The following issues were found. The FlawFinder entries below are lexical matches on function and array names (the CWE tags are the tool's generic mapping for each name) and the Cppcheck entries are parser errors; each one needs manual triage against the quoted context and is not, by itself, a confirmed vulnerability.

src/third_party/zstandard-1.4.4/zstd/contrib/experimental_dict_builders/randomDictBuilder/random.c
2 issues
fprintf - If format strings can be influenced by an attacker, they can be exploited
Security

Line: 18 Column: 30 CWE codes: 134
Suggestion: Use a constant for the format specification. Triage note: the flagged line is the DISPLAY(...) macro, which forwards __VA_ARGS__ unchanged to fprintf(stderr, ...), so the format string is whatever each DISPLAY/DISPLAYLEVEL/DISPLAYUPDATE call site passes first. The finding is really against the callers, and it is closed by confirming every such call passes a string literal in that position (the one visible further down in this file, "\r%u%%       ", does).

              /*-*************************************
*  Console display
***************************************/
/* DISPLAY() forwards its entire argument list to fprintf(stderr, ...), so
 * the format string is whatever the caller passes first.  Keep that a
 * string literal at every DISPLAY/DISPLAYLEVEL call site; a buffer holding
 * external text in that position would turn this into a format-string sink. */
#define DISPLAY(...)         fprintf(stderr, __VA_ARGS__)
/* As DISPLAY(), gated on a `displayLevel` visible at the point of use being
 * at least `l`.  Expands to a bare `if` (no do/while(0) wrapper), so it
 * cannot be used as the `if` branch of an unbraced if/else. */
#define DISPLAYLEVEL(l, ...) if (displayLevel>=l) { DISPLAY(__VA_ARGS__); }

#define LOCALDISPLAYUPDATE(displayLevel, l, ...)                               \
  if (displayLevel >= l) {                                                     \
    if ((clock() - g_time > refreshRate) || (displayLevel >= 4)) {             \

            

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 115 Column: 7 CWE codes: 120
Suggestion: Make sure destination can always hold the source data. Triage note: in the quoted code the destination side is bounded by construction — segmentSize is clamped to tail before tail is decremented, so the write of segmentSize bytes at dict + tail never reaches past the previous value of tail (which the percentage computation suggests starts at dictBufferCapacity). What this excerpt cannot show is the source side: segment.begin .. segment.end must lie inside the samples buffer, and that has to be checked where segment is produced.

                    segmentSize = MIN(segment.end - segment.begin + 1, tail);

      tail -= segmentSize;
      memcpy(dict + tail, samples + segment.begin, segmentSize);
      DISPLAYUPDATE(
          2, "\r%u%%       ",
          (U32)(((dictBufferCapacity - tail) * 100) / dictBufferCapacity));
    }


            

Reported by FlawFinder.

src/third_party/zstandard-1.4.4/zstd/tests/roundTripCrash.c
2 issues
fprintf - If format strings can be influenced by an attacker, they can be exploited
Security

Line: 49 Column: 9 CWE codes: 134
Suggestion: Use a constant for the format specification. Triage note: this is a false positive — the format passed to fprintf is the literal "Error=> %s: %s", and both variable pieces (the stringized call #f and ZSTD_getErrorName(err)) are supplied as %s arguments, so no runtime data reaches the format position.

              #define CHECK_Z(f) {                            \
    size_t const err = f;                       \
    if (ZSTD_isError(err)) {                    \
        fprintf(stderr,                         \
                "Error=> %s: %s",               \
                #f, ZSTD_getErrorName(err));    \
        crash(1);                                \
}   }
/* CHECK_Z: evaluate the zstd call `f` once and, if it reports an error,
 * print "Error=> <call>: <error name>" to stderr and abort through crash(1).
 * The fprintf format is a string literal; the stringized `#f` and the
 * ZSTD_getErrorName() text are passed as %s arguments, so no runtime data
 * reaches the format position (a CWE-134 match here is a false positive). */


            

Reported by FlawFinder.

fopen - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? Triage note for loadFile(): fopen(fileName, "rb") runs before the isDirectory(fileName) check, and that check is made on the path name rather than on the opened stream, so it does not rule out the path being swapped between check and use; fstat() on fileno(f) would examine the object actually opened. The directory branch also calls exit(2) with f still open, which is harmless only because nothing runs afterwards. As this is a crash-reproduction test harness (tests/roundTripCrash.c) opening a user-supplied file, the practical exposure is low.
Security

Line: 194 Column: 21 CWE codes: 362

              *   requirement : `buffer` size >= `fileSize` */
static void loadFile(void* buffer, const char* fileName, size_t fileSize)
{
    FILE* const f = fopen(fileName, "rb");
    if (isDirectory(fileName)) {
        fprintf(stderr, "Ignoring %s directory \n", fileName);
        exit(2);
    }
    if (f==NULL) {

            

Reported by FlawFinder.

src/third_party/zlib-1.2.11/inflate.c
2 issues
char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 640 Column: 14 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. Triage note: the match is the declaration unsigned char hbuf[4] (the gzip header CRC scratch buffer); the finding only reports that a fixed-size array exists and says nothing about the code that fills it, which is outside this excerpt. The neighbouring order[19] is a static const table with exactly 19 initializers and is read-only.

                  unsigned len;               /* length to copy for repeats, bits to drop */
    int ret;                    /* return code */
#ifdef GUNZIP
    unsigned char hbuf[4];      /* buffer for gzip header crc calculation */
#endif
    static const unsigned short order[19] = /* permutation of code lengths */
        {16, 17, 18, 0, 8, 7, 9, 6, 10, 5, 11, 4, 12, 3, 13, 2, 14, 1, 15};

    if (inflateStateCheck(strm) || strm->next_out == Z_NULL ||

            

Reported by FlawFinder.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 1405 Column: 14 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. Triage note: this matches the declaration unsigned char buf[4], which the comment says is used to restore the bit buffer to a byte string; the writes into it are not in this excerpt, so the thing to confirm is that the code storing into buf never stores more than 4 bytes.

              {
    unsigned len;               /* number of bytes to look at or looked at */
    unsigned long in, out;      /* temporary to save total_in and total_out */
    unsigned char buf[4];       /* to restore bit buffer to byte string */
    struct inflate_state FAR *state;

    /* check parameters */
    if (inflateStateCheck(strm)) return Z_STREAM_ERROR;
    state = (struct inflate_state FAR *)strm->state;

            

Reported by FlawFinder.

src/third_party/wiredtiger/test/windows/windows_shim.h
2 issues
snprintf - If format strings can be influenced by an attacker, they can be exploited, and note that sprintf variations do not always \0-terminate
Security

Line: 38 Column: 9 CWE codes: 134
Suggestion: Use a constant for the format specification. Triage note: the match at this line is #define snprintf __wt_snprintf, which only renames snprintf to WiredTiger's own implementation on pre-VS2015 toolchains; there is no format string in this header, so the finding applies (if at all) to the snprintf call sites elsewhere in WiredTiger, not to the shim.

              
/* snprintf does not exist on <= VS 2013 */
/* Routes snprintf() to WiredTiger's own implementation on pre-VS2015
 * toolchains.  This is a rename, not a call: a format-string warning on
 * this line belongs to the call sites that end up here. */
#if _MSC_VER < 1900
#define snprintf __wt_snprintf
#endif

/* MSVC spells the case-insensitive compare stricmp(). */
#define strcasecmp stricmp

/*

            

Reported by FlawFinder.

usleep - This C routine is considered obsolete (as opposed to the shell command by the same name). The interaction of this function with SIGALRM and other timer functions such as sleep(), alarm(), setitimer(), and nanosleep() is unspecified
Security

Line: 64 Column: 5 CWE codes: 676
Suggestion: Use nanosleep(2) or setitimer(2) instead. Triage note: the flagged line is the shim's prototype int usleep(useconds_t useconds); in a Windows compatibility header, where neither POSIX usleep nor the SIGALRM interaction the description refers to exists; nanosleep(2) and setitimer(2) are POSIX interfaces too and are not a drop-in replacement on that target. The finding is against a declaration, not a call, and can be closed as not applicable.

              typedef uint32_t useconds_t;

/* POSIX sleep()/usleep() shims for the Windows test build; the bodies are
 * not in this header (presumably in the shim's .c file).  FlawFinder flags
 * usleep() for its unspecified SIGALRM interaction on POSIX; that does not
 * apply to a Windows implementation, so the finding is not actionable here. */
int sleep(int seconds);
int usleep(useconds_t useconds);

/* NOTE(review): _lseek() takes a `long`, which is 32 bits on Windows, so the
 * (long) cast silently truncates offsets beyond 2 GiB; if any test seeks
 * past that, _lseeki64() is the correct shim. */
#define lseek(fd, offset, origin) _lseek(fd, (long)(offset), origin)
/* _write() takes an unsigned int count; the cast truncates counts above
 * UINT_MAX, so callers must pass sizes that fit. */
#define write(fd, buffer, count) _write(fd, buffer, (unsigned int)(count))

/*

            

Reported by FlawFinder.

src/third_party/zstandard-1.4.4/zstd/zlibWrapper/examples/fitblk.c
2 issues
char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 81 Column: 14 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. Triage note: in the quoted code raw[RAWLEN] is filled only by fread(raw, 1, RAWLEN, in), which stores at most RAWLEN bytes — exactly the array's size — so the write is bounded by construction; the (uInt) cast of the fread count is lossless for any RAWLEN that fits in an unsigned int. Any later use of raw is outside this excerpt.

              local int partcompress(FILE *in, z_streamp def)
{
    int ret, flush;
    unsigned char raw[RAWLEN];

    flush = Z_SYNC_FLUSH;
    do {
        def->avail_in = (uInt)fread(raw, 1, RAWLEN, in);
        if (ferror(in))

            

Reported by FlawFinder.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 106 Column: 14 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. Triage note: within this excerpt raw[RAWLEN] is declared but not yet written; it is presumably filled as the inflate output buffer, so the thing to confirm is that wherever inf->next_out is pointed at raw, inf->avail_out is set to RAWLEN and not larger.

              local int recompress(z_streamp inf, z_streamp def)
{
    int ret, flush;
    unsigned char raw[RAWLEN];

    flush = Z_NO_FLUSH;
    LOG_FITBLK("recompress start\n");
    do {
        /* decompress */

            

Reported by FlawFinder.

src/third_party/zstandard-1.4.4/zstd/zlibWrapper/examples/fitblk_original.c
2 issues
char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 76 Column: 14 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. Triage note: in the quoted code raw[RAWLEN] is filled only by fread(raw, 1, RAWLEN, in), which stores at most RAWLEN bytes — the array's own size — so the write is bounded by construction; the only difference from fitblk.c is the implicit size_t-to-uInt conversion of the count, which is lossless for any RAWLEN that fits in an unsigned int.

              local int partcompress(FILE *in, z_streamp def)
{
    int ret, flush;
    unsigned char raw[RAWLEN];

    flush = Z_NO_FLUSH;
    do {
        def->avail_in = fread(raw, 1, RAWLEN, in);
        if (ferror(in))

            

Reported by FlawFinder.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 99 Column: 14 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. Triage note: the quoted code sets inf->avail_out = RAWLEN, which matches the declared size of raw; that is the correct bound provided inf->next_out is pointed at raw, which happens just outside this excerpt and is the line to confirm.

              local int recompress(z_streamp inf, z_streamp def)
{
    int ret, flush;
    unsigned char raw[RAWLEN];

    flush = Z_NO_FLUSH;
    do {
        /* decompress */
        inf->avail_out = RAWLEN;

            

Reported by FlawFinder.

src/third_party/wiredtiger/test/thread/stats.c
2 issues
char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 43 Column: 5 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. Triage note: name[64] is declared but not used within this excerpt; to close this finding, confirm that every write into it in the statistics loop is length-limited (snprintf with sizeof(name), or an explicitly terminated bounded copy), since the text it presumably receives — the desc/pval strings read from the statistics cursor — is not of a fixed length.

                  WT_SESSION *session;
    uint64_t v;
    int ret;
    char name[64];
    const char *desc, *pval;

    testutil_check(conn->open_session(conn, NULL, NULL, &session));

    if ((fp = fopen(FNAME_STAT, "w")) == NULL)

            

Reported by FlawFinder.

fopen - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? Triage note: FNAME_STAT is a compile-time constant, so the only attacker-influenced input is the working directory's contents — a pre-existing symlink by that name would be followed and its target truncated, because the file is opened with "w" and no exclusive-create flag. For a test program running in its own working directory this is normally acceptable; if it matters, open with "wx" (C11) or open(2) with O_CREAT|O_EXCL and fdopen().
Security

Line: 48 Column: 15 CWE codes: 362

              
    testutil_check(conn->open_session(conn, NULL, NULL, &session));

    if ((fp = fopen(FNAME_STAT, "w")) == NULL)
        testutil_die(errno, "fopen " FNAME_STAT);

    /* Connection statistics. */
    testutil_check(session->open_cursor(session, "statistics:", NULL, NULL, &cursor));


            

Reported by FlawFinder.

src/third_party/zstandard-1.4.4/zstd/examples/streaming_decompression.c
2 issues
read - Check buffer boundaries if used in a loop including recursive loops. Triage note: FlawFinder matched the local variable named read (the byte count returned by fread_orDie), not the read(2) system call; the actual input call is fread_orDie(buffIn, toRead, fin) with toRead = buffInSize, so each iteration reads at most the buffer's declared size, and the ZSTD_inBuffer is sized with the count actually read. The allocation of buffIn with buffInSize bytes is outside this excerpt and is the remaining thing to confirm.
Security

Line: 36 Column: 12 CWE codes: 120 20

                   * and doesn't consume input after the frame.
     */
    size_t const toRead = buffInSize;
    size_t read;
    size_t lastRet = 0;
    int isEmpty = 1;
    while ( (read = fread_orDie(buffIn, toRead, fin)) ) {
        isEmpty = 0;
        ZSTD_inBuffer input = { buffIn, read, 0 };

            

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops. Triage note: this second match is the same local variable read, here used to size the ZSTD_inBuffer with the count fread_orDie actually returned; it is not a read(2) call and needs no action beyond confirming that buffIn was allocated with buffInSize bytes.
Security

Line: 41 Column: 41 CWE codes: 120 20

                  int isEmpty = 1;
    while ( (read = fread_orDie(buffIn, toRead, fin)) ) {
        isEmpty = 0;
        ZSTD_inBuffer input = { buffIn, read, 0 };
        /* Given a valid frame, zstd won't consume the last byte of the frame
         * until it has flushed all of the decompressed data of the frame.
         * Therefore, instead of checking if the return code is 0, we can
         * decompress just check if input.pos < input.size.
         */

            

Reported by FlawFinder.

src/mongo/util/tcmalloc_set_parameter.cpp
2 issues
Syntax Error: AST broken, 'if' doesn't have two operands. (Cppcheck failed to build a syntax tree for the lambda `(InitializerContext*) { ... }` that opens this block; this looks like a parser limitation rather than a defect in the C++ — the if at line 130 has an ordinary condition and body — and should be confirmed by compiling the file with the project toolchain.)
Error

Line: 130

              (InitializerContext*) {
    // Before processing the command line options, if the user has not specified a value in via
    // the environment, set tcmalloc.max_total_thread_cache_bytes to its default value.
    if (getenv("TCMALLOC_MAX_TOTAL_THREAD_CACHE_BYTES")) {
        return;
    }

    ProcessInfo pi;
    size_t systemMemorySizeMB = pi.getMemSizeMB();

            

Reported by Cppcheck.

getenv - Environment variables are untrustable input if they can be set by an attacker. They can have any content and length, and the same variable can be set more than once
Security

Line: 130 Column: 9 CWE codes: 807 20
Suggestion: Check environment variables carefully before using them. Triage note: in this excerpt the variable's value is never read — only its presence is tested, so that the default thread-cache size is not applied when the user set one — so its content and length cannot influence this code; any parsing of TCMALLOC_MAX_TOTAL_THREAD_CACHE_BYTES happens elsewhere (presumably inside the allocator), and that is where range validation would belong.

              (InitializerContext*) {
    // Before processing the command line options, if the user has not specified a value in via
    // the environment, set tcmalloc.max_total_thread_cache_bytes to its default value.
    if (getenv("TCMALLOC_MAX_TOTAL_THREAD_CACHE_BYTES")) {
        return;
    }

    ProcessInfo pi;
    size_t systemMemorySizeMB = pi.getMemSizeMB();

            

Reported by FlawFinder.

src/mongo/util/decorable_test.cpp
2 issues
syntax error (Cppcheck could not parse line 81 — the TEST(DecorableTest, DecorableType) macro invocation and the CRTP class templates around it; this is a tool parsing failure, not a compiler error, and needs no code change unless the project build also rejects the file.)
Error

Line: 81

              class MyDecorable : public Decorable<MyDecorable> {};
class MyCopyableDecorable : public DecorableCopyable<MyCopyableDecorable> {};
// Empty fixture types: the tests attach state to them through
// declareDecoration<>() rather than by adding members.

TEST(DecorableTest, DecorableType) {
    const auto dd1 = MyDecorable::declareDecoration<A>();
    const auto dd2 = MyDecorable::declareDecoration<A>();
    const auto dd3 = MyDecorable::declareDecoration<int>();
    numConstructedAs = 0;
    numDestructedAs = 0;

            

Reported by Cppcheck.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 213 Column: 11 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. Triage note: the initializer is a 52-character string literal (53 bytes with the terminator), which fits in the 100-byte array; an oversized initializer would be rejected by the C++ compiler, and the member is const, so nothing can write to it after initialization. This finding is a false positive.

              }

struct DecoratedOwnerChecker : public Decorable<DecoratedOwnerChecker> {
    // 52-character literal plus terminator (53 bytes) in a 100-byte const
    // array: the initializer fits, an oversized one would be rejected by the
    // C++ compiler, and `const` rules out later writes -- so a fixed-size
    // array finding on this line is a false positive.
    const char answer[100] = "The answer to life the universe and everything is 42";
};

// Test all 4 variations of the owner back reference: const pointer, non-const pointer, const
// reference, non-const reference.
struct DecorationWithOwner {

            

Reported by FlawFinder.