The following issues were found

docs/examples/smtp-tls.c
2 issues
memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 78 Column: 5 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

    size_t len = strlen(data);
    if(room < len)
      len = room;
    memcpy(ptr, data, len);
    upload_ctx->bytes_read += len;

    return len;
  }


Reported by FlawFinder.

strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 75 Column: 18 CWE codes: 126

  data = &payload_text[upload_ctx->bytes_read];

  if(data) {
    size_t len = strlen(data);
    if(room < len)
      len = room;
    memcpy(ptr, data, len);
    upload_ctx->bytes_read += len;


Reported by FlawFinder.

src/tool_cb_dbg.c
2 issues
char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 53 Column: 3 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

  FILE *output = config->errors;
  const char *text;
  struct timeval tv;
  char timebuf[20];
  time_t secs;

  (void)handle; /* not used */

  if(config->tracetime) {


Reported by FlawFinder.

fopen - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 84 Column: 30 CWE codes: 362

      /* Ok, this is somewhat hackish but we do it undocumented for now */
      config->trace_stream = config->errors;  /* aka stderr */
    else {
      config->trace_stream = fopen(config->trace_dump, FOPEN_WRITETEXT);
      config->trace_fopened = TRUE;
    }
  }

  if(config->trace_stream)


Reported by FlawFinder.

src/tool_writeout.c
2 issues
fprintf - If format strings can be influenced by an attacker, they can be exploited
Security

Line: 145 Column: 5 CWE codes: 134
Suggestion: Use a constant for the format specification

    if(use_json)
      fprintf(stream, "\"%s\":", wovar->name);

    fprintf(stream, "%" CURL_FORMAT_CURL_OFF_TU
            ".%06" CURL_FORMAT_CURL_OFF_TU, secs, us);
  }
  else {
    if(use_json)
      fprintf(stream, "\"%s\":null", wovar->name);


Reported by FlawFinder.

fprintf - If format strings can be influenced by an attacker, they can be exploited
Security

Line: 301 Column: 5 CWE codes: 134
Suggestion: Use a constant for the format specification

    if(use_json)
      fprintf(stream, "\"%s\":", wovar->name);

    fprintf(stream, "%" CURL_FORMAT_CURL_OFF_T, offinfo);
  }
  else {
    if(use_json)
      fprintf(stream, "\"%s\":null", wovar->name);
  }


Reported by FlawFinder.

tests/libtest/sethostname.c
2 issues
getenv - Environment variables are untrustable input if they can be set by an attacker. They can have any content and length, and the same variable can be set more than once
Security

Line: 32 Column: 32 CWE codes: 807 20
Suggestion: Check environment variables carefully before using them

int gethostname(char *name, GETHOSTNAME_TYPE_ARG2 namelen)
{
  const char *force_hostname = getenv("CURL_GETHOSTNAME");
  if(force_hostname) {
    strncpy(name, force_hostname, namelen);
    name[namelen-1] = '\0';
    return 0;
  }


Reported by FlawFinder.

strncpy - Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned]
Security

Line: 34 Column: 5 CWE codes: 120

{
  const char *force_hostname = getenv("CURL_GETHOSTNAME");
  if(force_hostname) {
    strncpy(name, force_hostname, namelen);
    name[namelen-1] = '\0';
    return 0;
  }

  /* LD_PRELOAD used, but no hostname set, we'll just return a failure */


Reported by FlawFinder.

docs/examples/multi-event.c
2 issues
char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 66 Column: 3 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

static void add_download(const char *url, int num)
{
  char filename[50];
  FILE *file;
  CURL *handle;

  snprintf(filename, 50, "%d.download", num);


Reported by FlawFinder.

fopen - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 72 Column: 10 CWE codes: 362

  snprintf(filename, 50, "%d.download", num);

  file = fopen(filename, "wb");
  if(!file) {
    fprintf(stderr, "Error opening %s\n", filename);
    return;
  }


Reported by FlawFinder.

tests/unit/unit1398.c
2 issues
char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 32 Column: 1 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

UNITTEST_START

int rc;
char buf[3] = {'b', 'u', 'g'};
const char *str = "bug";
int width = 3;
char output[24];

/*#define curl_msnprintf snprintf */


Reported by FlawFinder.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 35 Column: 1 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

char buf[3] = {'b', 'u', 'g'};
const char *str = "bug";
int width = 3;
char output[24];

/*#define curl_msnprintf snprintf */

/* without a trailing zero */
rc = curl_msnprintf(output, 4, "%.*s", width, buf);


Reported by FlawFinder.

tests/libtest/lib1911.c
2 issues
char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 32 Column: 8 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

   define not publicly exposed so we set our own */
#define MAX_INPUT_LENGTH 8000000

static char buffer[MAX_INPUT_LENGTH + 2];

int test(char *URL)
{
  const struct curl_easyoption *o;
  CURL *easy;


Reported by FlawFinder.

strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 52 Column: 38 CWE codes: 126

  memset(buffer, 'A', MAX_INPUT_LENGTH + 1);
  buffer[MAX_INPUT_LENGTH + 1] = 0;

  printf("string length: %d\n", (int)strlen(buffer));

  for(o = curl_easy_option_next(NULL);
      o;
      o = curl_easy_option_next(o)) {
    if(o->type == CURLOT_STRING) {


Reported by FlawFinder.

lib/getenv.c
2 issues
getenv - Environment variables are untrustable input if they can be set by an attacker. They can have any content and length, and the same variable can be set more than once
Security

Line: 69 Column: 15 CWE codes: 807 20
Suggestion: Check environment variables carefully before using them

    /* else rc is bytes needed, try again */
  }
#else
  char *env = getenv(variable);
  return (env && env[0])?strdup(env):NULL;
#endif
}

char *curl_getenv(const char *v)


Reported by FlawFinder.

curl_getenv - Environment variables are untrustable input if they can be set by an attacker. They can have any content and length, and the same variable can be set more than once
Security

Line: 74 Column: 7 CWE codes: 807 20
Suggestion: Check environment variables carefully before using them

#endif
}

char *curl_getenv(const char *v)
{
  return GetEnv(v);
}


Reported by FlawFinder.

docs/examples/smtp-ssl.c
2 issues
memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 78 Column: 5 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

    size_t len = strlen(data);
    if(room < len)
      len = room;
    memcpy(ptr, data, len);
    upload_ctx->bytes_read += len;

    return len;
  }


Reported by FlawFinder.

strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 75 Column: 18 CWE codes: 126

  data = &payload_text[upload_ctx->bytes_read];

  if(data) {
    size_t len = strlen(data);
    if(room < len)
      len = room;
    memcpy(ptr, data, len);
    upload_ctx->bytes_read += len;


Reported by FlawFinder.

docs/examples/htmltidy.c
2 issues
printf - If format strings can be influenced by an attacker, they can be exploited
Security

Line: 56 Column: 9 CWE codes: 134
Suggestion: Use a constant for the format specification

      printf("%*.*s%s ", indent, indent, "<", name);
      /* walk the attribute list */
      for(attr = tidyAttrFirst(child); attr; attr = tidyAttrNext(attr) ) {
        printf(tidyAttrName(attr));
        tidyAttrValue(attr)?printf("=\"%s\" ",
                                   tidyAttrValue(attr)):printf(" ");
      }
      printf(">\n");
    }


Reported by FlawFinder.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 79 Column: 5 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

{
  if(argc == 2) {
    CURL *curl;
    char curl_errbuf[CURL_ERROR_SIZE];
    TidyDoc tdoc;
    TidyBuffer docbuf = {0};
    TidyBuffer tidy_errbuf = {0};
    int err;


Reported by FlawFinder.