The following issues were found
lib/md4.c
5 issues
Line: 184
Column: 7
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if(!ctx->data) {
ctx->data = malloc(size);
if(ctx->data != NULL) {
memcpy(ctx->data, data, size);
ctx->size = size;
}
}
}
Reported by FlawFinder.
Line: 253
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct md4_ctx {
MD4_u32plus lo, hi;
MD4_u32plus a, b, c, d;
unsigned char buffer[64];
MD4_u32plus block[16];
};
typedef struct md4_ctx MD4_CTX;
static void MD4_Init(MD4_CTX *ctx);
Reported by FlawFinder.
Line: 425
Column: 7
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
unsigned long available = 64 - used;
if(size < available) {
memcpy(&ctx->buffer[used], data, size);
return;
}
memcpy(&ctx->buffer[used], data, available);
data = (const unsigned char *)data + available;
Reported by FlawFinder.
Line: 429
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return;
}
memcpy(&ctx->buffer[used], data, available);
data = (const unsigned char *)data + available;
size -= available;
body(ctx, ctx->buffer, 64);
}
Reported by FlawFinder.
Line: 440
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
size &= 0x3f;
}
memcpy(ctx->buffer, data, size);
}
static void MD4_Final(unsigned char *result, MD4_CTX *ctx)
{
unsigned long used, available;
Reported by FlawFinder.
docs/examples/ephiperfifo.c
5 issues
Line: 97
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
CURL *easy;
char *url;
GlobalInfo *global;
char error[CURL_ERROR_SIZE];
} ConnInfo;
/* Information associated with a specific socket */
typedef struct _SockInfo
Reported by FlawFinder.
Line: 394
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* This gets called whenever data is received from the fifo */
static void fifo_cb(GlobalInfo* g, int revents)
{
char s[1024];
long int rv = 0;
int n = 0;
do {
s[0]='\0';
Reported by FlawFinder.
Line: 431
Column: 12
CWE codes:
362
perror("mkfifo");
exit(1);
}
sockfd = open(fifo, O_RDWR | O_NONBLOCK, 0);
if(sockfd == -1) {
perror("open");
exit(1);
}
Reported by FlawFinder.
Line: 225
Column: 9
CWE codes:
120
20
uint64_t count = 0;
ssize_t err = 0;
err = read(g->tfd, &count, sizeof(uint64_t));
if(err == -1) {
/* Note that we may call the timer callback even if the timerfd isn't
* readable. It's possible that there are multiple events stored in the
* epoll buffer (i.e. the timer may have fired multiple times). The
* event count is cleared after the first call so future events in the
Reported by FlawFinder.
Line: 400
Column: 10
CWE codes:
120
Suggestion:
Check that the limit is sufficiently small, or use a different input function
do {
s[0]='\0';
rv = fscanf(g->input, "%1023s%n", s, &n);
s[n]='\0';
if(n && s[0]) {
new_conn(s, g); /* if we read a URL, go get it! */
}
else
Reported by FlawFinder.
lib/base64.c
5 issues
Line: 184
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char **outptr, size_t *outlen)
{
CURLcode result;
unsigned char ibuf[3];
unsigned char obuf[4];
int i;
int inputparts;
char *output;
char *base64data;
Reported by FlawFinder.
Line: 185
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
CURLcode result;
unsigned char ibuf[3];
unsigned char obuf[4];
int i;
int inputparts;
char *output;
char *base64data;
char *convbuf = NULL;
Reported by FlawFinder.
Line: 121
Column: 12
CWE codes:
126
*outptr = NULL;
*outlen = 0;
srclen = strlen(src);
/* Check the length of the input string is valid */
if(!srclen || srclen % 4)
return CURLE_BAD_CONTENT_ENCODING;
Reported by FlawFinder.
Line: 198
Column: 14
CWE codes:
126
*outlen = 0;
if(!insize)
insize = strlen(indata);
#if SIZEOF_SIZE_T == 4
if(insize > UINT_MAX/4)
return CURLE_OUT_OF_MEMORY;
#endif
Reported by FlawFinder.
Line: 276
Column: 13
CWE codes:
126
free(convbuf);
/* Return the length of the new data */
*outlen = strlen(base64data);
return CURLE_OK;
}
/*
Reported by FlawFinder.
packages/vms/curl_crtl_init.c
5 issues
Line: 201
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void set_features(void)
{
int status;
char unix_shell_name[255];
int use_unix_settings = 1;
status = sys_trnlnm("GNV$UNIX_SHELL",
unix_shell_name, sizeof unix_shell_name -1);
if (!$VMS_STATUS_SUCCESS(status)) {
Reported by FlawFinder.
Line: 124
Column: 29
CWE codes:
126
itlst[1].buflen = 0;
itlst[1].itmcode = 0;
name_dsc.dsc$w_length = strlen(logname);
name_dsc.dsc$a_pointer = (char *)logname;
name_dsc.dsc$b_dtype = DSC$K_DTYPE_T;
name_dsc.dsc$b_class = DSC$K_CLASS_S;
status = SYS$TRNLNM(&attr, &table_dsc, &name_dsc, 0, itlst);
Reported by FlawFinder.
Line: 153
Column: 35
CWE codes:
126
struct itmlst_3 item_list[2];
proc_table_dsc.dsc$a_pointer = (char *) proc_table;
proc_table_dsc.dsc$w_length = strlen(proc_table);
proc_table_dsc.dsc$b_dtype = DSC$K_DTYPE_T;
proc_table_dsc.dsc$b_class = DSC$K_CLASS_S;
logname_dsc.dsc$a_pointer = (char *) logname;
logname_dsc.dsc$w_length = strlen(logname);
Reported by FlawFinder.
Line: 158
Column: 32
CWE codes:
126
proc_table_dsc.dsc$b_class = DSC$K_CLASS_S;
logname_dsc.dsc$a_pointer = (char *) logname;
logname_dsc.dsc$w_length = strlen(logname);
logname_dsc.dsc$b_dtype = DSC$K_DTYPE_T;
logname_dsc.dsc$b_class = DSC$K_CLASS_S;
item_list[0].buflen = strlen(value);
item_list[0].itmcode = LNM$_STRING;
Reported by FlawFinder.
Line: 162
Column: 27
CWE codes:
126
logname_dsc.dsc$b_dtype = DSC$K_DTYPE_T;
logname_dsc.dsc$b_class = DSC$K_CLASS_S;
item_list[0].buflen = strlen(value);
item_list[0].itmcode = LNM$_STRING;
item_list[0].bufadr = (char *)value;
item_list[0].retlen = NULL;
item_list[1].buflen = 0;
Reported by FlawFinder.
lib/strdup.c
5 issues
Line: 119
CWE codes:
415
void *datap = realloc(ptr, size);
if(size && !datap)
/* only free 'ptr' if size was non-zero */
free(ptr);
return datap;
}
Reported by Cppcheck.
Line: 52
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if(!newstr)
return (char *)NULL;
memcpy(newstr, str, len);
return newstr;
}
#endif
#ifdef WIN32
Reported by FlawFinder.
Line: 95
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if(!buffer)
return NULL; /* fail */
memcpy(buffer, src, length);
return buffer;
}
/***************************************************************************
Reported by FlawFinder.
Line: 46
Column: 9
CWE codes:
126
if(!str)
return (char *)NULL;
len = strlen(str) + 1;
newstr = malloc(len);
if(!newstr)
return (char *)NULL;
Reported by FlawFinder.
Line: 70
Column: 19
CWE codes:
126
***************************************************************************/
wchar_t *Curl_wcsdup(const wchar_t *src)
{
size_t length = wcslen(src);
if(length > (SIZE_T_MAX / sizeof(wchar_t)) - 1)
return (wchar_t *)NULL; /* integer overflow */
return (wchar_t *)Curl_memdup(src, (length + 1) * sizeof(wchar_t));
Reported by FlawFinder.
docs/examples/curlx.c
5 issues
Line: 332
Column: 17
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
}
else if(strcmp(*args, "-envpass") == 0) {
if(args[1]) {
p.pst = getenv(*(++args));
}
else
badarg = 1;
}
else if(strcmp(*args, "-connect") == 0) {
Reported by FlawFinder.
Line: 157
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if(!ia5 || !ia5->length)
return NULL;
tmp = OPENSSL_malloc(ia5->length + 1);
memcpy(tmp, ia5->data, ia5->length);
tmp[ia5->length] = 0;
return tmp;
}
/* A convenience routine to get an access URI. */
Reported by FlawFinder.
Line: 452
Column: 18
CWE codes:
126
/* determine URL to go */
if(hostporturl) {
size_t len = strlen(hostporturl) + 9;
serverurl = malloc(len);
snprintf(serverurl, len, "https://%s", hostporturl);
}
else if(p.accesstype) { /* see whether we can find an AIA or SIA for a
given access type */
Reported by FlawFinder.
Line: 495
Column: 29
CWE codes:
126
/* pass our list of custom made headers */
contenttype = malloc(15 + strlen(mimetype));
snprintf(contenttype, 15 + strlen(mimetype), "Content-type: %s", mimetype);
headers = curl_slist_append(headers, contenttype);
curl_easy_setopt(p.curl, CURLOPT_HTTPHEADER, headers);
if(p.verbose)
Reported by FlawFinder.
Line: 496
Column: 30
CWE codes:
126
/* pass our list of custom made headers */
contenttype = malloc(15 + strlen(mimetype));
snprintf(contenttype, 15 + strlen(mimetype), "Content-type: %s", mimetype);
headers = curl_slist_append(headers, contenttype);
curl_easy_setopt(p.curl, CURLOPT_HTTPHEADER, headers);
if(p.verbose)
BIO_printf(p.errorbio, "Service URL: <%s>\n", serverurl);
Reported by FlawFinder.
lib/formdata.c
5 issues
Line: 725
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
NULL, MIMESTRATEGY_FORM);
while(!result) {
char buffer[8192];
size_t nread = Curl_mime_read(buffer, 1, sizeof(buffer), &toppart);
if(!nread)
break;
Reported by FlawFinder.
Line: 785
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
zname = malloc(len + 1);
if(!zname)
return CURLE_OUT_OF_MEMORY;
memcpy(zname, name, len);
zname[len] = '\0';
res = curl_mime_name(part, zname);
free(zname);
return res;
}
Reported by FlawFinder.
Line: 83
Column: 59
CWE codes:
126
post = calloc(1, sizeof(struct curl_httppost));
if(post) {
post->name = name;
post->namelength = (long)(name?(namelength?namelength:strlen(name)):0);
post->contents = value;
post->contentlen = contentslength;
post->buffer = buffer;
post->bufferlength = (long)bufferlength;
post->contenttype = contenttype;
Reported by FlawFinder.
Line: 608
Column: 36
CWE codes:
126
/* copy name (without strdup; possibly not null-terminated) */
form->name = Curl_memdup(form->name, form->namelength?
form->namelength:
strlen(form->name) + 1);
}
if(!form->name) {
return_value = CURL_FORMADD_MEMORY;
break;
}
Reported by FlawFinder.
Line: 622
Column: 18
CWE codes:
126
/* copy value (without strdup; possibly contains null characters) */
size_t clen = (size_t) form->contentslength;
if(!clen)
clen = strlen(form->value) + 1;
form->value = Curl_memdup(form->value, clen);
if(!form->value) {
return_value = CURL_FORMADD_MEMORY;
Reported by FlawFinder.
lib/rtsp.c
5 issues
Line: 624
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return CURLE_OUT_OF_MEMORY;
}
rtspc->rtp_buf = newptr;
memcpy(rtspc->rtp_buf + rtspc->rtp_bufsize, k->str, *nread);
rtspc->rtp_bufsize += *nread;
rtp = rtspc->rtp_buf;
rtp_dataleft = rtspc->rtp_bufsize;
}
else {
Reported by FlawFinder.
Line: 696
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rtspc->rtp_bufsize = 0;
return CURLE_OUT_OF_MEMORY;
}
memcpy(scratch, rtp, rtp_dataleft);
Curl_safefree(rtspc->rtp_buf);
rtspc->rtp_buf = scratch;
rtspc->rtp_bufsize = rtp_dataleft;
/* As far as the transfer is concerned, this data is consumed */
Reported by FlawFinder.
Line: 830
Column: 7
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
data->set.str[STRING_RTSP_SESSION_ID] = malloc(idlen + 1);
if(!data->set.str[STRING_RTSP_SESSION_ID])
return CURLE_OUT_OF_MEMORY;
memcpy(data->set.str[STRING_RTSP_SESSION_ID], start, idlen);
(data->set.str[STRING_RTSP_SESSION_ID])[idlen] = '\0';
}
}
return CURLE_OK;
}
Reported by FlawFinder.
Line: 519
Column: 44
CWE codes:
126
else {
postsize = (data->state.infilesize != -1)?
data->state.infilesize:
(data->set.postfields? (curl_off_t)strlen(data->set.postfields):0);
data->state.httpreq = HTTPREQ_POST;
}
if(putsize > 0 || postsize > 0) {
/* As stated in the http comments, it is probably not wise to
Reported by FlawFinder.
Line: 814
Column: 10
CWE codes:
126
if(data->set.str[STRING_RTSP_SESSION_ID]) {
/* If the Session ID is set, then compare */
if(strlen(data->set.str[STRING_RTSP_SESSION_ID]) != idlen ||
strncmp(start, data->set.str[STRING_RTSP_SESSION_ID], idlen) != 0) {
failf(data, "Got RTSP Session ID Line [%s], but wanted ID [%s]",
start, data->set.str[STRING_RTSP_SESSION_ID]);
return CURLE_RTSP_SESSION_ERROR;
}
Reported by FlawFinder.
lib/progress.c
5 issues
Line: 42
Column: 5
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
{
curl_off_t h;
if(seconds <= 0) {
strcpy(r, "--:--:--");
return;
}
h = seconds / CURL_OFF_T_C(3600);
if(h <= CURL_OFF_T_C(99)) {
curl_off_t m = (seconds - (h*CURL_OFF_T_C(3600))) / CURL_OFF_T_C(60);
Reported by FlawFinder.
Line: 458
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#ifndef CURL_DISABLE_PROGRESS_METER
static void progress_meter(struct Curl_easy *data)
{
char max5[6][10];
curl_off_t dlpercen = 0;
curl_off_t ulpercen = 0;
curl_off_t total_percen = 0;
curl_off_t total_transfer;
curl_off_t total_expected_transfer;
Reported by FlawFinder.
Line: 464
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
curl_off_t total_percen = 0;
curl_off_t total_transfer;
curl_off_t total_expected_transfer;
char time_left[10];
char time_total[10];
char time_spent[10];
curl_off_t ulestimate = 0;
curl_off_t dlestimate = 0;
curl_off_t total_estimate;
Reported by FlawFinder.
Line: 465
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
curl_off_t total_transfer;
curl_off_t total_expected_transfer;
char time_left[10];
char time_total[10];
char time_spent[10];
curl_off_t ulestimate = 0;
curl_off_t dlestimate = 0;
curl_off_t total_estimate;
curl_off_t timespent =
Reported by FlawFinder.
Line: 466
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
curl_off_t total_expected_transfer;
char time_left[10];
char time_total[10];
char time_spent[10];
curl_off_t ulestimate = 0;
curl_off_t dlestimate = 0;
curl_off_t total_estimate;
curl_off_t timespent =
(curl_off_t)data->progress.timespent/1000000; /* seconds */
Reported by FlawFinder.
src/tool_main.c
5 issues
Line: 117
Column: 5
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
char fname[CURL_MT_LOGFNAME_BUFSIZE];
if(strlen(env) >= CURL_MT_LOGFNAME_BUFSIZE)
env[CURL_MT_LOGFNAME_BUFSIZE-1] = '\0';
strcpy(fname, env);
curl_free(env);
curl_dbg_memdebug(fname);
/* this weird stuff here is to make curl_free() get called before
curl_gdb_memdebug() as otherwise memory tracking will log a free()
without an alloc! */
Reported by FlawFinder.
Line: 283
Column: 6
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
}
#ifdef __NOVELL_LIBC__
if(getenv("_IN_NETWARE_BASH_") == NULL)
tool_pressanykey();
#endif
#ifdef __VMS
vms_special_exit(result, vms_show);
Reported by FlawFinder.
Line: 114
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
env = curlx_getenv("CURL_MEMDEBUG");
if(env) {
/* use the value as file name */
char fname[CURL_MT_LOGFNAME_BUFSIZE];
if(strlen(env) >= CURL_MT_LOGFNAME_BUFSIZE)
env[CURL_MT_LOGFNAME_BUFSIZE-1] = '\0';
strcpy(fname, env);
curl_free(env);
curl_dbg_memdebug(fname);
Reported by FlawFinder.
Line: 115
Column: 8
CWE codes:
126
if(env) {
/* use the value as file name */
char fname[CURL_MT_LOGFNAME_BUFSIZE];
if(strlen(env) >= CURL_MT_LOGFNAME_BUFSIZE)
env[CURL_MT_LOGFNAME_BUFSIZE-1] = '\0';
strcpy(fname, env);
curl_free(env);
curl_dbg_memdebug(fname);
/* this weird stuff here is to make curl_free() get called before
Reported by FlawFinder.
Line: 129
Column: 44
CWE codes:
126
if(env) {
char *endptr;
long num = strtol(env, &endptr, 10);
if((endptr != env) && (endptr == env + strlen(env)) && (num > 0))
curl_dbg_memlimit(num);
curl_free(env);
}
}
#else
Reported by FlawFinder.