Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/cinnamon-4.6.7/src/cinnamon-app-private.h
Examining data/cinnamon-4.6.7/src/cinnamon-app-system-private.h
Examining data/cinnamon-4.6.7/src/cinnamon-app-system.c
Examining data/cinnamon-4.6.7/src/cinnamon-app-system.h
Examining data/cinnamon-4.6.7/src/cinnamon-app.c
Examining data/cinnamon-4.6.7/src/cinnamon-app.h
Examining data/cinnamon-4.6.7/src/cinnamon-doc-system.c
Examining data/cinnamon-4.6.7/src/cinnamon-doc-system.h
Examining data/cinnamon-4.6.7/src/cinnamon-embedded-window-private.h
Examining data/cinnamon-4.6.7/src/cinnamon-embedded-window.c
Examining data/cinnamon-4.6.7/src/cinnamon-embedded-window.h
Examining data/cinnamon-4.6.7/src/cinnamon-generic-container.c
Examining data/cinnamon-4.6.7/src/cinnamon-generic-container.h
Examining data/cinnamon-4.6.7/src/cinnamon-global-private.h
Examining data/cinnamon-4.6.7/src/cinnamon-global.h
Examining data/cinnamon-4.6.7/src/cinnamon-gtk-embed.c
Examining data/cinnamon-4.6.7/src/cinnamon-gtk-embed.h
Examining data/cinnamon-4.6.7/src/cinnamon-perf-helper.c
Examining data/cinnamon-4.6.7/src/cinnamon-perf-log.c
Examining data/cinnamon-4.6.7/src/cinnamon-perf-log.h
Examining data/cinnamon-4.6.7/src/cinnamon-plugin.c
Examining data/cinnamon-4.6.7/src/cinnamon-recorder-src.c
Examining data/cinnamon-4.6.7/src/cinnamon-recorder-src.h
Examining data/cinnamon-4.6.7/src/cinnamon-recorder.c
Examining data/cinnamon-4.6.7/src/cinnamon-recorder.h
Examining data/cinnamon-4.6.7/src/cinnamon-screenshot.c
Examining data/cinnamon-4.6.7/src/cinnamon-screenshot.h
Examining data/cinnamon-4.6.7/src/cinnamon-slicer.c
Examining data/cinnamon-4.6.7/src/cinnamon-slicer.h
Examining data/cinnamon-4.6.7/src/cinnamon-stack.c
Examining data/cinnamon-4.6.7/src/cinnamon-stack.h
Examining data/cinnamon-4.6.7/src/cinnamon-tray-icon.c
Examining data/cinnamon-4.6.7/src/cinnamon-tray-icon.h
Examining data/cinnamon-4.6.7/src/cinnamon-tray-manager.c
Examining data/cinnamon-4.6.7/src/cinnamon-tray-manager.h
Examining data/cinnamon-4.6.7/src/cinnamon-util.c
Examining data/cinnamon-4.6.7/src/cinnamon-util.h
Examining data/cinnamon-4.6.7/src/cinnamon-window-tracker-private.h
Examining data/cinnamon-4.6.7/src/cinnamon-window-tracker.c
Examining data/cinnamon-4.6.7/src/cinnamon-window-tracker.h
Examining data/cinnamon-4.6.7/src/cinnamon-wm-private.h
Examining data/cinnamon-4.6.7/src/cinnamon-wm.c
Examining data/cinnamon-4.6.7/src/cinnamon-wm.h
Examining data/cinnamon-4.6.7/src/cinnamon-xfixes-cursor.c
Examining data/cinnamon-4.6.7/src/cinnamon-xfixes-cursor.h
Examining data/cinnamon-4.6.7/src/hotplug-sniffer/cinnamon-mime-sniffer.c
Examining data/cinnamon-4.6.7/src/hotplug-sniffer/cinnamon-mime-sniffer.h
Examining data/cinnamon-4.6.7/src/hotplug-sniffer/hotplug-mimetypes.h
Examining data/cinnamon-4.6.7/src/hotplug-sniffer/hotplug-sniffer.c
Examining data/cinnamon-4.6.7/src/run-js-test.c
Examining data/cinnamon-4.6.7/src/st/st-adjustment.c
Examining data/cinnamon-4.6.7/src/st/st-adjustment.h
Examining data/cinnamon-4.6.7/src/st/st-background-effect.c
Examining data/cinnamon-4.6.7/src/st/st-background-effect.h
Examining data/cinnamon-4.6.7/src/st/st-bin.c
Examining data/cinnamon-4.6.7/src/st/st-bin.h
Examining data/cinnamon-4.6.7/src/st/st-border-image.c
Examining data/cinnamon-4.6.7/src/st/st-border-image.h
Examining data/cinnamon-4.6.7/src/st/st-box-layout-child.c
Examining data/cinnamon-4.6.7/src/st/st-box-layout-child.h
Examining data/cinnamon-4.6.7/src/st/st-box-layout.c
Examining data/cinnamon-4.6.7/src/st/st-box-layout.h
Examining data/cinnamon-4.6.7/src/st/st-button.c
Examining data/cinnamon-4.6.7/src/st/st-button.h
Examining data/cinnamon-4.6.7/src/st/st-clipboard.c
Examining data/cinnamon-4.6.7/src/st/st-clipboard.h
Examining data/cinnamon-4.6.7/src/st/st-cogl-wrapper.c
Examining data/cinnamon-4.6.7/src/st/st-cogl-wrapper.h
Examining data/cinnamon-4.6.7/src/st/st-drawing-area.c
Examining data/cinnamon-4.6.7/src/st/st-drawing-area.h
Examining data/cinnamon-4.6.7/src/st/st-entry.c
Examining data/cinnamon-4.6.7/src/st/st-entry.h
Examining data/cinnamon-4.6.7/src/st/st-focus-manager.c
Examining data/cinnamon-4.6.7/src/st/st-focus-manager.h
Examining data/cinnamon-4.6.7/src/st/st-group.c
Examining data/cinnamon-4.6.7/src/st/st-group.h
Examining data/cinnamon-4.6.7/src/st/st-icon-colors.c
Examining data/cinnamon-4.6.7/src/st/st-icon-colors.h
Examining data/cinnamon-4.6.7/src/st/st-icon.c
Examining data/cinnamon-4.6.7/src/st/st-icon.h
Examining data/cinnamon-4.6.7/src/st/st-im-text.c
Examining data/cinnamon-4.6.7/src/st/st-im-text.h
Examining data/cinnamon-4.6.7/src/st/st-label.c
Examining data/cinnamon-4.6.7/src/st/st-label.h
Examining data/cinnamon-4.6.7/src/st/st-polygon.c
Examining data/cinnamon-4.6.7/src/st/st-polygon.h
Examining data/cinnamon-4.6.7/src/st/st-private.c
Examining data/cinnamon-4.6.7/src/st/st-private.h
Examining data/cinnamon-4.6.7/src/st/st-scroll-bar.c
Examining data/cinnamon-4.6.7/src/st/st-scroll-bar.h
Examining data/cinnamon-4.6.7/src/st/st-scroll-view-fade.c
Examining data/cinnamon-4.6.7/src/st/st-scroll-view-fade.h
Examining data/cinnamon-4.6.7/src/st/st-scroll-view.c
Examining data/cinnamon-4.6.7/src/st/st-scroll-view.h
Examining data/cinnamon-4.6.7/src/st/st-scrollable.c
Examining data/cinnamon-4.6.7/src/st/st-scrollable.h
Examining data/cinnamon-4.6.7/src/st/st-settings.c
Examining data/cinnamon-4.6.7/src/st/st-settings.h
Examining data/cinnamon-4.6.7/src/st/st-shadow.c
Examining data/cinnamon-4.6.7/src/st/st-shadow.h
Examining data/cinnamon-4.6.7/src/st/st-table-child.c
Examining data/cinnamon-4.6.7/src/st/st-table-child.h
Examining data/cinnamon-4.6.7/src/st/st-table-private.h
Examining data/cinnamon-4.6.7/src/st/st-table.c
Examining data/cinnamon-4.6.7/src/st/st-table.h
Examining data/cinnamon-4.6.7/src/st/st-texture-cache.c
Examining data/cinnamon-4.6.7/src/st/st-texture-cache.h
Examining data/cinnamon-4.6.7/src/st/st-theme-context.c
Examining data/cinnamon-4.6.7/src/st/st-theme-context.h
Examining data/cinnamon-4.6.7/src/st/st-theme-node-drawing.c
Examining data/cinnamon-4.6.7/src/st/st-theme-node-private.h
Examining data/cinnamon-4.6.7/src/st/st-theme-node-transition.c
Examining data/cinnamon-4.6.7/src/st/st-theme-node-transition.h
Examining data/cinnamon-4.6.7/src/st/st-theme-node.c
Examining data/cinnamon-4.6.7/src/st/st-theme-node.h
Examining data/cinnamon-4.6.7/src/st/st-theme-private.h
Examining data/cinnamon-4.6.7/src/st/st-theme.c
Examining data/cinnamon-4.6.7/src/st/st-theme.h
Examining data/cinnamon-4.6.7/src/st/st-types.h
Examining data/cinnamon-4.6.7/src/st/st-widget-accessible.h
Examining data/cinnamon-4.6.7/src/st/st-widget.c
Examining data/cinnamon-4.6.7/src/st/st-widget.h
Examining data/cinnamon-4.6.7/src/st/test-theme.c
Examining data/cinnamon-4.6.7/src/test-recorder.c
Examining data/cinnamon-4.6.7/src/tray/na-tray-child.c
Examining data/cinnamon-4.6.7/src/tray/na-tray-child.h
Examining data/cinnamon-4.6.7/src/tray/na-tray-manager.c
Examining data/cinnamon-4.6.7/src/tray/na-tray-manager.h
Examining data/cinnamon-4.6.7/src/main.c
Examining data/cinnamon-4.6.7/src/cinnamon-global.c

FINAL RESULTS:

data/cinnamon-4.6.7/src/cinnamon-app-system.c:61:61:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely (CWE-78). try using a library call that implements the same functionality if available.
CinnamonApp * lookup_heuristic_basename (CinnamonAppSystem *system, const char *name);
data/cinnamon-4.6.7/src/cinnamon-app-system.c:810:47:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely (CWE-78). try using a library call that implements the same functionality if available.
lookup_heuristic_basename (CinnamonAppSystem *system,
data/cinnamon-4.6.7/src/cinnamon-app-system.c:816:44:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely (CWE-78). try using a library call that implements the same functionality if available.
result = cinnamon_app_system_lookup_app (system, name);
data/cinnamon-4.6.7/src/cinnamon-app-system.c:823:48:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely (CWE-78). try using a library call that implements the same functionality if available.
result = cinnamon_app_system_lookup_app (system, tmpid);
data/cinnamon-4.6.7/src/cinnamon-app-system.c:856:64:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely (CWE-78). try using a library call that implements the same functionality if available.
cinnamon_app_system_lookup_desktop_wmclass (CinnamonAppSystem *system,
data/cinnamon-4.6.7/src/cinnamon-app-system.c:877:36:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely (CWE-78). try using a library call that implements the same functionality if available.
app = lookup_heuristic_basename (system, desktop_file);
data/cinnamon-4.6.7/src/cinnamon-app-system.c:897:64:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely (CWE-78). try using a library call that implements the same functionality if available.
cinnamon_app_system_lookup_startup_wmclass (CinnamonAppSystem *system,
data/cinnamon-4.6.7/src/cinnamon-app-system.h:42:86:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely (CWE-78). try using a library call that implements the same functionality if available.
GMenuTree *cinnamon_app_system_get_tree (CinnamonAppSystem *system);
data/cinnamon-4.6.7/src/cinnamon-app-system.h:44:90:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely (CWE-78). try using a library call that implements the same functionality if available.
CinnamonApp *cinnamon_app_system_lookup_app (CinnamonAppSystem *system,
data/cinnamon-4.6.7/src/cinnamon-app-system.h:46:89:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely (CWE-78). try using a library call that implements the same functionality if available.
CinnamonApp *cinnamon_app_system_lookup_startup_wmclass (CinnamonAppSystem *system,
data/cinnamon-4.6.7/src/cinnamon-app-system.h:48:89:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely (CWE-78). try using a library call that implements the same functionality if available.
CinnamonApp *cinnamon_app_system_lookup_desktop_wmclass (CinnamonAppSystem *system,
data/cinnamon-4.6.7/src/cinnamon-app-system.h:52:84:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely (CWE-78). try using a library call that implements the same functionality if available.
GSList *cinnamon_app_system_get_all (CinnamonAppSystem *system);
data/cinnamon-4.6.7/src/cinnamon-doc-system.h:35:60:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely (CWE-78). try using a library call that implements the same functionality if available.
GSList *cinnamon_doc_system_get_all (CinnamonDocSystem *system);
data/cinnamon-4.6.7/src/cinnamon-util.c:87:34:  [3] (buffer) g_get_home_dir:
  This function is synonymous with 'getenv("HOME")';it returns untrustable input if the environment can beset by an attacker. It can have any content and length, and the same variable can be set more than once (CWE-807, CWE-20). Check environment variables carefully before using them.
compare = g_file_new_for_path (g_get_home_dir ());
data/cinnamon-4.6.7/src/cinnamon-util.c:217:23:  [3] (buffer) g_get_home_dir:
  This function is synonymous with 'getenv("HOME")';it returns untrustable input if the environment can beset by an attacker. It can have any content and length, and the same variable can be set more than once (CWE-807, CWE-20). Check environment variables carefully before using them.
if (strcmp (path, g_get_home_dir ()) == 0)
data/cinnamon-4.6.7/src/cinnamon-perf-log.c:385:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
memcpy (block->buffer + pos, &time_delta, sizeof (guint32));
data/cinnamon-4.6.7/src/cinnamon-perf-log.c:387:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
memcpy (block->buffer + pos, &event->id, sizeof (guint16));
data/cinnamon-4.6.7/src/cinnamon-perf-log.c:389:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
memcpy (block->buffer + pos, bytes, bytes_len);
data/cinnamon-4.6.7/src/cinnamon-perf-log.c:720:11:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
memcpy (&time_delta, block->buffer + pos, sizeof (guint32));
data/cinnamon-4.6.7/src/cinnamon-perf-log.c:722:11:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
memcpy (&id, block->buffer + pos, sizeof (guint16));
data/cinnamon-4.6.7/src/cinnamon-perf-log.c:728:15:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
memcpy (&event_time, block->buffer + pos, sizeof (gint64));
data/cinnamon-4.6.7/src/cinnamon-perf-log.c:748:15:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
memcpy (&l, block->buffer + pos, sizeof (gint32));
data/cinnamon-4.6.7/src/cinnamon-perf-log.c:758:15:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
memcpy (&l, block->buffer + pos, sizeof (gint64));
data/cinnamon-4.6.7/src/cinnamon-recorder.c:228:7:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
f = fopen("/proc/meminfo", "r");
data/cinnamon-4.6.7/src/cinnamon-recorder.c:1301:17:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
outfile = open (filename->str, flags, 0666);
data/cinnamon-4.6.7/src/st/st-im-text.c:349:7:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
char buf[6];
data/cinnamon-4.6.7/src/st/st-private.c:373:11:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
memcpy (line, pixels_out + y_out * *rowstride_out, *rowstride_out);
data/cinnamon-4.6.7/src/tray/na-tray-manager.c:374:4:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
memcpy ((msg->str + msg->len - msg->remaining_len),
data/cinnamon-4.6.7/src/cinnamon-app-system.c:216:29:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
size_t name_len = strlen (name);
data/cinnamon-4.6.7/src/cinnamon-app-system.c:217:27:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
size_t id_len = strlen (id);
data/cinnamon-4.6.7/src/cinnamon-app-system.c:838:43:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
result = g_strndup (wm_class, strlen (wm_class) - 3);
data/cinnamon-4.6.7/src/cinnamon-perf-log.c:473:38:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
(const guchar *)arg, strlen (arg) + 1);
data/cinnamon-4.6.7/src/cinnamon-perf-log.c:768:22:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
pos += strlen ((char *)(block->buffer + pos)) + 1;
data/cinnamon-4.6.7/src/cinnamon-perf-log.c:803:47:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
return g_output_stream_write_all (out, str, strlen (str),
data/cinnamon-4.6.7/src/cinnamon-util.c:213:13:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
len = strlen (path);
data/cinnamon-4.6.7/src/cinnamon-util.c:672:50:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
return g_output_stream_write_all (stream, str, strlen (str),
data/cinnamon-4.6.7/src/cinnamon-util.c:836:41:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
xmlDocPtr doc = xmlParseMemory (data, strlen (data));
data/cinnamon-4.6.7/src/run-js-test.c:112:11:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
len = strlen (script);
data/cinnamon-4.6.7/src/run-js-test.c:116:11:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
len = strlen (script);
data/cinnamon-4.6.7/src/st/st-clipboard.c:142:24:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
strlen (clipboard->priv->clipboard_text));
data/cinnamon-4.6.7/src/st/st-entry.c:806:19:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (text && strlen (text))
data/cinnamon-4.6.7/src/st/st-entry.c:826:19:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (text && strlen (text))
data/cinnamon-4.6.7/src/st/st-theme.c:107:4:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
(strlen (str) != (lit_len) || memcmp (str, lit, lit_len))
data/cinnamon-4.6.7/src/st/st-widget.c:1048:14:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
gint len = strlen (class_name);
data/cinnamon-4.6.7/src/st/st-widget.c:1119:17:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
end = match + strlen (class_name);

ANALYSIS SUMMARY:

Hits = 45
Lines analyzed = 48963 in approximately 1.12 seconds (43904 lines/second)
Physical Source Lines of Code (SLOC) = 32930
Hits@level = [0]   1 [1]  17 [2]  13 [3]   2 [4]  13 [5]   0
Hits@level+ = [0+]  46 [1+]  45 [2+]  28 [3+]  15 [4+]  13 [5+]   0
Hits/KSLOC@level+ = [0+] 1.3969 [1+] 1.36654 [2+] 0.850288 [3+] 0.455512 [4+] 0.394777 [5+] 0
Dot directories skipped = 4 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.