The following issues were found

java/com/google/scrollview/ui/SVAbstractMenuItem.java
4 issues
This abstract class does not have any abstract methods
Design

Line: 27

              import javax.swing.JMenu;
import javax.swing.JMenuItem;

abstract class SVAbstractMenuItem {
  JMenuItem mi;
  public String name;
  public int id;

  /**

            

Reported by PMD.

Found non-transient, non-static member. Please mark as transient or provide accessors.
Error

Line: 28

              import javax.swing.JMenuItem;

abstract class SVAbstractMenuItem {
  JMenuItem mi;
  public String name;
  public int id;

  /**
   * Sets the basic attributes for name, id and the corresponding swing item

            

Reported by PMD.

Found non-transient, non-static member. Please mark as transient or provide accessors.
Error

Line: 29

              
abstract class SVAbstractMenuItem {
  JMenuItem mi;
  public String name;
  public int id;

  /**
   * Sets the basic attributes for name, id and the corresponding swing item
   */

            

Reported by PMD.

Found non-transient, non-static member. Please mark as transient or provide accessors.
Error

Line: 30

              abstract class SVAbstractMenuItem {
  JMenuItem mi;
  public String name;
  public int id;

  /**
   * Sets the basic attributes for name, id and the corresponding swing item
   */
  SVAbstractMenuItem(int id, String name, JMenuItem jmi) {

            

Reported by PMD.

src/dict/trie.cpp
4 issues
char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 286 Column: 3 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

              
bool Trie::read_word_list(const char *filename, std::vector<std::string> *words) {
  FILE *word_file;
  char line_str[CHARS_PER_LINE];
  int word_count = 0;

  word_file = fopen(filename, "rb");
  if (word_file == nullptr) {
    return false;

            

Reported by FlawFinder.

fopen - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 289 Column: 15 CWE codes: 362

                char line_str[CHARS_PER_LINE];
  int word_count = 0;

  word_file = fopen(filename, "rb");
  if (word_file == nullptr) {
    return false;
  }

  while (fgets(line_str, sizeof(line_str), word_file) != nullptr) {

            

Reported by FlawFinder.

fopen - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 396 Column: 24 CWE codes: 362

                  return false;
  }

  FILE *pattern_file = fopen(filename, "rb");
  if (pattern_file == nullptr) {
    tprintf("Error opening pattern file %s\n", filename);
    return false;
  }


            

Reported by FlawFinder.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 403 Column: 3 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

                }

  int pattern_count = 0;
  char string[CHARS_PER_LINE];
  while (fgets(string, CHARS_PER_LINE, pattern_file) != nullptr) {
    chomp_string(string); // remove newline
    // Parse the pattern and construct a unichar id vector.
    // Record the number of repetitions of each unichar in the parallel vector.
    WERD_CHOICE word(&unicharset);

            

Reported by FlawFinder.

src/training/common/commandlineflags.cpp
4 issues
strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 132 Column: 34 CWE codes: 126

              
static void PrintCommandLineFlags() {
  const char *kFlagNamePrefix = "FLAGS_";
  const int kFlagNamePrefixLen = strlen(kFlagNamePrefix);
  for (auto &param : GlobalParams()->int_params) {
    if (!strncmp(param->name_str(), kFlagNamePrefix, kFlagNamePrefixLen)) {
      printf("  --%s  %s  (type:int default:%d)\n",
             param->name_str() + kFlagNamePrefixLen,
             param->info_str(), int32_t(*param));

            

Reported by FlawFinder.

strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 223 Column: 14 CWE codes: 126

                  int32_t int_val;
    if (IntFlagExists(lhs.c_str(), &int_val)) {
      if (rhs != nullptr) {
        if (!strlen(rhs)) {
          // Bad input of the format --int_flag=
          tprintf("ERROR: Bad argument: %s\n", (*argv)[i]);
          exit(1);
        }
        if (!SafeAtoi(rhs, &int_val)) {

            

Reported by FlawFinder.

strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 253 Column: 14 CWE codes: 126

                  double double_val;
    if (DoubleFlagExists(lhs.c_str(), &double_val)) {
      if (rhs != nullptr) {
        if (!strlen(rhs)) {
          // Bad input of the format --double_flag=
          tprintf("ERROR: Bad argument: %s\n", (*argv)[i]);
          exit(1);
        }
        if (!SafeAtod(rhs, &double_val)) {

            

Reported by FlawFinder.

strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 287 Column: 14 CWE codes: 126

                      // --flag form
        bool_val = true;
      } else {
        if (!strlen(rhs)) {
          // Bad input of the format --bool_flag=
          tprintf("ERROR: Bad argument: %s\n", (*argv)[i]);
          exit(1);
        }
        if (!strcmp(rhs, "false") || !strcmp(rhs, "0")) {

            

Reported by FlawFinder.

src/api/capi.cpp
3 issues
fopen - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 192 Column: 14 CWE codes: 362

              }

BOOL TessBaseAPIPrintVariablesToFile(const TessBaseAPI *handle, const char *filename) {
  FILE *fp = fopen(filename, "w");
  if (fp != nullptr) {
    handle->PrintVariables(fp);
    fclose(fp);
    return TRUE;
  }

            

Reported by FlawFinder.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 238 Column: 20 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

              char **TessBaseAPIGetLoadedLanguagesAsVector(const TessBaseAPI *handle) {
  std::vector<std::string> languages;
  handle->GetLoadedLanguagesAsVector(&languages);
  char **arr = new char *[languages.size() + 1];
  for (auto &language : languages) {
    arr[&language - &languages[0]] = strdup(language.c_str());
  }
  arr[languages.size()] = nullptr;
  return arr;

            

Reported by FlawFinder.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 249 Column: 20 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

              char **TessBaseAPIGetAvailableLanguagesAsVector(const TessBaseAPI *handle) {
  std::vector<std::string> languages;
  handle->GetAvailableLanguagesAsVector(&languages);
  char **arr = new char *[languages.size() + 1];
  for (auto &language : languages) {
    arr[&language - &languages[0]] = strdup(language.c_str());
  }
  arr[languages.size()] = nullptr;
  return arr;

            

Reported by FlawFinder.

src/api/hocrrenderer.cpp
3 issues
strcpy - Does not check for buffer overflows when copying to destination [MS-banned]
Security

Line: 427 Column: 3 CWE codes: 120
Suggestion: Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)

              
  const std::string &text = hocr_str.str();
  char *result = new char[text.length() + 1];
  strcpy(result, text.c_str());
  return result;
}

/**********************************************************************
 * HOcr Text Renderer interface implementation

            

Reported by FlawFinder.

MultiByteToWideChar - Requires maximum length in CHARACTERS, not bytes
Security

Line: 150 Column: 19 CWE codes: 120

              
#ifdef _WIN32
  // convert input name from ANSI encoding to utf-8
  int str16_len = MultiByteToWideChar(CP_ACP, 0, input_file_.c_str(), -1, nullptr, 0);
  wchar_t *uni16_str = new WCHAR[str16_len];
  str16_len = MultiByteToWideChar(CP_ACP, 0, input_file_.c_str(), -1, uni16_str, str16_len);
  int utf8_len =
      WideCharToMultiByte(CP_UTF8, 0, uni16_str, str16_len, nullptr, 0, nullptr, nullptr);
  char *utf8_str = new char[utf8_len];

            

Reported by FlawFinder.

MultiByteToWideChar - Requires maximum length in CHARACTERS, not bytes
Security

Line: 152 Column: 15 CWE codes: 120

                // convert input name from ANSI encoding to utf-8
  int str16_len = MultiByteToWideChar(CP_ACP, 0, input_file_.c_str(), -1, nullptr, 0);
  wchar_t *uni16_str = new WCHAR[str16_len];
  str16_len = MultiByteToWideChar(CP_ACP, 0, input_file_.c_str(), -1, uni16_str, str16_len);
  int utf8_len =
      WideCharToMultiByte(CP_UTF8, 0, uni16_str, str16_len, nullptr, 0, nullptr, nullptr);
  char *utf8_str = new char[utf8_len];
  WideCharToMultiByte(CP_UTF8, 0, uni16_str, str16_len, utf8_str, utf8_len, nullptr, nullptr);
  input_file_ = utf8_str;

            

Reported by FlawFinder.

unittest/bitvector_test.cc
3 issues
syntax error
Error

Line: 116

              };

// Tests the sieve of Eratosthenes as a way of testing set/reset and I/O.
TEST_F(BitVectorTest, Primes) {
  BitVector map;
  ComputePrimes(&map);
  TestPrimes(map);
  // It still works if we use the copy constructor.
  BitVector map2(map);

            

Reported by Cppcheck.

fopen - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 129 Column: 14 CWE codes: 362

                TestPrimes(map3);
  // Test file i/o too.
  std::string filename = OutputNameToPath("primesbitvector");
  FILE *fp = fopen(filename.c_str(), "wb");
  ASSERT_TRUE(fp != nullptr);
  EXPECT_TRUE(map.Serialize(fp));
  fclose(fp);
  fp = fopen(filename.c_str(), "rb");
  ASSERT_TRUE(fp != nullptr);

            

Reported by FlawFinder.

fopen - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 133 Column: 8 CWE codes: 362

                ASSERT_TRUE(fp != nullptr);
  EXPECT_TRUE(map.Serialize(fp));
  fclose(fp);
  fp = fopen(filename.c_str(), "rb");
  ASSERT_TRUE(fp != nullptr);
  BitVector read_map;
  EXPECT_TRUE(read_map.DeSerialize(false, fp));
  fclose(fp);
  TestPrimes(read_map);

            

Reported by FlawFinder.

src/ccutil/tprintf.cpp
3 issues
vfprintf - If format strings can be influenced by an attacker, they can be exploited
Security

Line: 65 Column: 5 CWE codes: 134
Suggestion: Use a constant for the format specification

                va_list args;           // variable args
  va_start(args, format); // variable list
  if (debugfp != nullptr) {
    vfprintf(debugfp, format, args);
  } else {
    vfprintf(stderr, format, args);
  }
  va_end(args);
}

            

Reported by FlawFinder.

vfprintf - If format strings can be influenced by an attacker, they can be exploited
Security

Line: 67 Column: 5 CWE codes: 134
Suggestion: Use a constant for the format specification

                if (debugfp != nullptr) {
    vfprintf(debugfp, format, args);
  } else {
    vfprintf(stderr, format, args);
  }
  va_end(args);
}

} // namespace tesseract

            

Reported by FlawFinder.

fopen - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 56 Column: 15 CWE codes: 362

              #endif

  if (debugfp == nullptr && debug_file_name[0] != '\0') {
    debugfp = fopen(debug_file_name, "wb");
  } else if (debugfp != nullptr && debug_file_name[0] == '\0') {
    fclose(debugfp);
    debugfp = nullptr;
  }


            

Reported by FlawFinder.

src/ccutil/tessdatamanager.cpp
3 issues
memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 160 Column: 3 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

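              // Replaces the blob stored for `type` with a copy of the `size`
// bytes at `data` and marks the manager as loaded.
//
// Parameters:
//   type - which tessdata component to overwrite. It is used directly as an
//          index into entries_ with no range check here; presumably validated
//          by callers (TODO confirm).
//   data - source bytes; must point at least `size` readable bytes. That
//          caller precondition is what the FlawFinder memcpy finding on this
//          function is about: the destination is sized right here, so the
//          copy cannot overrun it.
//   size - number of bytes to copy. A negative value goes through the same
//          int -> size_t conversion that resize() always did and throws there
//          (length_error / bad_alloc) rather than copying anything.
//
// entries_[type] is treated as a contiguous std::vector-like container (it
// already supports resize() and operator[]); the use of data() assumes that —
// confirm against the declaration.
void TessdataManager::OverwriteEntry(TessdataType type, const char *data, int size) {
  is_loaded_ = true;
  auto &entry = entries_[type];
  entry.resize(size);
  // Copy exactly the destination's own size, and only when there is something
  // to copy: &entry[0] on an empty container (size == 0) is undefined
  // behaviour, and so is memcpy with a null pointer even for a zero length.
  if (!entry.empty()) {
    memcpy(entry.data(), data, entry.size());
  }
}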

// Saves to the given filename.
bool TessdataManager::SaveFile(const char *filename, FileWriter writer) const {
  // TODO: This method supports only the proprietary file format.

            

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 255 Column: 3 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

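              // Sets the version string to the given v_str.
//
// Stores a byte-for-byte copy of v_str (no trailing NUL is added) as the
// TESSDATA_VERSION entry. The destination is resized to v_str.size() before
// the copy and the copy length is the destination's own size, so the memcpy
// that FlawFinder flags here cannot overrun its buffer.
//
// entries_[TESSDATA_VERSION] is treated as a contiguous std::vector-like
// container (it already supports resize() and operator[]); the use of data()
// assumes that — confirm against the declaration.
void TessdataManager::SetVersionString(const std::string &v_str) {
  auto &entry = entries_[TESSDATA_VERSION];
  entry.resize(v_str.size());
  // Guard the empty case: &entry[0] on an empty container is undefined
  // behaviour, and memcpy requires valid pointers even for a zero length.
  if (!entry.empty()) {
    memcpy(entry.data(), v_str.data(), entry.size());
  }
}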

bool TessdataManager::CombineDataFiles(const char *language_data_path_prefix,
                                       const char *output_filename) {
  // Load individual tessdata components from files.

            

Reported by FlawFinder.

fopen - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 266 Column: 16 CWE codes: 362

                  ASSERT_HOST(TessdataTypeFromFileSuffix(filesuffix, &type));
    std::string filename = language_data_path_prefix;
    filename += filesuffix;
    FILE *fp = fopen(filename.c_str(), "rb");
    if (fp != nullptr) {
      fclose(fp);
      if (!LoadDataFromFile(filename.c_str(), &entries_[type])) {
        tprintf("Load of file %s failed!\n", filename.c_str());
        return false;

            

Reported by FlawFinder.

src/lstm/tfnetwork.cpp
3 issues
memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 49 Column: 3 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

                model_proto_.SerializeToString(&proto_str);
  // TODO: optimize and avoid copy from proto_str to data.
  std::vector<char> data(proto_str.size());
  memcpy(&data[0], proto_str.data(), proto_str.size());
  return fp->Serialize(data);
}

// Reads from the given file. Returns false in case of error.
// Should be overridden by subclasses, but NOT called by their DeSerialize.

            

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 79 Column: 3 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

                Tensor input_tensor(tensorflow::DT_FLOAT, shape);
  // The flat() member gives a 1d array, with a data() member to get the data.
  auto eigen_tensor = input_tensor.flat<float>();
  memcpy(eigen_tensor.data(), input.f(0), input.Width() * depth * sizeof(input.f(0)[0]));
  // Add the tensor to the vector of inputs.
  tf_inputs.emplace_back(model_proto_.image_input(), input_tensor);

  // Provide tensors giving the width and/or height of the image if they are
  // required. Some tf ops require a separate tensor with knowledge of the

            

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 119 Column: 3 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

                ASSERT_HOST(output_depth == output_shape_.depth());
  output->Resize2d(false, output_steps, output_depth);
  auto eigen_output = output_tensor.flat<float>();
  memcpy(output->f(0), eigen_output.data(), output_steps * output_depth * sizeof(output->f(0)[0]));
}

int TFNetwork::InitFromProto() {
  spec_ = model_proto_.spec();
  input_shape_.SetShape(model_proto_.batch_size(), std::max(0, model_proto_.y_size()),

            

Reported by FlawFinder.

src/ccmain/ltrresultiterator.cpp
3 issues
strncpy - Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned]
Security

Line: 81 Column: 3 CWE codes: 120

                }
  int length = text.length() + 1;
  char *result = new char[length];
  strncpy(result, text.c_str(), length);
  return result;
}

// Set the string inserted at the end of each text line. "\n" by default.
void LTRResultIterator::SetLineSeparator(const char *new_line) {

            

Reported by FlawFinder.

strncpy - Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned]
Security

Line: 324 Column: 3 CWE codes: 120

                std::string truth_text = it_->word()->blamer_bundle->TruthString();
  int length = truth_text.length() + 1;
  char *result = new char[length];
  strncpy(result, truth_text.c_str(), length);
  return result;
}

// Returns the null terminated UTF-8 encoded normalized OCR string for the
// current word. Use delete [] to free after use.

            

Reported by FlawFinder.

strncpy - Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned]
Security

Line: 343 Column: 3 CWE codes: 120

                }
  int length = ocr_text.length() + 1;
  char *result = new char[length];
  strncpy(result, ocr_text.c_str(), length);
  return result;
}

// Returns a pointer to serialized choice lattice.
// Fills lattice_size with the number of bytes in lattice data.

            

Reported by FlawFinder.