The following issues were found

src/third_party/wiredtiger/src/conn/conn_capacity.c
2 issues
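read - Check buffer boundaries if used in a loop including recursive loops. [In the excerpt below, the only standalone `read` token is the struct field `cap->read`, which is assigned to `capacity`; no read() call is visible, so this hit looks like a name match rather than a buffer read.]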
Security

Line: 311 Column: 25 CWE codes: 120 20

                      WT_STAT_CONN_INCRV(session, capacity_bytes_written, bytes);
        break;
    case WT_THROTTLE_READ:
        capacity = cap->read;
        reservation = &cap->reservation_read;
        WT_STAT_CONN_INCRV(session, capacity_bytes_read, bytes);
        break;
    }
    total_capacity = cap->total;

            

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 371 Column: 35 CWE codes: 120 20

                      }
        if (type != WT_THROTTLE_READ && (this_res = cap->reservation_read) < best_res) {
            steal = &cap->reservation_read;
            steal_capacity = cap->read;
            best_res = this_res;
        }

        if (steal != NULL) {
            /*

            

Reported by FlawFinder.

src/third_party/wiredtiger/src/conn/conn_reconfig.c
2 issues
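sscanf - The scanf() family's %s operation, without a limit specification, permits buffer overflows. [Both sscanf calls in the excerpt below use only `SCNu16` integer conversions and contain no `%s`, so the unbounded-string concern does not apply to them as shown.]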
Security

Line: 26 Column: 9 CWE codes: 120 20
Suggestion: Specify a limit to %s, or use a different input function

                   * the patch value, but allow it in the string.
     */
    /* NOLINTNEXTLINE(cert-err34-c) */
    if (sscanf(cvalp->str, "%" SCNu16 ".%" SCNu16, majorp, minorp) != 2 &&
      /* NOLINTNEXTLINE(cert-err34-c) */
      sscanf(cvalp->str, "%" SCNu16 ".%" SCNu16 ".%" SCNu16, majorp, minorp, &unused_patch) != 3)
        WT_RET_MSG(session, EINVAL, "illegal compatibility release");
    if (*majorp > WIREDTIGER_VERSION_MAJOR)
        WT_RET_MSG(session, ENOTSUP, WT_COMPAT_MSG_PREFIX "unsupported major version");

            

Reported by FlawFinder.

sscanf - The scanf() family's %s operation, without a limit specification, permits buffer overflows
Security

Line: 28 Column: 7 CWE codes: 120 20
Suggestion: Specify a limit to %s, or use a different input function

                  /* NOLINTNEXTLINE(cert-err34-c) */
    if (sscanf(cvalp->str, "%" SCNu16 ".%" SCNu16, majorp, minorp) != 2 &&
      /* NOLINTNEXTLINE(cert-err34-c) */
      sscanf(cvalp->str, "%" SCNu16 ".%" SCNu16 ".%" SCNu16, majorp, minorp, &unused_patch) != 3)
        WT_RET_MSG(session, EINVAL, "illegal compatibility release");
    if (*majorp > WIREDTIGER_VERSION_MAJOR)
        WT_RET_MSG(session, ENOTSUP, WT_COMPAT_MSG_PREFIX "unsupported major version");
    if (*majorp == WIREDTIGER_VERSION_MAJOR && *minorp > WIREDTIGER_VERSION_MINOR)
        WT_RET_MSG(session, ENOTSUP, WT_COMPAT_MSG_PREFIX "unsupported minor version");

            

Reported by FlawFinder.

src/third_party/wiredtiger/src/cursor/cur_metadata.c
2 issues
char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 76 Column: 11 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

                  WT_CURSOR *c;
    WT_DECL_ITEM(buf);
    WT_DECL_RET;
    const char *_cfg[5] = {NULL, NULL, NULL, value, NULL};
    const char **cfg, **firstcfg, **lastcfg, *v;

    lastcfg = cfg = &_cfg[3]; /* position on value */
    c = NULL;
    if (key != NULL && WT_PREFIX_SKIP(key, "table:")) {

            

Reported by FlawFinder.

strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 152 Column: 56 CWE codes: 126

                  c->key.size = fc->key.size;
    if (F_ISSET(mdc, WT_MDC_CREATEONLY)) {
        WT_ERR(__schema_create_collapse(session, mdc, fc->key.data, fc->value.data, &value));
        WT_ERR(__wt_buf_set(session, &c->value, value, strlen(value) + 1));
    } else {
        c->value.data = fc->value.data;
        c->value.size = fc->value.size;
    }


            

Reported by FlawFinder.

src/third_party/unwind/dist/tests/Gtest-bt.c
2 issues
fprintf - If format strings can be influenced by an attacker, they can be exploited
Security

Line: 45 Column: 4 CWE codes: 134
Suggestion: Use a constant for the format specification

              #include <libunwind.h>

/*
 * Print a message to stderr and terminate the process with exit (-1).
 *
 * The first macro argument is handed to fprintf as the format string,
 * so it must always be a string literal; variable text belongs behind
 * a "%s" conversion.  The expansion is a bare brace block rather than a
 * do { } while (0) statement, so "panic (...);" used as the sole body
 * of an if that has an else will not parse as intended.
 */
#define panic(args...)				\
	{ fprintf (stderr, args); exit (-1); }

/* Presumably the signal stack size in bytes (0x100000 = 1 MiB);
 * confirm at the use site, which is outside this excerpt. */
#define SIG_STACK_SIZE 0x100000

/* File-scope test state; as objects with static storage duration
 * both start out as zero. */
int verbose;
int num_errors;

            

Reported by FlawFinder.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 54 Column: 1 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

              
/* These variables are global because they
 * cause the signal stack to overflow (presumably when declared as
 * locals on the handler path -- confirm against do_backtrace).
 *
 * buf and name have fixed sizes (512 and 256 bytes).  The code that
 * fills them is not part of this excerpt; each writer must pass the
 * matching sizeof as its length limit. */
char buf[512], name[256];
unw_cursor_t cursor;
unw_context_t uc;

static void
do_backtrace (void)

            

Reported by FlawFinder.

src/third_party/wiredtiger/src/include/block.h
2 issues
open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 329 Column: 11 CWE codes: 362

              struct __wt_block_file_opener {
    /* An id to be used with the open call to reference the current object. */
#define WT_TIERED_CURRENT_ID UINT32_MAX
    /*
     * "open" is a function-pointer member of this struct, not a call to the C library's open().
     * The declaration performs no file access; any path, symlink or race handling belongs to the
     * function installed here, which is not visible in this header excerpt.
     */
    int (*open)(
      WT_BLOCK_FILE_OPENER *, WT_SESSION_IMPL *, uint32_t, WT_FS_OPEN_FILE_TYPE, u_int, WT_FH **);
    /* Callback returning a uint32_t; by its name, the id of the current object -- confirm. */
    uint32_t (*current_object_id)(WT_BLOCK_FILE_OPENER *);
    void *cookie; /* Used in open call */
};


            

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 192 Column: 11 CWE codes: 120 20

                  bool (*is_mapped)(WT_BM *, WT_SESSION_IMPL *);
    int (*map_discard)(WT_BM *, WT_SESSION_IMPL *, void *, size_t);
    int (*preload)(WT_BM *, WT_SESSION_IMPL *, const uint8_t *, size_t);
    int (*read)(WT_BM *, WT_SESSION_IMPL *, WT_ITEM *, const uint8_t *, size_t);
    int (*salvage_end)(WT_BM *, WT_SESSION_IMPL *);
    int (*salvage_next)(WT_BM *, WT_SESSION_IMPL *, uint8_t *, size_t *, bool *);
    int (*salvage_start)(WT_BM *, WT_SESSION_IMPL *);
    int (*salvage_valid)(WT_BM *, WT_SESSION_IMPL *, uint8_t *, size_t, bool);
    int (*size)(WT_BM *, WT_SESSION_IMPL *, wt_off_t *);

            

Reported by FlawFinder.

src/third_party/wiredtiger/src/lsm/lsm_work_unit.c
2 issues
memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 48 Column: 9 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

                  if (cookie->chunk_alloc < alloc)
        WT_ERR(__wt_realloc(session, &cookie->chunk_alloc, alloc, &cookie->chunk_array));
    if (nchunks > 0)
        memcpy(cookie->chunk_array, old_chunks ? lsm_tree->old_chunks : lsm_tree->chunk,
          nchunks * sizeof(*cookie->chunk_array));

    /*
     * Mark each chunk as active, so we don't drop it until after we know it's safe.
     */

            

Reported by FlawFinder.

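strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected). [In the excerpt below, the argument is the string literal "file:", which is always \0-terminated. What the excerpt does not show is a check that `uri` begins with that prefix before the offset is applied.]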
Security

Line: 638 Column: 45 CWE codes: 126

                  WT_WITH_SCHEMA_LOCK(session, ret = __wt_schema_drop(session, uri, drop_cfg));

    if (ret == 0)
        ret = __wt_fs_remove(session, uri + strlen("file:"), false);
    __wt_verbose(session, WT_VERB_LSM, "Dropped %s", uri);

    if (ret == EBUSY || ret == ENOENT)
        __wt_verbose(session, WT_VERB_LSM, "LSM worker drop of %s failed with %d", uri, ret);


            

Reported by FlawFinder.

src/third_party/wiredtiger/src/os_common/filename.c
2 issues
strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 18 Column: 43 CWE codes: 126

              int
__wt_filename(WT_SESSION_IMPL *session, const char *name, char **path)
{
    size_t namelen;

    /*
     * Convenience wrapper: measure the name and hand off to the length-taking variant. The name
     * must be a NUL-terminated string because its length is taken with strlen.
     */
    namelen = strlen(name);

    return (__wt_nfilename(session, name, namelen, path));
}

/*
 * __wt_nfilename --
 *     Build a file name in a scratch buffer. If the name is already an absolute path duplicate it,

            

Reported by FlawFinder.

strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 42 Column: 11 CWE codes: 126

                  if (session == NULL || __wt_absolute_path(name))
        return (__wt_strndup(session, name, namelen, path));

    len = strlen(S2C(session)->home) + 1 + namelen + 1;
    WT_RET(__wt_calloc(session, 1, len, &buf));
    WT_ERR(__wt_snprintf(
      buf, len, "%s%s%.*s", S2C(session)->home, __wt_path_separator(), (int)namelen, name));
    *path = buf;
    return (0);

            

Reported by FlawFinder.

src/third_party/wiredtiger/src/os_posix/os_getenv.c
2 issues
getenv - Environment variables are untrustable input if they can be set by an attacker. They can have any content and length, and the same variable can be set more than once
Security

Line: 23 Column: 18 CWE codes: 807 20
Suggestion: Check environment variables carefully before using them

              
    *envp = NULL;

    if (((temp = getenv(variable)) != NULL) && strlen(temp) > 0)
        return (__wt_strdup(session, temp, envp));

    return (0);
}

            

Reported by FlawFinder.

strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 23 Column: 48 CWE codes: 126

              
    *envp = NULL;

    if (((temp = getenv(variable)) != NULL) && strlen(temp) > 0)
        return (__wt_strdup(session, temp, envp));

    return (0);
}

            

Reported by FlawFinder.

src/third_party/wiredtiger/src/os_win/os_dir.c
2 issues
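strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected). [In the excerpt below, strlen is applied to `dir_copy`, the result of `__wt_strdup`. The case worth verifying is an empty `directory`: with `pathlen` equal to 0, `dir_copy[pathlen - 1]` would index outside the buffer, and no guard is visible in these lines.]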
Security

Line: 42 Column: 15 CWE codes: 126

                  entries = NULL;

    WT_ERR(__wt_strdup(session, directory, &dir_copy));
    pathlen = strlen(dir_copy);
    if (dir_copy[pathlen - 1] == '\\')
        dir_copy[pathlen - 1] = '\0';
    WT_ERR(__wt_scr_alloc(session, pathlen + 3, &pathbuf));
    WT_ERR(__wt_buf_fmt(session, pathbuf, "%s\\*", dir_copy));


            

Reported by FlawFinder.

wcslen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 50 Column: 22 CWE codes: 126

              
    WT_ERR(__wt_to_utf16_string(session, pathbuf->data, &pathbuf_wide));
    WT_ERR(__wt_to_utf16_string(session, prefix, &prefix_wide));
    prefix_widelen = wcslen(prefix_wide->data);

    findhandle = FindFirstFileW(pathbuf_wide->data, &finddata);
    if (findhandle == INVALID_HANDLE_VALUE) {
        windows_error = __wt_getlasterror();
        ret = __wt_map_windows_error(windows_error);

            

Reported by FlawFinder.

src/third_party/wiredtiger/src/os_win/os_utf8.c
2 issues
MultiByteToWideChar - Requires maximum length in CHARACTERS, not bytes
Security

Line: 22 Column: 18 CWE codes: 120

                  DWORD windows_error;
    int bufferSize;

    bufferSize = MultiByteToWideChar(CP_UTF8, 0, utf8, -1, NULL, 0);
    windows_error = __wt_getlasterror();

    if (bufferSize == 0 && windows_error != ERROR_INSUFFICIENT_BUFFER) {
        ret = __wt_map_windows_error(windows_error);
        __wt_err(

            

Reported by FlawFinder.

MultiByteToWideChar - Requires maximum length in CHARACTERS, not bytes
Security

Line: 33 Column: 18 CWE codes: 120

                  }

    WT_RET(__wt_scr_alloc(session, bufferSize * sizeof(wchar_t), outbuf));
    bufferSize = MultiByteToWideChar(CP_UTF8, 0, utf8, -1, (*outbuf)->mem, bufferSize);

    if (bufferSize == 0) {
        windows_error = __wt_getlasterror();
        __wt_scr_free(session, outbuf);
        ret = __wt_map_windows_error(windows_error);

            

Reported by FlawFinder.