Statically-sized arrays can be improperly restricted, leading to potential
  1515.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1516.   functions that limit length, or ensure that the size is larger than the
  1517.   maximum possible length.
  1518. ./transcode.c:65:  [2] (buffer) char:
  1519.   Statically-sized arrays can be improperly restricted, leading to potential
  1520.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1521.   functions that limit length, or ensure that the size is larger than the
  1522.   maximum possible length.
  1523. ./transcode.c:72:  [2] (buffer) char:
  1524.   Statically-sized arrays can be improperly restricted, leading to potential
  1525.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1526.   functions that limit length, or ensure that the size is larger than the
  1527.   maximum possible length.
  1528. ./transcode.c:78:  [2] (buffer) char:
  1529.   Statically-sized arrays can be improperly restricted, leading to potential
  1530.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1531.   functions that limit length, or ensure that the size is larger than the
  1532.   maximum possible length.
  1533. ./transcode.c:373:  [2] (buffer) memcpy:
  1534.   Does not check for buffer overflows when copying to destination (CWE-120).
  1535.   Make sure destination can always hold the source data.
  1536. ./transcode.c:374:  [2] (buffer) memcpy:
  1537.   Does not check for buffer overflows when copying to destination (CWE-120).
  1538.   Make sure destination can always hold the source data.
  1539. ./transcode.c:1067:  [2] (buffer) char:
  1540.   Statically-sized arrays can be improperly restricted, leading to potential
  1541.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1542.   functions that limit length, or ensure that the size is larger than the
  1543.   maximum possible length.
  1544. ./transcode.c:1278:  [2] (buffer) memcpy:
  1545.   Does not check for buffer overflows when copying to destination (CWE-120).
  1546.   Make sure destination can always hold the source data.
  1547. ./transcode.c:1285:  [2] (buffer) memcpy:
  1548.   Does not check for buffer overflows when copying to destination (CWE-120).
  1549.   Make sure destination can always hold the source data.
  1550. ./transcode.c:1304:  [2] (buffer) memcpy:
  1551.   Does not check for buffer overflows when copying to destination (CWE-120).
  1552.   Make sure destination can always hold the source data.
  1553. ./transcode.c:1323:  [2] (buffer) memcpy:
  1554.   Does not check for buffer overflows when copying to destination (CWE-120).
  1555.   Make sure destination can always hold the source data.
  1556. ./transcode.c:1330:  [2] (buffer) memcpy:
  1557.   Does not check for buffer overflows when copying to destination (CWE-120).
  1558.   Make sure destination can always hold the source data.
  1559. ./transcode.c:1389:  [2] (buffer) char:
  1560.   Statically-sized arrays can be improperly restricted, leading to potential
  1561.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1562.   functions that limit length, or ensure that the size is larger than the
  1563.   maximum possible length.
  1564. ./transcode.c:1393:  [2] (buffer) char:
  1565.   Statically-sized arrays can be improperly restricted, leading to potential
  1566.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1567.   functions that limit length, or ensure that the size is larger than the
  1568.   maximum possible length.
  1569. ./transcode.c:1557:  [2] (buffer) memcpy:
  1570.   Does not check for buffer overflows when copying to destination (CWE-120).
  1571.   Make sure destination can always hold the source data.
  1572. ./transcode.c:1587:  [2] (buffer) char:
  1573.   Statically-sized arrays can be improperly restricted, leading to potential
  1574.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1575.   functions that limit length, or ensure that the size is larger than the
  1576.   maximum possible length.
  1577. ./transcode.c:1679:  [2] (buffer) memcpy:
  1578.   Does not check for buffer overflows when copying to destination (CWE-120).
  1579.   Make sure destination can always hold the source data.
  1580. ./transcode.c:1682:  [2] (buffer) memcpy:
  1581.   Does not check for buffer overflows when copying to destination (CWE-120).
  1582.   Make sure destination can always hold the source data.
  1583. ./transcode.c:1755:  [2] (buffer) memcpy:
  1584.   Does not check for buffer overflows when copying to destination (CWE-120).
  1585.   Make sure destination can always hold the source data.
  1586. ./transcode.c:3056:  [2] (buffer) char:
  1587.   Statically-sized arrays can be improperly restricted, leading to potential
  1588.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1589.   functions that limit length, or ensure that the size is larger than the
  1590.   maximum possible length.
  1591. ./util.c:493:  [2] (buffer) memcpy:
  1592.   Does not check for buffer overflows when copying to destination (CWE-120).
  1593.   Make sure destination can always hold the source data.
  1594. ./util.c:1086:  [2] (buffer) memcpy:
  1595.   Does not check for buffer overflows when copying to destination (CWE-120).
  1596.   Make sure destination can always hold the source data.
  1597. ./variable.c:627:  [2] (buffer) memcpy:
  1598.   Does not check for buffer overflows when copying to destination (CWE-120).
  1599.   Make sure destination can always hold the source data.
  1600. ./variable.c:905:  [2] (buffer) char:
  1601.   Statically-sized arrays can be improperly restricted, leading to potential
  1602.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1603.   functions that limit length, or ensure that the size is larger than the
  1604.   maximum possible length.
  1605. ./variable.c:1082:  [2] (buffer) memcpy:
  1606.   Does not check for buffer overflows when copying to destination (CWE-120).
  1607.   Make sure destination can always hold the source data.
  1608. ./vm.c:1933:  [2] (integer) atol:
  1609.   Unless checked, the resulting number can exceed the expected range
  1610.   (CWE-190). If source untrusted, check both minimum and maximum, even if the
  1611.   input had no minus sign (large numbers can roll over into negative number;
  1612.   consider saving to an unsigned value if that is intended).
  1613. ./vm.c:2995:  [2] (buffer) char:
  1614.   Statically-sized arrays can be improperly restricted, leading to potential
  1615.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1616.   functions that limit length, or ensure that the size is larger than the
  1617.   maximum possible length.
  1618. ./vm_dump.c:33:  [2] (buffer) char:
  1619.   Statically-sized arrays can be improperly restricted, leading to potential
  1620.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1621.   functions that limit length, or ensure that the size is larger than the
  1622.   maximum possible length.
  1623. ./vm_dump.c:458:  [2] (buffer) char:
  1624.   Statically-sized arrays can be improperly restricted, leading to potential
  1625.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1626.   functions that limit length, or ensure that the size is larger than the
  1627.   maximum possible length.
  1628. ./vm_dump.c:567:  [2] (buffer) char:
  1629.   Statically-sized arrays can be improperly restricted, leading to potential
  1630.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1631.   functions that limit length, or ensure that the size is larger than the
  1632.   maximum possible length.
  1633. ./vm_dump.c:618:  [2] (buffer) char:
  1634.   Statically-sized arrays can be improperly restricted, leading to potential
  1635.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1636.   functions that limit length, or ensure that the size is larger than the
  1637.   maximum possible length.
  1638. ./vm_dump.c:619:  [2] (buffer) char:
  1639.   Statically-sized arrays can be improperly restricted, leading to potential
  1640.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1641.   functions that limit length, or ensure that the size is larger than the
  1642.   maximum possible length.
  1643. ./vm_dump.c:819:  [2] (buffer) char:
  1644.   Statically-sized arrays can be improperly restricted, leading to potential
  1645.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1646.   functions that limit length, or ensure that the size is larger than the
  1647.   maximum possible length.
  1648. ./vm_dump.c:1062:  [2] (misc) fopen:
  1649.   Check when opening files - can an attacker redirect it (via symlinks),
  1650.   force the opening of special file type (e.g., device files), move things
  1651.   around to create a race condition, control its ancestors, or change its
  1652.   contents? (CWE-362).
  1653. ./vm_dump.c:1067:  [2] (buffer) char:
  1654.   Statically-sized arrays can be improperly restricted, leading to potential
  1655.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1656.   functions that limit length, or ensure that the size is larger than the
  1657.   maximum possible length.
  1658. ./vm_method.c:1994:  [2] (integer) atoi:
  1659.   Unless checked, the resulting number can exceed the expected range
  1660.   (CWE-190). If source untrusted, check both minimum and maximum, even if the
  1661.   input had no minus sign (large numbers can roll over into negative number;
  1662.   consider saving to an unsigned value if that is intended).
  1663. ./vsnprintf.c:253:  [2] (buffer) memcpy:
  1664.   Does not check for buffer overflows when copying to destination (CWE-120).
  1665.   Make sure destination can always hold the source data.
  1666. ./vsnprintf.c:556:  [2] (buffer) char:
  1667.   Statically-sized arrays can be improperly restricted, leading to potential
  1668.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1669.   functions that limit length, or ensure that the size is larger than the
  1670.   maximum possible length.
  1671. ./vsnprintf.c:571:  [2] (buffer) char:
  1672.   Statically-sized arrays can be improperly restricted, leading to potential
  1673.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1674.   functions that limit length, or ensure that the size is larger than the
  1675.   maximum possible length.
  1676. ./vsnprintf.c:572:  [2] (buffer) char:
  1677.   Statically-sized arrays can be improperly restricted, leading to potential
  1678.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1679.   functions that limit length, or ensure that the size is larger than the
  1680.   maximum possible length.
  1681. ./vsnprintf.c:584:  [2] (buffer) char:
  1682.   Statically-sized arrays can be improperly restricted, leading to potential
  1683.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1684.   functions that limit length, or ensure that the size is larger than the
  1685.   maximum possible length.
  1686. ./vsnprintf.c:586:  [2] (buffer) char:
  1687.   Statically-sized arrays can be improperly restricted, leading to potential
  1688.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1689.   functions that limit length, or ensure that the size is larger than the
  1690.   maximum possible length.
  1691. ./vsnprintf.c:1267:  [2] (buffer) memcpy:
  1692.   Does not check for buffer overflows when copying to destination (CWE-120).
  1693.   Make sure destination can always hold the source data.
  1694. ./vsnprintf.c:1289:  [2] (buffer) char:
  1695.   Statically-sized arrays can be improperly restricted, leading to potential
  1696.   overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  1697.   functions that limit length, or ensure that the size is larger than the
  1698.   maximum possible length.
  1699. ./addr2line.c:448:  [1] (buffer) strlen:
  1700.   Does not handle strings that are not \0-terminated; if given one it may
  1701.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  1702. ./addr2line.c:1077:  [1] (buffer) strlen:
  1703.   Does not handle strings that are not \0-terminated; if given one it may
  1704.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  1705. ./bignum.c:4067:  [1] (buffer) strlen:
  1706.   Does not handle strings that are not \0-terminated; if given one it may
  1707.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  1708. ./class.c:1722:  [1] (buffer) read:
  1709.   Check buffer boundaries if used in a loop including recursive loops
  1710.   (CWE-120, CWE-20).
  1711. ./class.c:1724:  [1] (buffer) read:
  1712.   Check buffer boundaries if used in a loop including recursive loops
  1713.   (CWE-120, CWE-20).
  1714. ./complex.c:1750:  [1] (buffer) strlen:
  1715.   Does not handle strings that are not \0-terminated; if given one it may
  1716.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  1717. ./complex.c:1751:  [1] (buffer) strlen:
  1718.   Does not handle strings that are not \0-terminated; if given one it may
  1719.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  1720. ./complex.c:1806:  [1] (buffer) strlen:
  1721.   Does not handle strings that are not \0-terminated; if given one it may
  1722.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  1723. ./dir.c:26:  [1] (buffer) strlen:
  1724.   Does not handle strings that are not \0-terminated; if given one it may
  1725.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  1726. ./dir.c:29:  [1] (buffer) strlen:
  1727.   Does not handle strings that are not \0-terminated; if given one it may
  1728.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  1729. ./dir.c:287:  [1] (buffer) strlen:
  1730.   Does not handle strings that are not \0-terminated; if given one it may
  1731.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  1732. ./dir.c:289:  [1] (buffer) strlen:
  1733.   Does not handle strings that are not \0-terminated; if given one it may
  1734.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  1735. ./dir.c:372:  [1] (buffer) strlen:
  1736.   Does not handle strings that are not \0-terminated; if given one it may
  1737.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  1738. ./dir.c:1229:  [1] (buffer) strlen:
  1739.   Does not handle strings that are not \0-terminated; if given one it may
  1740.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  1741. ./dir.c:1736:  [1] (buffer) strlen:
  1742.   Does not handle strings that are not \0-terminated; if given one it may
  1743.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  1744. ./dir.c:1875:  [1] (buffer) strlen:
  1745.   Does not handle strings that are not \0-terminated; if given one it may
  1746.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  1747. ./dir.c:1913:  [1] (buffer) strlen:
  1748.   Does not handle strings that are not \0-terminated; if given one it may
  1749.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  1750. ./dir.c:1940:  [1] (buffer) strlen:
  1751.   Does not handle strings that are not \0-terminated; if given one it may
  1752.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  1753. ./dir.c:1951:  [1] (buffer) strlen:
  1754.   Does not handle strings that are not \0-terminated; if given one it may
  1755.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  1756. ./dir.c:2017:  [1] (buffer) strlen:
  1757.   Does not handle strings that are not \0-terminated; if given one it may
  1758.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  1759. ./dir.c:2028:  [1] (buffer) strlen:
  1760.   Does not handle strings that are not \0-terminated; if given one it may
  1761.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  1762. ./dir.c:2048:  [1] (buffer) strlen:
  1763.   Does not handle strings that are not \0-terminated; if given one it may
  1764.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  1765. ./dir.c:2166:  [1] (buffer) strlen:
  1766.   Does not handle strings that are not \0-terminated; if given one it may
  1767.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  1768. ./dir.c:2170:  [1] (buffer) strlen:
  1769.   Does not handle strings that are not \0-terminated; if given one it may
  1770.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  1771. ./dir.c:2399:  [1] (buffer) strlen:
  1772.   Does not handle strings that are not \0-terminated; if given one it may
  1773.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  1774. ./dln.c:202:  [1] (buffer) read:
  1775.   Check buffer boundaries if used in a loop including recursive loops
  1776.   (CWE-120, CWE-20).
  1777. ./dln.c:280:  [1] (buffer) read:
  1778.   Check buffer boundaries if used in a loop including recursive loops
  1779.   (CWE-120, CWE-20).
  1780. ./dln.c:299:  [1] (buffer) read:
  1781.   Check buffer boundaries if used in a loop including recursive loops
  1782.   (CWE-120, CWE-20).
  1783. ./dln.c:310:  [1] (buffer) read:
  1784.   Check buffer boundaries if used in a loop including recursive loops
  1785.   (CWE-120, CWE-20).
  1786. ./dln.c:380:  [1] (buffer) read:
  1787.   Check buffer boundaries if used in a loop including recursive loops
  1788.   (CWE-120, CWE-20).
  1789. ./dln.c:385:  [1] (buffer) read:
  1790.   Check buffer boundaries if used in a loop including recursive loops
  1791.   (CWE-120, CWE-20).
  1792. ./dln.c:393:  [1] (buffer) read:
  1793.   Check buffer boundaries if used in a loop including recursive loops
  1794.   (CWE-120, CWE-20).
  1795. ./dln.c:401:  [1] (buffer) read:
  1796.   Check buffer boundaries if used in a loop including recursive loops
  1797.   (CWE-120, CWE-20).
  1798. ./dln.c:442:  [1] (buffer) read:
  1799.   Check buffer boundaries if used in a loop including recursive loops
  1800.   (CWE-120, CWE-20).
  1801. ./dln.c:850:  [1] (buffer) strlen:
  1802.   Does not handle strings that are not \0-terminated; if given one it may
  1803.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  1804. ./dln.c:935:  [1] (buffer) strlen:
  1805.   Does not handle strings that are not \0-terminated; if given one it may
  1806.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  1807. ./dln.c:937:  [1] (port) snprintf:
  1808.   On some very old systems, snprintf is incorrectly implemented and permits
  1809.   buffer overflows; there are also incompatible standard definitions of it.
  1810.   Check it during installation, or use something else.
  1811. ./dln.c:953:  [1] (buffer) read:
  1812.   Check buffer boundaries if used in a loop including recursive loops
  1813.   (CWE-120, CWE-20).
  1814. ./dln.c:960:  [1] (buffer) read:
  1815.   Check buffer boundaries if used in a loop including recursive loops
  1816.   (CWE-120, CWE-20).
  1817. ./dln.c:972:  [1] (buffer) read:
  1818.   Check buffer boundaries if used in a loop including recursive loops
  1819.   (CWE-120, CWE-20).
  1820. ./dln.c:1009:  [1] (buffer) read:
  1821.   Check buffer boundaries if used in a loop including recursive loops
  1822.   (CWE-120, CWE-20).
  1823. ./dln.c:1062:  [1] (buffer) strlen:
  1824.   Does not handle strings that are not \0-terminated; if given one it may
  1825.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  1826. ./dln.c:1131:  [1] (port) snprintf:
  1827.   On some very old systems, snprintf is incorrectly implemented and permits
  1828.   buffer overflows; there are also incompatible standard definitions of it.
  1829.   Check it during installation, or use something else.
  1830. ./dln.c:1184:  [1] (port) snprintf:
  1831.   On some very old systems, snprintf is incorrectly implemented and permits
  1832.   buffer overflows; there are also incompatible standard definitions of it.
  1833.   Check it during installation, or use something else.
  1834. ./dln.c:1239:  [1] (buffer) strlen:
  1835.   Does not handle strings that are not \0-terminated; if given one it may
  1836.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  1837. ./dln.c:1254:  [1] (buffer) strlen:
  1838.   Does not handle strings that are not \0-terminated; if given one it may
  1839.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  1840. ./dln_find.c:132:  [1] (buffer) strlen:
  1841.   Does not handle strings that are not \0-terminated; if given one it may
  1842.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  1843. ./dln_find.c:208:  [1] (buffer) strlen:
  1844.   Does not handle strings that are not \0-terminated; if given one it may
  1845.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  1846. ./dln_find.c:232:  [1] (buffer) strlen:
  1847.   Does not handle strings that are not \0-terminated; if given one it may
  1848.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  1849. ./dln_find.c:269:  [1] (buffer) strlen:
  1850.   Does not handle strings that are not \0-terminated; if given one it may
  1851.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  1852. ./encoding.c:67:  [1] (buffer) strlen:
  1853.   Does not handle strings that are not \0-terminated; if given one it may
  1854.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  1855. ./encoding.c:1547:  [1] (buffer) strlen:
  1856.   Does not handle strings that are not \0-terminated; if given one it may
  1857.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  1858. ./error.c:71:  [1] (port) snprintf:
  1859.   On some very old systems, snprintf is incorrectly implemented and permits
  1860.   buffer overflows; there are also incompatible standard definitions of it.
  1861.   Check it during installation, or use something else.
  1862. ./error.c:74:  [1] (port) snprintf:
  1863.   On some very old systems, snprintf is incorrectly implemented and permits
  1864.   buffer overflows; there are also incompatible standard definitions of it.
  1865.   Check it during installation, or use something else.
  1866. ./error.c:350:  [1] (port) snprintf:
  1867.   On some very old systems, snprintf is incorrectly implemented and permits
  1868.   buffer overflows; there are also incompatible standard definitions of it.
  1869.   Check it during installation, or use something else.
  1870. ./error.c:453:  [1] (buffer) strlen:
  1871.   Does not handle strings that are not \0-terminated; if given one it may
  1872.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  1873. ./error.c:464:  [1] (buffer) strlen:
  1874.   Does not handle strings that are not \0-terminated; if given one it may
  1875.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  1876. ./error.c:467:  [1] (buffer) strlen:
  1877.   Does not handle strings that are not \0-terminated; if given one it may
  1878.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  1879. ./error.c:682:  [1] (buffer) strlen:
  1880.   Does not handle strings that are not \0-terminated; if given one it may
  1881.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  1882. ./error.c:1390:  [1] (port) snprintf:
  1883.   On some very old systems, snprintf is incorrectly implemented and permits
  1884.   buffer overflows; there are also incompatible standard definitions of it.
  1885.   Check it during installation, or use something else.
  1886. ./file.c:2935:  [1] (access) umask:
  1887.   Ensure that umask is given most restrictive possible setting (e.g., 066 or
  1888.   077) (CWE-732).
  1889. ./file.c:2936:  [1] (access) umask:
  1890.   Ensure that umask is given most restrictive possible setting (e.g., 066 or
  1891.   077) (CWE-732).
  1892. ./file.c:2939:  [1] (access) umask:
  1893.   Ensure that umask is given most restrictive possible setting (e.g., 066 or
  1894.   077) (CWE-732).
  1895. ./file.c:3212:  [1] (buffer) strlen:
  1896.   Does not handle strings that are not \0-terminated; if given one it may
  1897.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  1898. ./file.c:3260:  [1] (buffer) strlen:
  1899.   Does not handle strings that are not \0-terminated; if given one it may
  1900.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  1901. ./file.c:3539:  [1] (buffer) strlen:
  1902.   Does not handle strings that are not \0-terminated; if given one it may
  1903.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  1904. ./file.c:3575:  [1] (buffer) strlen:
  1905.   Does not handle strings that are not \0-terminated; if given one it may
  1906.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  1907. ./file.c:3616:  [1] (buffer) strlen:
  1908.   Does not handle strings that are not \0-terminated; if given one it may
  1909.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  1910. ./file.c:3742:  [1] (buffer) strlen:
  1911.   Does not handle strings that are not \0-terminated; if given one it may
  1912.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  1913. ./file.c:4020:  [1] (buffer) strlen:
  1914.   Does not handle strings that are not \0-terminated; if given one it may
  1915.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  1916. ./file.c:4209:  [1] (buffer) strlen:
  1917.   Does not handle strings that are not \0-terminated; if given one it may
  1918.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  1919. ./file.c:5648:  [1] (buffer) strlen:
  1920.   Does not handle strings that are not \0-terminated; if given one it may
  1921.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  1922. ./gc.c:4717:  [1] (buffer) strlen:
  1923.   Does not handle strings that are not \0-terminated; if given one it may
  1924.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  1925. ./gc.c:5781:  [1] (port) snprintf:
  1926.   On some very old systems, snprintf is incorrectly implemented and permits
  1927.   buffer overflows; there are also incompatible standard definitions of it.
  1928.   Check it during installation, or use something else.
  1929. ./gc.c:5787:  [1] (buffer) strlen:
  1930.   Does not handle strings that are not \0-terminated; if given one it may
  1931.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  1932. ./gc.c:7397:  [1] (free) memalign:
  1933.   On some systems (though not Linux-based systems) an attempt to free()
  1934.   results from memalign() may fail. This may, on a few systems, be
  1935.   exploitable. Also note that memalign() may not check that the boundary
  1936.   parameter is correct (CWE-676). Use posix_memalign instead (defined in
  1937.   POSIX's 1003.1d). Don't switch to valloc(); it is marked as obsolete in BSD
  1938.   4.3, as legacy in SUSv2, and is no longer defined in SUSv3. In some cases,
  1939.   malloc()'s alignment may be sufficient.
  1940. ./gc.c:8913:  [1] (port) snprintf:
  1941.   On some very old systems, snprintf is incorrectly implemented and permits
  1942.   buffer overflows; there are also incompatible standard definitions of it.
  1943.   Check it during installation, or use something else.
  1944. ./gc.c:8925:  [1] (port) snprintf:
  1945.   On some very old systems, snprintf is incorrectly implemented and permits
  1946.   buffer overflows; there are also incompatible standard definitions of it.
  1947.   Check it during installation, or use something else.
  1948. ./gc.c:8930:  [1] (port) snprintf:
  1949.   On some very old systems, snprintf is incorrectly implemented and permits
  1950.   buffer overflows; there are also incompatible standard definitions of it.
  1951.   Check it during installation, or use something else.
  1952. ./gc.c:8935:  [1] (port) snprintf:
  1953.   On some very old systems, snprintf is incorrectly implemented and permits
  1954.   buffer overflows; there are also incompatible standard definitions of it.
  1955.   Check it during installation, or use something else.
  1956. ./gc.c:8940:  [1] (port) snprintf:
  1957.   On some very old systems, snprintf is incorrectly implemented and permits
  1958.   buffer overflows; there are also incompatible standard definitions of it.
  1959.   Check it during installation, or use something else.
  1960. ./gc.c:8944:  [1] (port) snprintf:
  1961.   On some very old systems, snprintf is incorrectly implemented and permits
  1962.   buffer overflows; there are also incompatible standard definitions of it.
  1963.   Check it during installation, or use something else.
  1964. ./gc.c:8950:  [1] (port) snprintf:
  1965.   On some very old systems, snprintf is incorrectly implemented and permits
  1966.   buffer overflows; there are also incompatible standard definitions of it.
  1967.   Check it during installation, or use something else.
  1968. ./gc.c:8956:  [1] (port) snprintf:
  1969.   On some very old systems, snprintf is incorrectly implemented and permits
  1970.   buffer overflows; there are also incompatible standard definitions of it.
  1971.   Check it during installation, or use something else.
  1972. ./gc.c:8963:  [1] (port) snprintf:
  1973.   On some very old systems, snprintf is incorrectly implemented and permits
  1974.   buffer overflows; there are also incompatible standard definitions of it.
  1975.   Check it during installation, or use something else.
  1976. ./gc.c:8982:  [1] (port) snprintf:
  1977.   On some very old systems, snprintf is incorrectly implemented and permits
  1978.   buffer overflows; there are also incompatible standard definitions of it.
  1979.   Check it during installation, or use something else.
  1980. ./gc.c:8987:  [1] (port) snprintf:
  1981.   On some very old systems, snprintf is incorrectly implemented and permits
  1982.   buffer overflows; there are also incompatible standard definitions of it.
  1983.   Check it during installation, or use something else.
  1984. ./gc.c:8995:  [1] (port) snprintf:
  1985.   On some very old systems, snprintf is incorrectly implemented and permits
  1986.   buffer overflows; there are also incompatible standard definitions of it.
  1987.   Check it during installation, or use something else.
  1988. ./hash.c:2774:  [1] (buffer) strlen:
  1989.   Does not handle strings that are not \0-terminated; if given one it may
  1990.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  1991. ./hash.c:2951:  [1] (buffer) strlen:
  1992.   Does not handle strings that are not \0-terminated; if given one it may
  1993.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  1994. ./hash.c:2969:  [1] (buffer) strlen:
  1995.   Does not handle strings that are not \0-terminated; if given one it may
  1996.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  1997. ./hash.c:3011:  [1] (buffer) strlen:
  1998.   Does not handle strings that are not \0-terminated; if given one it may
  1999.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2000. ./hash.c:3011:  [1] (buffer) strlen:
  2001.   Does not handle strings that are not \0-terminated; if given one it may
  2002.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2003. ./hash.c:3058:  [1] (buffer) strlen:
  2004.   Does not handle strings that are not \0-terminated; if given one it may
  2005.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2006. ./hash.c:3060:  [1] (buffer) strlen:
  2007.   Does not handle strings that are not \0-terminated; if given one it may
  2008.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2009. ./hash.c:3064:  [1] (port) snprintf:
  2010.   On some very old systems, snprintf is incorrectly implemented and permits
  2011.   buffer overflows; there are also incompatible standard definitions of it.
  2012.   Check it during installation, or use something else.
  2013. ./hash.c:3115:  [1] (buffer) strlen:
  2014.   Does not handle strings that are not \0-terminated; if given one it may
  2015.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2016. ./hash.c:3115:  [1] (buffer) strlen:
  2017.   Does not handle strings that are not \0-terminated; if given one it may
  2018.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2019. ./hash.c:3117:  [1] (port) snprintf:
  2020.   On some very old systems, snprintf is incorrectly implemented and permits
  2021.   buffer overflows; there are also incompatible standard definitions of it.
  2022.   Check it during installation, or use something else.
  2023. ./hash.c:3687:  [1] (buffer) strlen:
  2024.   Does not handle strings that are not \0-terminated; if given one it may
  2025.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2026. ./hash.c:3718:  [1] (buffer) strlen:
  2027.   Does not handle strings that are not \0-terminated; if given one it may
  2028.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2029. ./hash.c:3749:  [1] (buffer) strlen:
  2030.   Does not handle strings that are not \0-terminated; if given one it may
  2031.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2032. ./io.c:945:  [1] (buffer) read:
  2033.   Check buffer boundaries if used in a loop including recursive loops
  2034.   (CWE-120, CWE-20).
  2035. ./io.c:2053:  [1] (buffer) strlen:
  2036.   Does not handle strings that are not \0-terminated; if given one it may
  2037.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2038. ./io.c:2062:  [1] (buffer) strlen:
  2039.   Does not handle strings that are not \0-terminated; if given one it may
  2040.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2041. ./io.c:4966:  [1] (buffer) strlen:
  2042.   Does not handle strings that are not \0-terminated; if given one it may
  2043.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2044. ./io.c:5155:  [1] (buffer) strlen:
  2045.   Does not handle strings that are not \0-terminated; if given one it may
  2046.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2047. ./io.c:5864:  [1] (buffer) read:
  2048.   Check buffer boundaries if used in a loop including recursive loops
  2049.   (CWE-120, CWE-20).
  2050. ./io.c:7333:  [1] (buffer) strlen:
  2051.   Does not handle strings that are not \0-terminated; if given one it may
  2052.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2053. ./io.c:7837:  [1] (buffer) strlen:
  2054.   Does not handle strings that are not \0-terminated; if given one it may
  2055.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2056. ./io.c:8005:  [1] (buffer) strlen:
  2057.   Does not handle strings that are not \0-terminated; if given one it may
  2058.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2059. ./io.c:8432:  [1] (buffer) read:
  2060.   Check buffer boundaries if used in a loop including recursive loops
  2061.   (CWE-120, CWE-20).
  2062. ./io.c:8442:  [1] (buffer) read:
  2063.   Check buffer boundaries if used in a loop including recursive loops
  2064.   (CWE-120, CWE-20).
  2065. ./io.c:8443:  [1] (buffer) read:
  2066.   Check buffer boundaries if used in a loop including recursive loops
  2067.   (CWE-120, CWE-20).
  2068. ./io.c:8444:  [1] (buffer) read:
  2069.   Check buffer boundaries if used in a loop including recursive loops
  2070.   (CWE-120, CWE-20).
  2071. ./io.c:8445:  [1] (buffer) read:
  2072.   Check buffer boundaries if used in a loop including recursive loops
  2073.   (CWE-120, CWE-20).
  2074. ./io.c:8510:  [1] (buffer) read:
  2075.   Check buffer boundaries if used in a loop including recursive loops
  2076.   (CWE-120, CWE-20).
  2077. ./io.c:8511:  [1] (buffer) read:
  2078.   Check buffer boundaries if used in a loop including recursive loops
  2079.   (CWE-120, CWE-20).
  2080. ./io.c:8557:  [1] (buffer) read:
  2081.   Check buffer boundaries if used in a loop including recursive loops
  2082.   (CWE-120, CWE-20).
  2083. ./io.c:8567:  [1] (buffer) read:
  2084.   Check buffer boundaries if used in a loop including recursive loops
  2085.   (CWE-120, CWE-20).
  2086. ./io.c:8904:  [1] (buffer) read:
  2087.   Check buffer boundaries if used in a loop including recursive loops
  2088.   (CWE-120, CWE-20).
  2089. ./io.c:10405:  [1] (buffer) read:
  2090.   Check buffer boundaries if used in a loop including recursive loops
  2091.   (CWE-120, CWE-20).
  2092. ./iseq.c:1510:  [1] (port) snprintf:
  2093.   On some very old systems, snprintf is incorrectly implemented and permits
  2094.   buffer overflows; there are also incompatible standard definitions of it.
  2095.   Check it during installation, or use something else.
  2096. ./load.c:371:  [1] (buffer) strlen:
  2097.   Does not handle strings that are not \0-terminated; if given one it may
  2098.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2099. ./load.c:390:  [1] (buffer) strlen:
  2100.   Does not handle strings that are not \0-terminated; if given one it may
  2101.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2102. ./load.c:391:  [1] (buffer) strlen:
  2103.   Does not handle strings that are not \0-terminated; if given one it may
  2104.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2105. ./load.c:395:  [1] (buffer) strlen:
  2106.   Does not handle strings that are not \0-terminated; if given one it may
  2107.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2108. ./load.c:1200:  [1] (buffer) strlen:
  2109.   Does not handle strings that are not \0-terminated; if given one it may
  2110.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2111. ./localeinit.c:23:  [1] (port) snprintf:
  2112.   On some very old systems, snprintf is incorrectly implemented and permits
  2113.   buffer overflows; there are also incompatible standard definitions of it.
  2114.   Check it during installation, or use something else.
  2115. ./marshal.c:275:  [1] (buffer) strlen:
  2116.   Does not handle strings that are not \0-terminated; if given one it may
  2117.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2118. ./marshal.c:404:  [1] (port) snprintf:
  2119.   On some very old systems, snprintf is incorrectly implemented and permits
  2120.   buffer overflows; there are also incompatible standard definitions of it.
  2121.   Check it during installation, or use something else.
  2122. ./numeric.c:2246:  [1] (port) snprintf:
  2123.   On some very old systems, snprintf is incorrectly implemented and permits
  2124.   buffer overflows; there are also incompatible standard definitions of it.
  2125.   Check it during installation, or use something else.
  2126. ./pack.c:942:  [1] (port) snprintf:
  2127.   On some very old systems, snprintf is incorrectly implemented and permits
  2128.   buffer overflows; there are also incompatible standard definitions of it.
  2129.   Check it during installation, or use something else.
  2130. ./process.c:1277:  [1] (buffer) strlen:
  2131.   Does not handle strings that are not \0-terminated; if given one it may
  2132.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2133. ./process.c:2245:  [1] (buffer) strlen:
  2134.   Does not handle strings that are not \0-terminated; if given one it may
  2135.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2136. ./process.c:2432:  [1] (buffer) strlen:
  2137.   Does not handle strings that are not \0-terminated; if given one it may
  2138.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2139. ./process.c:3061:  [1] (access) umask:
  2140.   Ensure that umask is given most restrictive possible setting (e.g., 066 or
  2141.   077) (CWE-732).
  2142. ./process.c:3320:  [1] (buffer) read:
  2143.   Check buffer boundaries if used in a loop including recursive loops
  2144.   (CWE-120, CWE-20).
  2145. ./process.c:3335:  [1] (buffer) strlen:
  2146.   Does not handle strings that are not \0-terminated; if given one it may
  2147.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2148. ./random.c:472:  [1] (buffer) read:
  2149.   Check buffer boundaries if used in a loop including recursive loops
  2150.   (CWE-120, CWE-20).
  2151. ./rational.c:2160:  [1] (buffer) strlen:
  2152.   Does not handle strings that are not \0-terminated; if given one it may
  2153.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2154. ./re.c:443:  [1] (port) snprintf:
  2155.   On some very old systems, snprintf is incorrectly implemented and permits
  2156.   buffer overflows; there are also incompatible standard definitions of it.
  2157.   Check it during installation, or use something else.
  2158. ./re.c:1138:  [1] (buffer) strlen:
  2159.   Does not handle strings that are not \0-terminated; if given one it may
  2160.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2161. ./re.c:2167:  [1] (port) snprintf:
  2162.   On some very old systems, snprintf is incorrectly implemented and permits
  2163.   buffer overflows; there are also incompatible standard definitions of it.
  2164.   Check it during installation, or use something else.
  2165. ./re.c:2193:  [1] (port) snprintf:
  2166.   On some very old systems, snprintf is incorrectly implemented and permits
  2167.   buffer overflows; there are also incompatible standard definitions of it.
  2168.   Check it during installation, or use something else.
  2169. ./regenc.c:941:  [1] (buffer) strlen:
  2170.   Does not handle strings that are not \0-terminated; if given one it may
  2171.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2172. ./regexec.c:1424:  [1] (buffer) strlen:
  2173.   Does not handle strings that are not \0-terminated; if given one it may
  2174.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2175. ./ruby.c:263:  [1] (buffer) strncpy:
  2176.   Easily used incorrectly; doesn't always \0-terminate or check for invalid
  2177.   pointers (CWE-120).
  2178. ./ruby.c:513:  [1] (buffer) strlen:
  2179.   Does not handle strings that are not \0-terminated; if given one it may
  2180.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2181. ./ruby.c:525:  [1] (buffer) strlen:
  2182.   Does not handle strings that are not \0-terminated; if given one it may
  2183.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2184. ./ruby.c:662:  [1] (buffer) strlen:
  2185.   Does not handle strings that are not \0-terminated; if given one it may
  2186.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2187. ./ruby.c:784:  [1] (buffer) strlen:
  2188.   Does not handle strings that are not \0-terminated; if given one it may
  2189.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2190. ./ruby.c:973:  [1] (buffer) strlen:
  2191.   Does not handle strings that are not \0-terminated; if given one it may
  2192.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2193. ./signal.c:921:  [1] (buffer) strlen:
  2194.   Does not handle strings that are not \0-terminated; if given one it may
  2195.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2196. ./signal.c:928:  [1] (buffer) strlen:
  2197.   Does not handle strings that are not \0-terminated; if given one it may
  2198.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2199. ./sprintf.c:925:  [1] (port) snprintf:
  2200.   On some very old systems, snprintf is incorrectly implemented and permits
  2201.   buffer overflows; there are also incompatible standard definitions of it.
  2202.   Check it during installation, or use something else.
  2203. ./sprintf.c:927:  [1] (buffer) strlen:
  2204.   Does not handle strings that are not \0-terminated; if given one it may
  2205.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2206. ./sprintf.c:979:  [1] (buffer) strlen:
  2207.   Does not handle strings that are not \0-terminated; if given one it may
  2208.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2209. ./sprintf.c:1000:  [1] (buffer) strlen:
  2210.   Does not handle strings that are not \0-terminated; if given one it may
  2211.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2212. ./sprintf.c:1140:  [1] (buffer) strlen:
  2213.   Does not handle strings that are not \0-terminated; if given one it may
  2214.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2215. ./sprintf.c:1147:  [1] (port) snprintf:
  2216.   On some very old systems, snprintf is incorrectly implemented and permits
  2217.   buffer overflows; there are also incompatible standard definitions of it.
  2218.   Check it during installation, or use something else.
  2219. ./sprintf.c:1155:  [1] (buffer) strlen:
  2220.   Does not handle strings that are not \0-terminated; if given one it may
  2221.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2222. ./sprintf.c:1159:  [1] (buffer) strlen:
  2223.   Does not handle strings that are not \0-terminated; if given one it may
  2224.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2225. ./sprintf.c:1161:  [1] (buffer) strlen:
  2226.   Does not handle strings that are not \0-terminated; if given one it may
  2227.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2228. ./sprintf.c:1164:  [1] (buffer) strlen:
  2229.   Does not handle strings that are not \0-terminated; if given one it may
  2230.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2231. ./sprintf.c:1165:  [1] (buffer) strlen:
  2232.   Does not handle strings that are not \0-terminated; if given one it may
  2233.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2234. ./sprintf.c:1167:  [1] (buffer) strlen:
  2235.   Does not handle strings that are not \0-terminated; if given one it may
  2236.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2237. ./sprintf.c:1186:  [1] (buffer) strlen:
  2238.   Does not handle strings that are not \0-terminated; if given one it may
  2239.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2240. ./sprintf.c:1220:  [1] (port) snprintf:
  2241.   On some very old systems, snprintf is incorrectly implemented and permits
  2242.   buffer overflows; there are also incompatible standard definitions of it.
  2243.   Check it during installation, or use something else.
  2244. ./sprintf.c:1221:  [1] (buffer) strlen:
  2245.   Does not handle strings that are not \0-terminated; if given one it may
  2246.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2247. ./sprintf.c:1225:  [1] (port) snprintf:
  2248.   On some very old systems, snprintf is incorrectly implemented and permits
  2249.   buffer overflows; there are also incompatible standard definitions of it.
  2250.   Check it during installation, or use something else.
  2251. ./sprintf.c:1226:  [1] (buffer) strlen:
  2252.   Does not handle strings that are not \0-terminated; if given one it may
  2253.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2254. ./st.c:188:  [1] (port) snprintf:
  2255.   On some very old systems, snprintf is incorrectly implemented and permits
  2256.   buffer overflows; there are also incompatible standard definitions of it.
  2257.   Check it during installation, or use something else.
  2258. ./st.c:1635:  [1] (buffer) strlen:
  2259.   Does not handle strings that are not \0-terminated; if given one it may
  2260.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2261. ./strftime.c:200:  [1] (buffer) strlen:
  2262.   Does not handle strings that are not \0-terminated; if given one it may
  2263.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2264. ./strftime.c:314:  [1] (buffer) strlen:
  2265.   Does not handle strings that are not \0-terminated; if given one it may
  2266.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2267. ./strftime.c:339:  [1] (buffer) strlen:
  2268.   Does not handle strings that are not \0-terminated; if given one it may
  2269.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2270. ./strftime.c:511:  [1] (port) snprintf:
  2271.   On some very old systems, snprintf is incorrectly implemented and permits
  2272.   buffer overflows; there are also incompatible standard definitions of it.
  2273.   Check it during installation, or use something else.
  2274. ./strftime.c:519:  [1] (port) snprintf:
  2275.   On some very old systems, snprintf is incorrectly implemented and permits
  2276.   buffer overflows; there are also incompatible standard definitions of it.
  2277.   Check it during installation, or use something else.
  2278. ./strftime.c:552:  [1] (buffer) strlen:
  2279.   Does not handle strings that are not \0-terminated; if given one it may
  2280.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2281. ./strftime.c:701:  [1] (port) snprintf:
  2282.   On some very old systems, snprintf is incorrectly implemented and permits
  2283.   buffer overflows; there are also incompatible standard definitions of it.
  2284.   Check it during installation, or use something else.
  2285. ./strftime.c:709:  [1] (port) snprintf:
  2286.   On some very old systems, snprintf is incorrectly implemented and permits
  2287.   buffer overflows; there are also incompatible standard definitions of it.
  2288.   Check it during installation, or use something else.
  2289. ./strftime.c:731:  [1] (port) snprintf:
  2290.   On some very old systems, snprintf is incorrectly implemented and permits
  2291.   buffer overflows; there are also incompatible standard definitions of it.
  2292.   Check it during installation, or use something else.
  2293. ./string.c:353:  [1] (buffer) strlen:
  2294.   Does not handle strings that are not \0-terminated; if given one it may
  2295.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2296. ./string.c:707:  [1] (buffer) strlen:
  2297.   Does not handle strings that are not \0-terminated; if given one it may
  2298.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2299. ./string.c:733:  [1] (buffer) strlen:
  2300.   Does not handle strings that are not \0-terminated; if given one it may
  2301.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2302. ./string.c:913:  [1] (buffer) strlen:
  2303.   Does not handle strings that are not \0-terminated; if given one it may
  2304.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2305. ./string.c:925:  [1] (buffer) strlen:
  2306.   Does not handle strings that are not \0-terminated; if given one it may
  2307.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2308. ./string.c:937:  [1] (buffer) strlen:
  2309.   Does not handle strings that are not \0-terminated; if given one it may
  2310.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2311. ./string.c:1101:  [1] (buffer) strlen:
  2312.   Does not handle strings that are not \0-terminated; if given one it may
  2313.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2314. ./string.c:2300:  [1] (buffer) strlen:
  2315.   Does not handle strings that are not \0-terminated; if given one it may
  2316.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2317. ./string.c:2316:  [1] (buffer) strlen:
  2318.   Does not handle strings that are not \0-terminated; if given one it may
  2319.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2320. ./string.c:2423:  [1] (buffer) strlen:
  2321.   Does not handle strings that are not \0-terminated; if given one it may
  2322.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2323. ./string.c:5110:  [1] (port) snprintf:
  2324.   On some very old systems, snprintf is incorrectly implemented and permits
  2325.   buffer overflows; there are also incompatible standard definitions of it.
  2326.   Check it during installation, or use something else.
  2327. ./string.c:5113:  [1] (port) snprintf:
  2328.   On some very old systems, snprintf is incorrectly implemented and permits
  2329.   buffer overflows; there are also incompatible standard definitions of it.
  2330.   Check it during installation, or use something else.
  2331. ./string.c:5116:  [1] (port) snprintf:
  2332.   On some very old systems, snprintf is incorrectly implemented and permits
  2333.   buffer overflows; there are also incompatible standard definitions of it.
  2334.   Check it during installation, or use something else.
  2335. ./string.c:5121:  [1] (port) snprintf:
  2336.   On some very old systems, snprintf is incorrectly implemented and permits
  2337.   buffer overflows; there are also incompatible standard definitions of it.
  2338.   Check it during installation, or use something else.
  2339. ./string.c:5124:  [1] (port) snprintf:
  2340.   On some very old systems, snprintf is incorrectly implemented and permits
  2341.   buffer overflows; there are also incompatible standard definitions of it.
  2342.   Check it during installation, or use something else.
  2343. ./string.c:5127:  [1] (buffer) strlen:
  2344.   Does not handle strings that are not \0-terminated; if given one it may
  2345.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2346. ./string.c:5179:  [1] (port) snprintf:
  2347.   On some very old systems, snprintf is incorrectly implemented and permits
  2348.   buffer overflows; there are also incompatible standard definitions of it.
  2349.   Check it during installation, or use something else.
  2350. ./string.c:5180:  [1] (buffer) strlen:
  2351.   Does not handle strings that are not \0-terminated; if given one it may
  2352.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2353. ./string.c:5299:  [1] (buffer) strlen:
  2354.   Does not handle strings that are not \0-terminated; if given one it may
  2355.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2356. ./string.c:5360:  [1] (port) snprintf:
  2357.   On some very old systems, snprintf is incorrectly implemented and permits
  2358.   buffer overflows; there are also incompatible standard definitions of it.
  2359.   Check it during installation, or use something else.
  2360. ./string.c:5361:  [1] (buffer) strlen:
  2361.   Does not handle strings that are not \0-terminated; if given one it may
  2362.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2363. ./string.c:5365:  [1] (port) snprintf:
  2364.   On some very old systems, snprintf is incorrectly implemented and permits
  2365.   buffer overflows; there are also incompatible standard definitions of it.
  2366.   Check it during installation, or use something else.
  2367. ./string.c:5372:  [1] (port) snprintf:
  2368.   On some very old systems, snprintf is incorrectly implemented and permits
  2369.   buffer overflows; there are also incompatible standard definitions of it.
  2370.   Check it during installation, or use something else.
  2371. ./string.c:8814:  [1] (buffer) strlen:
  2372.   Does not handle strings that are not \0-terminated; if given one it may
  2373.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2374. ./symbol.c:28:  [1] (buffer) strlen:
  2375.   Does not handle strings that are not \0-terminated; if given one it may
  2376.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2377. ./symbol.c:245:  [1] (buffer) strlen:
  2378.   Does not handle strings that are not \0-terminated; if given one it may
  2379.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2380. ./symbol.c:663:  [1] (buffer) strlen:
  2381.   Does not handle strings that are not \0-terminated; if given one it may
  2382.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2383. ./thread.c:3535:  [1] (buffer) read:
  2384.   Check buffer boundaries if used in a loop including recursive loops
  2385.   (CWE-120, CWE-20).
  2386. ./thread.c:3553:  [1] (buffer) read:
  2387.   Check buffer boundaries if used in a loop including recursive loops
  2388.   (CWE-120, CWE-20).
  2389. ./thread.c:3562:  [1] (buffer) read:
  2390.   Check buffer boundaries if used in a loop including recursive loops
  2391.   (CWE-120, CWE-20).
  2392. ./thread.c:3565:  [1] (buffer) read:
  2393.   Check buffer boundaries if used in a loop including recursive loops
  2394.   (CWE-120, CWE-20).
  2395. ./thread.c:3567:  [1] (buffer) read:
  2396.   Check buffer boundaries if used in a loop including recursive loops
  2397.   (CWE-120, CWE-20).
  2398. ./thread.c:3578:  [1] (buffer) read:
  2399.   Check buffer boundaries if used in a loop including recursive loops
  2400.   (CWE-120, CWE-20).
  2401. ./thread.c:3595:  [1] (buffer) read:
  2402.   Check buffer boundaries if used in a loop including recursive loops
  2403.   (CWE-120, CWE-20).
  2404. ./thread.c:3598:  [1] (buffer) read:
  2405.   Check buffer boundaries if used in a loop including recursive loops
  2406.   (CWE-120, CWE-20).
  2407. ./thread.c:3607:  [1] (buffer) read:
  2408.   Check buffer boundaries if used in a loop including recursive loops
  2409.   (CWE-120, CWE-20).
  2410. ./thread.c:3608:  [1] (buffer) read:
  2411.   Check buffer boundaries if used in a loop including recursive loops
  2412.   (CWE-120, CWE-20).
  2413. ./thread.c:3616:  [1] (buffer) read:
  2414.   Check buffer boundaries if used in a loop including recursive loops
  2415.   (CWE-120, CWE-20).
  2416. ./thread.c:3750:  [1] (buffer) read:
  2417.   Check buffer boundaries if used in a loop including recursive loops
  2418.   (CWE-120, CWE-20).
  2419. ./thread.c:3763:  [1] (buffer) read:
  2420.   Check buffer boundaries if used in a loop including recursive loops
  2421.   (CWE-120, CWE-20).
  2422. ./thread.c:3768:  [1] (buffer) read:
  2423.   Check buffer boundaries if used in a loop including recursive loops
  2424.   (CWE-120, CWE-20).
  2425. ./thread.c:3768:  [1] (buffer) read:
  2426.   Check buffer boundaries if used in a loop including recursive loops
  2427.   (CWE-120, CWE-20).
  2428. ./thread.c:3783:  [1] (buffer) read:
  2429.   Check buffer boundaries if used in a loop including recursive loops
  2430.   (CWE-120, CWE-20).
  2431. ./thread.c:3783:  [1] (buffer) read:
  2432.   Check buffer boundaries if used in a loop including recursive loops
  2433.   (CWE-120, CWE-20).
  2434. ./thread_pthread.c:1358:  [1] (buffer) read:
  2435.   Check buffer boundaries if used in a loop including recursive loops
  2436.   (CWE-120, CWE-20).
  2437. ./thread_pthread.c:1543:  [1] (port) snprintf:
  2438.   On some very old systems, snprintf is incorrectly implemented and permits
  2439.   buffer overflows; there are also incompatible standard definitions of it.
  2440.   Check it during installation, or use something else.
  2441. ./time.c:4330:  [1] (buffer) strlen:
  2442.   Does not handle strings that are not \0-terminated; if given one it may
  2443.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2444. ./time.c:4600:  [1] (buffer) strlen:
  2445.   Does not handle strings that are not \0-terminated; if given one it may
  2446.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2447. ./transcode.c:367:  [1] (buffer) strlen:
  2448.   Does not handle strings that are not \0-terminated; if given one it may
  2449.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2450. ./transcode.c:1421:  [1] (port) snprintf:
  2451.   On some very old systems, snprintf is incorrectly implemented and permits
  2452.   buffer overflows; there are also incompatible standard definitions of it.
  2453.   Check it during installation, or use something else.
  2454. ./transcode.c:1423:  [1] (buffer) strlen:
  2455.   Does not handle strings that are not \0-terminated; if given one it may
  2456.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2457. ./util.c:490:  [1] (buffer) strlen:
  2458.   Does not handle strings that are not \0-terminated; if given one it may
  2459.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2460. ./util.c:503:  [1] (buffer) strcpy:
  2461.   Does not check for buffer overflows when copying to destination (CWE-120).
  2462.   Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily
  2463.   misused). Risk is low because the source is a constant character.
  2464. ./util.c:3068:  [1] (buffer) strlen:
  2465.   Does not handle strings that are not \0-terminated; if given one it may
  2466.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2467. ./variable.c:624:  [1] (buffer) strlen:
  2468.   Does not handle strings that are not \0-terminated; if given one it may
  2469.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2470. ./vm.c:3001:  [1] (port) snprintf:
  2471.   On some very old systems, snprintf is incorrectly implemented and permits
  2472.   buffer overflows; there are also incompatible standard definitions of it.
  2473.   Check it during installation, or use something else.
  2474. ./vm_dump.c:106:  [1] (port) snprintf:
  2475.   On some very old systems, snprintf is incorrectly implemented and permits
  2476.   buffer overflows; there are also incompatible standard definitions of it.
  2477.   Check it during installation, or use something else.
  2478. ./vm_dump.c:112:  [1] (port) snprintf:
  2479.   On some very old systems, snprintf is incorrectly implemented and permits
  2480.   buffer overflows; there are also incompatible standard definitions of it.
  2481.   Check it during installation, or use something else.
  2482. ./vm_dump.c:822:  [1] (port) snprintf:
  2483.   On some very old systems, snprintf is incorrectly implemented and permits
  2484.   buffer overflows; there are also incompatible standard definitions of it.
  2485.   Check it during installation, or use something else.
  2486. ./vm_dump.c:824:  [1] (port) snprintf:
  2487.   On some very old systems, snprintf is incorrectly implemented and permits
  2488.   buffer overflows; there are also incompatible standard definitions of it.
  2489.   Check it during installation, or use something else.
  2490. ./vm_method.c:1071:  [1] (buffer) read:
  2491.   Check buffer boundaries if used in a loop including recursive loops
  2492.   (CWE-120, CWE-20).
  2493. ./vm_method.c:1097:  [1] (buffer) read:
  2494.   Check buffer boundaries if used in a loop including recursive loops
  2495.   (CWE-120, CWE-20).
  2496. ./vsnprintf.c:1022:  [1] (buffer) strlen:
  2497.   Does not handle strings that are not \0-terminated; if given one it may
  2498.   perform an over-read (it could cause a crash if unprotected) (CWE-126).
  2499.  
  2500. ANALYSIS SUMMARY:
  2501.  
  2502. Hits = 636
  2503. Lines analyzed = 197285 in approximately 3.93 seconds (50139 lines/second)
  2504. Physical Source Lines of Code (SLOC) = 141537
  2505. Hits@level = [0]   0 [1] 246 [2] 288 [3]  35 [4]  52 [5]  15
  2506. Hits@level+ = [0+] 636 [1+] 636 [2+] 390 [3+] 102 [4+]  67 [5+]  15
  2507. Hits/KSLOC@level+ = [0+] 4.49352 [1+] 4.49352 [2+] 2.75546 [3+] 0.72066 [4+] 0.473374 [5+] 0.105979
  2508. Minimum risk level = 1
  2509. Not every hit is necessarily a security vulnerability.
  2510. There may be other security vulnerabilities; review your code!
  2511. See 'Secure Programming for Linux and Unix HOWTO'
  2512. (http://www.dwheeler.com/secure-programs) for more information.
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top