On Thu, Sep 29, 2016 at 09:14:52AM -0700, Alan Coopersmith wrote:
> On 09/29/16 07:48 AM, shirish शिरीष wrote:
> >Flawfinder version 1.31, (C) 2001-2014 David A. Wheeler.
> >Number of rules (primarily dangerous function names) in C/C++ ruleset: 169
> >./JSON/i-nex-edid.c:137: [2] (buffer) char:
> > Statically-sized arrays can be improperly restricted, leading to potential
> > overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
> > functions that limit length, or ensure that the size is larger than the
> > maximum possible length.
> > static char name[4];
[...]
If all this tool is doing is reporting static allocations and C functions that can be misused, it doesn't seem particularly useful. Static array allocations are a fact of programming in C, and very nearly every API is unsafe when used incorrectly. That's just what C is. It might be nice to guide an audit but on its own it doesn't seem too revealing.

I strongly recommend cppcheck instead. It's not perfect, but it is surprisingly good.

Thanks
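As an added example that is not part of this thread or of the i-nex code, and assuming the flagged 4-byte buffer holds the EDID manufacturer ID (a common use for a `char[4]` in an EDID parser, since the ID is three letters plus a NUL), here is a decoder written so that the static buffer is provably large enough for any input. That "size is larger than the maximum possible length" property is what the flawfinder note asks you to establish, and it is a property of how the buffer is written, not of the declaration the tool flags.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PNP_ID_LEN 4   /* three letters plus NUL: the size flawfinder flagged */

/* Decode the EDID manufacturer ID (bytes 8 and 9 of the base block,
 * big-endian) into out[PNP_ID_LEN]. Bit 15 must be 0; the remaining three
 * 5-bit fields hold letters encoded as 1..26 for 'A'..'Z'. Every write is to
 * a constant index below PNP_ID_LEN, so no input can overrun the buffer.
 * Returns 1 on success, 0 on a malformed ID (out is then "???"). */
int edid_decode_pnp_id(const uint8_t hdr[2], char out[PNP_ID_LEN])
{
    unsigned raw = ((unsigned)hdr[0] << 8) | hdr[1];
    char tmp[PNP_ID_LEN] = {0};

    if (raw & 0x8000u)
        goto bad;                                   /* reserved bit set */
    for (int i = 0; i < 3; i++) {
        unsigned v = (raw >> (10 - 5 * i)) & 0x1Fu; /* bits 14-10, 9-5, 4-0 */
        if (v < 1 || v > 26)
            goto bad;                               /* 0 and 27..31 are not letters */
        tmp[i] = (char)('A' + v - 1);
    }
    memcpy(out, tmp, PNP_ID_LEN);                   /* tmp[3] is already NUL */
    return 1;
bad:
    memcpy(out, "???", PNP_ID_LEN);                 /* 4 bytes including NUL */
    return 0;
}

/* Same shape as the flagged code (assumed use): a static 4-byte name buffer,
 * but filled only through the bounded decoder above. */
static char name[PNP_ID_LEN];

const char *edid_pnp_id_string(uint8_t b0, uint8_t b1)
{
    const uint8_t hdr[2] = { b0, b1 };
    edid_decode_pnp_id(hdr, name);
    return name;
}

int main(void)
{
    /* Constructed sample: 0x22 0xF0 encodes the PNP ID "HWP". */
    printf("%s\n", edid_pnp_id_string(0x22, 0xF0));
    printf("%s\n", edid_pnp_id_string(0x00, 0x00));   /* malformed: ??? */
    return 0;
}
```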
_______________________________________________
xorg@lists.x.org: X.Org support
Archives: http://lists.freedesktop.org/archives/xorg
Info: https://lists.x.org/mailman/listinfo/xorg
