The following issues were found

Modules/_bz2module.c
2 issues
memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 534 Column: 9 CWE codes: 120
Suggestion: Make sure destination can always hold the source data 

                                  d->bzs_avail_in_real);
            bzs->next_in = d->input_buffer;
        }
        memcpy((void*)(bzs->next_in + d->bzs_avail_in_real), data, len);
        d->bzs_avail_in_real += len;
        input_buffer_in_use = 1;
    }
    else {
        bzs->next_in = data;

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 590 Column: 13 CWE codes: 120
Suggestion: Make sure destination can always hold the source data 

                          }

            /* Copy tail */
            memcpy(d->input_buffer, bzs->next_in, d->bzs_avail_in_real);
            bzs->next_in = d->input_buffer;
        }
    }

    return result;

Reported by FlawFinder.

Python/dynamic_annotations.c
2 issues
getenv - Environment variables are untrustable input if they can be set by an attacker. They can have any content and length, and the same variable can be set more than once
Security

Line: 123 Column: 41 CWE codes: 807 20
Suggestion: Check environment variables carefully before using them 

              #endif

#ifndef _MSC_VER
  const char *running_on_valgrind_str = getenv("RUNNING_ON_VALGRIND");
  if (running_on_valgrind_str) {
    return strcmp(running_on_valgrind_str, "0") != 0;
  }
#else
  /* Visual Studio issues warnings if we use getenv,

Reported by FlawFinder.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 131 Column: 3 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length 

                /* Visual Studio issues warnings if we use getenv,
   * so we use GetEnvironmentVariableA instead.
   */
  char value[100] = "1";
  int res = GetEnvironmentVariableA("RUNNING_ON_VALGRIND",
                                    value, sizeof(value));
  /* value will remain "1" if res == 0 or res >= sizeof(value). The latter
   * can happen only if the given value is long, in this case it can't be "0".
   */

Reported by FlawFinder.

Python/dynload_hpux.c
2 issues
char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 36 Column: 9 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length 

                      if (verbose) {
            perror(pathname);
        }
        char buf[256];
        PyOS_snprintf(buf, sizeof(buf), "Failed to load %.200s",
                      pathname);
        PyObject *buf_ob = PyUnicode_DecodeFSDefault(buf);
        if (buf_ob == NULL)
            return NULL;

Reported by FlawFinder.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 60 Column: 5 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length 

                      return NULL;
    }

    char funcname[258];
    PyOS_snprintf(funcname, sizeof(funcname), FUNCNAME_PATTERN,
                  prefix, shortname);
    if (verbose) {
        printf("shl_findsym %s\n", funcname);
    }

Reported by FlawFinder.

Python/dynload_shlib.c
2 issues
char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 59 Column: 5 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length 

              {
    dl_funcptr p;
    void *handle;
    char funcname[258];
    char pathbuf[260];
    int dlopenflags=0;

    if (strchr(pathname, '/') == NULL) {
        /* Prefix bare filename with "./" */

Reported by FlawFinder.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 60 Column: 5 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length 

                  dl_funcptr p;
    void *handle;
    char funcname[258];
    char pathbuf[260];
    int dlopenflags=0;

    if (strchr(pathname, '/') == NULL) {
        /* Prefix bare filename with "./" */
        PyOS_snprintf(pathbuf, sizeof(pathbuf), "./%-.255s", pathname);

Reported by FlawFinder.

Modules/addrinfo.h
2 issues
char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 156 Column: 5 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length 

              #else
    unsigned short ss_family;           /* address family */
#endif /* HAVE_SOCKADDR_SA_LEN */
    char        __ss_pad1[_SS_PAD1SIZE];
    long long __ss_align;            /* force desired structure storage alignment */
    char        __ss_pad2[_SS_PAD2SIZE];
};
#endif /* !HAVE_SOCKADDR_STORAGE */

Reported by FlawFinder.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 158 Column: 5 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length 

              #endif /* HAVE_SOCKADDR_SA_LEN */
    char        __ss_pad1[_SS_PAD1SIZE];
    long long __ss_align;            /* force desired structure storage alignment */
    char        __ss_pad2[_SS_PAD2SIZE];
};
#endif /* !HAVE_SOCKADDR_STORAGE */

#ifdef __cplusplus
extern "C" {

Reported by FlawFinder.

Python/preconfig.c
2 issues
getenv - Environment variables are untrustable input if they can be set by an attacker. They can have any content and length, and the same variable can be set more than once
Security

Line: 536 Column: 23 CWE codes: 807 20
Suggestion: Check environment variables carefully before using them 

                      return NULL;
    }

    const char *var = getenv(name);
    if (var && var[0] != '\0') {
        return var;
    }
    else {
        return NULL;

Reported by FlawFinder.

wcslen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 593 Column: 19 CWE codes: 126 

                          len = (sep - option);
        }
        else {
            len = wcslen(option);
        }
        if (wcsncmp(option, name, len) == 0 && name[len] == L'\0') {
            return option;
        }
    }

Reported by FlawFinder.

Python/pyctype.c
2 issues
char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 145 Column: 16 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length 

              };


const unsigned char _Py_ctype_tolower[256] = {
    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
    0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
    0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
    0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,

Reported by FlawFinder.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 180 Column: 16 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length 

                  0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff,
};

const unsigned char _Py_ctype_toupper[256] = {
    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
    0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
    0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
    0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,

Reported by FlawFinder.

Lib/test/tf_inherit_check.py
2 issues
Catching too general exception Exception
Error

Line: 24 Column: 12 

                              sys.stderr.write("fd %d is open in child" % fd)
            sys.exit(1)

    except Exception:
        if verbose:
            raise
        sys.exit(1)

Reported by Pylint.

Missing module docstring
Error

Line: 1 Column: 1 

              # Helper script for test_tempfile.py.  argv[2] is the number of a file
# descriptor which should _not_ be open.  Check this by attempting to
# write to it -- if we succeed, something is wrong.

import sys
import os
from test.support import SuppressCrashReport

with SuppressCrashReport():

Reported by Pylint.

Lib/test/test_peg_generator/__init__.py
2 issues
Missing module docstring
Error

Line: 1 Column: 1 

              import os

from test.support import load_package_tests

# Load all tests in package
def load_tests(*args):
    return load_package_tests(os.path.dirname(__file__), *args)

Reported by Pylint.

Missing function or method docstring
Error

Line: 6 Column: 1 

              from test.support import load_package_tests

# Load all tests in package
def load_tests(*args):
    return load_package_tests(os.path.dirname(__file__), *args)

Reported by Pylint.

Tools/c-analyzer/c-analyzer.py
2 issues
Missing module docstring
Error

Line: 1 Column: 1 

              from cpython.__main__ import parse_args, main, configure_logger


cmd, cmd_kwargs, verbosity, traceback_cm = parse_args()
configure_logger(verbosity)
with traceback_cm:
    main(cmd, cmd_kwargs)

Reported by Pylint.

Module name "c-analyzer" doesn't conform to snake_case naming style
Error

Line: 1 Column: 1 

              from cpython.__main__ import parse_args, main, configure_logger


cmd, cmd_kwargs, verbosity, traceback_cm = parse_args()
configure_logger(verbosity)
with traceback_cm:
    main(cmd, cmd_kwargs)

Reported by Pylint.