The following issues were found

docs/examples/href_extractor.c
2 issues
char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 42 Column: 35 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length 

              {
  size_t realsize = size * nmemb, p;
  for(p = 0; p < realsize; p++) {
    html_parser_char_parse(hsp, ((char *)buffer)[p]);
    if(html_parser_cmp_tag(hsp, "a", 1))
      if(html_parser_cmp_attr(hsp, "href", 4))
        if(html_parser_is_in(hsp, HTML_VALUE_ENDED)) {
          html_parser_val(hsp)[html_parser_val_length(hsp)] = '\0';
          printf("%s\n", html_parser_val(hsp));

Reported by FlawFinder.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 55 Column: 3 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length 

              
int main(int argc, char *argv[])
{
  char tag[1], attr[4], val[128];
  CURL *curl;
  HTMLSTREAMPARSER *hsp;

  if(argc != 2) {
    printf("Usage: %s URL\n", argv[0]);

Reported by FlawFinder.

docs/examples/ghiper.c
2 issues
char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 82 Column: 3 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length 

                CURL *easy;
  char *url;
  GlobalInfo *global;
  char error[CURL_ERROR_SIZE];
} ConnInfo;

/* Information associated with a specific socket */
typedef struct _SockInfo {
  curl_socket_t sockfd;

Reported by FlawFinder.

open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 401 Column: 12 CWE codes: 362 

                  exit(1);
  }

  socket = open(fifo, O_RDWR | O_NONBLOCK, 0);

  if(socket == -1) {
    perror("open");
    exit(1);
  }

Reported by FlawFinder.

src/tool_homedir.c
2 issues
curl_getenv - Environment variables are untrustable input if they can be set by an attacker. They can have any content and length, and the same variable can be set more than once
Security

Line: 46 Column: 9 CWE codes: 807 20
Suggestion: Check environment variables carefully before using them 

              {
  char *dupe, *env;

  env = curl_getenv(variable);
  if(!env)
    return NULL;

  dupe = strdup(env);
  curl_free(env);

Reported by FlawFinder.

open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 89 Column: 18 CWE codes: 362 

                  if(home) {
      char *c = curl_maprintf("%s" DIR_CHAR "%s", home, fname);
      if(c) {
        int fd = open(c, O_RDONLY);
        curl_free(c);
        if(fd >= 0) {
          close(fd);
          return home;
        }

Reported by FlawFinder.

lib/c-hyper.c
2 issues
strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 490 Column: 46 CWE codes: 126 

                                    h2?"2":"1.1");
  if(!req)
    return CURLE_OUT_OF_MEMORY;
  Curl_debug(data, CURLINFO_HEADER_OUT, req, strlen(req));
  free(req);
  return CURLE_OK;
}

/*

Reported by FlawFinder.

strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 860 Column: 55 CWE codes: 126 

                  }
  }

  if(hyper_request_set_method(req, (uint8_t *)method, strlen(method))) {
    failf(data, "error setting method");
    goto error;
  }

  result = request_target(data, conn, method, h2, req);

Reported by FlawFinder.

tests/libtest/lib510.c
2 issues
memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 55 Column: 5 CWE codes: 120
Suggestion: Make sure destination can always hold the source data 

                    fprintf(stderr, "read buffer is too small to run test\n");
      return 0;
    }
    memcpy(ptr, data, len);
    pooh->counter++; /* advance pointer */
    return len;
  }
  return 0;                         /* no more data left to deliver */
}

Reported by FlawFinder.

strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 50 Column: 18 CWE codes: 126 

                data = post[pooh->counter];

  if(data) {
    size_t len = strlen(data);
    if(size*nmemb < len) {
      fprintf(stderr, "read buffer is too small to run test\n");
      return 0;
    }
    memcpy(ptr, data, len);

Reported by FlawFinder.

docs/examples/ftpuploadfrommem.c
2 issues
memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 58 Column: 5 CWE codes: 120
Suggestion: Make sure destination can always hold the source data 

                  size_t copylen = max;
    if(copylen > upload->sizeleft)
      copylen = upload->sizeleft;
    memcpy(ptr, upload->readptr, copylen);
    upload->readptr += copylen;
    upload->sizeleft -= copylen;
    return copylen;
  }

Reported by FlawFinder.

strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 75 Column: 21 CWE codes: 126 

                struct WriteThis upload;

  upload.readptr = data;
  upload.sizeleft = strlen(data);

  /* In windows, this will init the winsock stuff */
  res = curl_global_init(CURL_GLOBAL_DEFAULT);
  /* Check for errors */
  if(res != CURLE_OK) {

Reported by FlawFinder.

docs/examples/smtp-multi.c
2 issues
memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 74 Column: 5 CWE codes: 120
Suggestion: Make sure destination can always hold the source data 

                  size_t len = strlen(data);
    if(room < len)
      len = room;
    memcpy(ptr, data, len);
    upload_ctx->bytes_read += len;

    return len;
  }

Reported by FlawFinder.

strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 71 Column: 18 CWE codes: 126 

                data = &payload_text[upload_ctx->bytes_read];

  if(data) {
    size_t len = strlen(data);
    if(room < len)
      len = room;
    memcpy(ptr, data, len);
    upload_ctx->bytes_read += len;

Reported by FlawFinder.

docs/examples/ftpgetresp.c
2 issues
fopen - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 49 Column: 13 CWE codes: 362 

                FILE *respfile;

  /* local file name to store the file as */
  ftpfile = fopen(FTPBODY, "wb"); /* b is binary, needed on win32 */

  /* local file name to store the FTP server's response lines in */
  respfile = fopen(FTPHEADERS, "wb"); /* b is binary, needed on win32 */

  curl = curl_easy_init();

Reported by FlawFinder.

fopen - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 52 Column: 14 CWE codes: 362 

                ftpfile = fopen(FTPBODY, "wb"); /* b is binary, needed on win32 */

  /* local file name to store the FTP server's response lines in */
  respfile = fopen(FTPHEADERS, "wb"); /* b is binary, needed on win32 */

  curl = curl_easy_init();
  if(curl) {
    /* Get a file listing from sunet */
    curl_easy_setopt(curl, CURLOPT_URL, "ftp://ftp.example.com/");

Reported by FlawFinder.

docs/examples/sepheaders.c
2 issues
fopen - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 61 Column: 16 CWE codes: 362 

                curl_easy_setopt(curl_handle, CURLOPT_WRITEFUNCTION, write_data);

  /* open the header file */
  headerfile = fopen(headerfilename, "wb");
  if(!headerfile) {
    curl_easy_cleanup(curl_handle);
    return -1;
  }

Reported by FlawFinder.

fopen - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 68 Column: 14 CWE codes: 362 

                }

  /* open the body file */
  bodyfile = fopen(bodyfilename, "wb");
  if(!bodyfile) {
    curl_easy_cleanup(curl_handle);
    fclose(headerfile);
    return -1;
  }

Reported by FlawFinder.

tests/unit/unit1305.c
2 issues
memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 92 Column: 3 CWE codes: 120
Suggestion: Make sure destination can always hold the source data 

                ai->ai_addr = (void *)((char *)ai + sizeof(struct Curl_addrinfo));
  ai->ai_canonname = (void *)((char *)ai->ai_addr +
                              sizeof(struct sockaddr_in));
  memcpy(ai->ai_canonname, dummy, namelen);

  ai->ai_family = AF_INET;
  ai->ai_addrlen = sizeof(struct sockaddr_in);

  return ai;

Reported by FlawFinder.

strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 127 Column: 15 CWE codes: 126 

                if(strcmp(arg, "1305") != 0) {
    CURLcode rc = create_node();
    abort_unless(rc == CURLE_OK, "data node creation failed");
    key_len = strlen(data_key);

    data_node->inuse = 1; /* hash will hold the reference */
    nodep = Curl_hash_add(&hp, data_key, key_len + 1, data_node);
    abort_unless(nodep, "insertion into hash failed");
    /* Freeing will now be done by Curl_hash_destroy */

Reported by FlawFinder.