HOST-Oman / libraqm

A library for complex text layout
MIT License
270 stars 62 forks source link

flawfinder result #28

Closed abderraouf-adjal closed 8 years ago

abderraouf-adjal commented 8 years ago

flawfinder - lexically find potential security flaws ("hits") in source code

Note: Not every hit is necessarily a security vulnerability.

result at commit 70aa7564d54e9fd719eca06ea3919e696fbbaec5

raqm.h

raqm.h:30:  [4] (format) fprintf:
  If format strings can be influenced by an attacker, they can be exploited
  (CWE-134). Use a constant for the format specification.
raqm.h:36:  [4] (format) printf:
  If format strings can be influenced by an attacker, they can be exploited
  (CWE-134). Use a constant for the format specification.

raqm.c

raqm.c:28:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
raqm.c:428:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
khaledhosny commented 8 years ago

The first three warnings are in testing and debugging code that is not compiled by default (except in make check), so can be safely ignored. I fixed the last one.

abderraouf-adjal commented 8 years ago

:thumbsup: