The following issues were found

docs/examples/smtp-authzid.c
2 issues
memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 84 Column: 5 CWE codes: 120
Suggestion: Make sure destination can always hold the source data 

                  size_t len = strlen(data);
    if(room < len)
      len = room;
    memcpy(ptr, data, len);
    upload_ctx->bytes_read += len;

    return len;
  }

Reported by FlawFinder.

strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 81 Column: 18 CWE codes: 126 

                data = &payload_text[upload_ctx->bytes_read];

  if(data) {
    size_t len = strlen(data);
    if(room < len)
      len = room;
    memcpy(ptr, data, len);
    upload_ctx->bytes_read += len;

Reported by FlawFinder.

tests/libtest/lib643.c
2 issues
strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 93 Column: 26 CWE codes: 126 

              
  pooh.readptr = data;
#ifndef LIB645
  datasize = (curl_off_t)strlen(data);
#endif
  pooh.sizeleft = datasize;

  curl = curl_easy_init();
  if(!curl) {

Reported by FlawFinder.

strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 148 Column: 26 CWE codes: 126 

              
  pooh2.readptr = data;
#ifndef LIB645
  datasize = (curl_off_t)strlen(data);
#endif
  pooh2.sizeleft = datasize;

  part = curl_mime_addpart(mime);
  if(!part) {

Reported by FlawFinder.

include/curl/curl.h
2 issues
curl_getenv - Environment variables are untrustable input if they can be set by an attacker. They can have any content and length, and the same variable can be set more than once
Security

Line: 2506 Column: 19 CWE codes: 807 20
Suggestion: Check environment variables carefully before using them 

               * Returns a malloc()'ed string that MUST be curl_free()ed after usage is
 * complete. DEPRECATED - see lib/README.curlx
 */
CURL_EXTERN char *curl_getenv(const char *variable);

/*
 * NAME curl_version()
 *
 * DESCRIPTION

Reported by FlawFinder.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 973 Column: 3 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length 

                char *name;
  size_t namelen;
  unsigned int includeSubDomains:1;
  char expire[18]; /* YYYYMMDD HH:MM:SS [null-terminated] */
};

struct curl_index {
  size_t index; /* the provided entry's "index" or count */
  size_t total; /* total number of entries to save */

Reported by FlawFinder.

packages/vms/report_openssl_version.c
2 issues
strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 84 Column: 33 CWE codes: 126 

                    const unsigned long table_type = LIB$K_CLI_LOCAL_SYM;

      symbol_dsc.dsc$a_pointer = argv[2];
      symbol_dsc.dsc$w_length = strlen(argv[2]);
      symbol_dsc.dsc$b_dtype = DSC$K_DTYPE_T;
      symbol_dsc.dsc$b_class = DSC$K_CLASS_S;

      value_dsc.dsc$a_pointer = (char *)version; /* Cast ok */
      value_dsc.dsc$w_length = strlen(version);

Reported by FlawFinder.

strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 89 Column: 32 CWE codes: 126 

                    symbol_dsc.dsc$b_class = DSC$K_CLASS_S;

      value_dsc.dsc$a_pointer = (char *)version; /* Cast ok */
      value_dsc.dsc$w_length = strlen(version);
      value_dsc.dsc$b_dtype = DSC$K_DTYPE_T;
      value_dsc.dsc$b_class = DSC$K_CLASS_S;

      status = LIB$SET_SYMBOL(&symbol_dsc, &value_dsc, &table_type);
      if (!$VMS_STATUS_SUCCESS(status)) {

Reported by FlawFinder.

lib/warnless.h
2 issues
read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 75 Column: 11 CWE codes: 120 20 

              ssize_t curlx_write(int fd, const void *buf, size_t count);

#ifndef BUILDING_WARNLESS_C
#  undef  read
#  define read(fd, buf, count)  curlx_read(fd, buf, count)
#  undef  write
#  define write(fd, buf, count) curlx_write(fd, buf, count)
#endif

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 76 Column: 11 CWE codes: 120 20 

              
#ifndef BUILDING_WARNLESS_C
#  undef  read
#  define read(fd, buf, count)  curlx_read(fd, buf, count)
#  undef  write
#  define write(fd, buf, count) curlx_write(fd, buf, count)
#endif

#endif /* WIN32 || _WIN32 */

Reported by FlawFinder.

tests/libtest/lib1541.c
2 issues
access - This usually indicates a security flaw. If an attacker can change anything along the path between the call to access() and the file's actual use (e.g., by moving files), the attacker can exploit the race condition
Security

Line: 56 Column: 38 CWE codes: 362/367!
Suggestion: Set up the correct permissions (e.g., using setuid()) and try to open the file directly 

              }

static void lock_cb(CURL *handle, curl_lock_data data,
                    curl_lock_access access, void *userptr)
{
  (void)access; /* unused */
  (void)userptr; /* unused */
  (void)handle; /* unused */
  (void)data; /* unused */

Reported by FlawFinder.

access - This usually indicates a security flaw. If an attacker can change anything along the path between the call to access() and the file's actual use (e.g., by moving files), the attacker can exploit the race condition
Security

Line: 58 Column: 9 CWE codes: 362/367!
Suggestion: Set up the correct permissions (e.g., using setuid()) and try to open the file directly 

              static void lock_cb(CURL *handle, curl_lock_data data,
                    curl_lock_access access, void *userptr)
{
  (void)access; /* unused */
  (void)userptr; /* unused */
  (void)handle; /* unused */
  (void)data; /* unused */
  pthread_mutex_lock(&connlock);
}

Reported by FlawFinder.

lib/curl_fnmatch.c
2 issues
char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 76 Column: 3 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length 

              {
  parsekey_state state = CURLFNM_PKW_INIT;
#define KEYLEN 10
  char keyword[KEYLEN] = { 0 };
  int found = FALSE;
  int i;
  unsigned char *p = *pattern;
  for(i = 0; !found; i++) {
    char c = *p++;

Reported by FlawFinder.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 260 Column: 12 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length 

              {
  unsigned char *p = (unsigned char *)pattern;
  unsigned char *s = (unsigned char *)string;
  unsigned char charset[CURLFNM_CHSET_SIZE] = { 0 };

  for(;;) {
    unsigned char *pp;

    switch(*p) {

Reported by FlawFinder.

docs/examples/simplessl.c
2 issues
Resource leak: headerfile
Error

Line: 140 CWE codes: 775 

              
  curl_global_cleanup();

  return 0;
}

Reported by Cppcheck.

fopen - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 74 Column: 16 CWE codes: 362 

                pEngine   = NULL;
#endif

  headerfile = fopen(pHeaderFile, "wb");

  curl_global_init(CURL_GLOBAL_DEFAULT);

  curl = curl_easy_init();
  if(curl) {

Reported by FlawFinder.

docs/examples/multi-uv.c
2 issues
char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 76 Column: 3 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length 

              
static void add_download(const char *url, int num)
{
  char filename[50];
  FILE *file;
  CURL *handle;

  snprintf(filename, 50, "%d.download", num);

Reported by FlawFinder.

fopen - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 82 Column: 10 CWE codes: 362 

              
  snprintf(filename, 50, "%d.download", num);

  file = fopen(filename, "wb");
  if(!file) {
    fprintf(stderr, "Error opening %s\n", filename);
    return;
  }

Reported by FlawFinder.

src/tool_strdup.c
2 issues
memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 39 Column: 3 CWE codes: 120
Suggestion: Make sure destination can always hold the source data 

                if(!newstr)
    return (char *)NULL;

  memcpy(newstr, str, len);
  return newstr;
}
#endif

Reported by FlawFinder.

strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 33 Column: 9 CWE codes: 126 

                if(!str)
    return (char *)NULL;

  len = strlen(str) + 1;

  newstr = malloc(len);
  if(!newstr)
    return (char *)NULL;

Reported by FlawFinder.