Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/cinnamon-4.6.7/src/cinnamon-app-private.h
Examining data/cinnamon-4.6.7/src/cinnamon-app-system-private.h
Examining data/cinnamon-4.6.7/src/cinnamon-app-system.c
Examining data/cinnamon-4.6.7/src/cinnamon-app-system.h
Examining data/cinnamon-4.6.7/src/cinnamon-app.c
Examining data/cinnamon-4.6.7/src/cinnamon-app.h
Examining data/cinnamon-4.6.7/src/cinnamon-doc-system.c
Examining data/cinnamon-4.6.7/src/cinnamon-doc-system.h
Examining data/cinnamon-4.6.7/src/cinnamon-embedded-window-private.h
Examining data/cinnamon-4.6.7/src/cinnamon-embedded-window.c
Examining data/cinnamon-4.6.7/src/cinnamon-embedded-window.h
Examining data/cinnamon-4.6.7/src/cinnamon-generic-container.c
Examining data/cinnamon-4.6.7/src/cinnamon-generic-container.h
Examining data/cinnamon-4.6.7/src/cinnamon-global-private.h
Examining data/cinnamon-4.6.7/src/cinnamon-global.h
Examining data/cinnamon-4.6.7/src/cinnamon-gtk-embed.c
Examining data/cinnamon-4.6.7/src/cinnamon-gtk-embed.h
Examining data/cinnamon-4.6.7/src/cinnamon-perf-helper.c
Examining data/cinnamon-4.6.7/src/cinnamon-perf-log.c
Examining data/cinnamon-4.6.7/src/cinnamon-perf-log.h
Examining data/cinnamon-4.6.7/src/cinnamon-plugin.c
Examining data/cinnamon-4.6.7/src/cinnamon-recorder-src.c
Examining data/cinnamon-4.6.7/src/cinnamon-recorder-src.h
Examining data/cinnamon-4.6.7/src/cinnamon-recorder.c
Examining data/cinnamon-4.6.7/src/cinnamon-recorder.h
Examining data/cinnamon-4.6.7/src/cinnamon-screenshot.c
Examining data/cinnamon-4.6.7/src/cinnamon-screenshot.h
Examining data/cinnamon-4.6.7/src/cinnamon-slicer.c
Examining data/cinnamon-4.6.7/src/cinnamon-slicer.h
Examining data/cinnamon-4.6.7/src/cinnamon-stack.c
Examining data/cinnamon-4.6.7/src/cinnamon-stack.h
Examining data/cinnamon-4.6.7/src/cinnamon-tray-icon.c
Examining data/cinnamon-4.6.7/src/cinnamon-tray-icon.h
Examining data/cinnamon-4.6.7/src/cinnamon-tray-manager.c
Examining data/cinnamon-4.6.7/src/cinnamon-tray-manager.h
Examining data/cinnamon-4.6.7/src/cinnamon-util.c
Examining data/cinnamon-4.6.7/src/cinnamon-util.h
Examining data/cinnamon-4.6.7/src/cinnamon-window-tracker-private.h
Examining data/cinnamon-4.6.7/src/cinnamon-window-tracker.c
Examining data/cinnamon-4.6.7/src/cinnamon-window-tracker.h
Examining data/cinnamon-4.6.7/src/cinnamon-wm-private.h
Examining data/cinnamon-4.6.7/src/cinnamon-wm.c
Examining data/cinnamon-4.6.7/src/cinnamon-wm.h
Examining data/cinnamon-4.6.7/src/cinnamon-xfixes-cursor.c
Examining data/cinnamon-4.6.7/src/cinnamon-xfixes-cursor.h
Examining data/cinnamon-4.6.7/src/hotplug-sniffer/cinnamon-mime-sniffer.c
Examining data/cinnamon-4.6.7/src/hotplug-sniffer/cinnamon-mime-sniffer.h
Examining data/cinnamon-4.6.7/src/hotplug-sniffer/hotplug-mimetypes.h
Examining data/cinnamon-4.6.7/src/hotplug-sniffer/hotplug-sniffer.c
Examining data/cinnamon-4.6.7/src/run-js-test.c
Examining data/cinnamon-4.6.7/src/st/st-adjustment.c
Examining data/cinnamon-4.6.7/src/st/st-adjustment.h
Examining data/cinnamon-4.6.7/src/st/st-background-effect.c
Examining data/cinnamon-4.6.7/src/st/st-background-effect.h
Examining data/cinnamon-4.6.7/src/st/st-bin.c
Examining data/cinnamon-4.6.7/src/st/st-bin.h
Examining data/cinnamon-4.6.7/src/st/st-border-image.c
Examining data/cinnamon-4.6.7/src/st/st-border-image.h
Examining data/cinnamon-4.6.7/src/st/st-box-layout-child.c
Examining data/cinnamon-4.6.7/src/st/st-box-layout-child.h
Examining data/cinnamon-4.6.7/src/st/st-box-layout.c
Examining data/cinnamon-4.6.7/src/st/st-box-layout.h
Examining data/cinnamon-4.6.7/src/st/st-button.c
Examining data/cinnamon-4.6.7/src/st/st-button.h
Examining data/cinnamon-4.6.7/src/st/st-clipboard.c
Examining data/cinnamon-4.6.7/src/st/st-clipboard.h
Examining data/cinnamon-4.6.7/src/st/st-cogl-wrapper.c
Examining data/cinnamon-4.6.7/src/st/st-cogl-wrapper.h
Examining data/cinnamon-4.6.7/src/st/st-drawing-area.c
Examining data/cinnamon-4.6.7/src/st/st-drawing-area.h
Examining data/cinnamon-4.6.7/src/st/st-entry.c
Examining data/cinnamon-4.6.7/src/st/st-entry.h
Examining data/cinnamon-4.6.7/src/st/st-focus-manager.c
Examining data/cinnamon-4.6.7/src/st/st-focus-manager.h
Examining data/cinnamon-4.6.7/src/st/st-group.c
Examining data/cinnamon-4.6.7/src/st/st-group.h
Examining data/cinnamon-4.6.7/src/st/st-icon-colors.c
Examining data/cinnamon-4.6.7/src/st/st-icon-colors.h
Examining data/cinnamon-4.6.7/src/st/st-icon.c
Examining data/cinnamon-4.6.7/src/st/st-icon.h
Examining data/cinnamon-4.6.7/src/st/st-im-text.c
Examining data/cinnamon-4.6.7/src/st/st-im-text.h
Examining data/cinnamon-4.6.7/src/st/st-label.c
Examining data/cinnamon-4.6.7/src/st/st-label.h
Examining data/cinnamon-4.6.7/src/st/st-polygon.c
Examining data/cinnamon-4.6.7/src/st/st-polygon.h
Examining data/cinnamon-4.6.7/src/st/st-private.c
Examining data/cinnamon-4.6.7/src/st/st-private.h
Examining data/cinnamon-4.6.7/src/st/st-scroll-bar.c
Examining data/cinnamon-4.6.7/src/st/st-scroll-bar.h
Examining data/cinnamon-4.6.7/src/st/st-scroll-view-fade.c
Examining data/cinnamon-4.6.7/src/st/st-scroll-view-fade.h
Examining data/cinnamon-4.6.7/src/st/st-scroll-view.c
Examining data/cinnamon-4.6.7/src/st/st-scroll-view.h
Examining data/cinnamon-4.6.7/src/st/st-scrollable.c
Examining data/cinnamon-4.6.7/src/st/st-scrollable.h
Examining data/cinnamon-4.6.7/src/st/st-settings.c
Examining data/cinnamon-4.6.7/src/st/st-settings.h
Examining data/cinnamon-4.6.7/src/st/st-shadow.c
Examining data/cinnamon-4.6.7/src/st/st-shadow.h
Examining data/cinnamon-4.6.7/src/st/st-table-child.c
Examining data/cinnamon-4.6.7/src/st/st-table-child.h
Examining data/cinnamon-4.6.7/src/st/st-table-private.h
Examining data/cinnamon-4.6.7/src/st/st-table.c
Examining data/cinnamon-4.6.7/src/st/st-table.h
Examining data/cinnamon-4.6.7/src/st/st-texture-cache.c
Examining data/cinnamon-4.6.7/src/st/st-texture-cache.h
Examining data/cinnamon-4.6.7/src/st/st-theme-context.c
Examining data/cinnamon-4.6.7/src/st/st-theme-context.h
Examining data/cinnamon-4.6.7/src/st/st-theme-node-drawing.c
Examining data/cinnamon-4.6.7/src/st/st-theme-node-private.h
Examining data/cinnamon-4.6.7/src/st/st-theme-node-transition.c
Examining data/cinnamon-4.6.7/src/st/st-theme-node-transition.h
Examining data/cinnamon-4.6.7/src/st/st-theme-node.c
Examining data/cinnamon-4.6.7/src/st/st-theme-node.h
Examining data/cinnamon-4.6.7/src/st/st-theme-private.h
Examining data/cinnamon-4.6.7/src/st/st-theme.c
Examining data/cinnamon-4.6.7/src/st/st-theme.h
Examining data/cinnamon-4.6.7/src/st/st-types.h
Examining data/cinnamon-4.6.7/src/st/st-widget-accessible.h
Examining data/cinnamon-4.6.7/src/st/st-widget.c
Examining data/cinnamon-4.6.7/src/st/st-widget.h
Examining data/cinnamon-4.6.7/src/st/test-theme.c
Examining data/cinnamon-4.6.7/src/test-recorder.c
Examining data/cinnamon-4.6.7/src/tray/na-tray-child.c
Examining data/cinnamon-4.6.7/src/tray/na-tray-child.h
Examining data/cinnamon-4.6.7/src/tray/na-tray-manager.c
Examining data/cinnamon-4.6.7/src/tray/na-tray-manager.h
Examining data/cinnamon-4.6.7/src/main.c
Examining data/cinnamon-4.6.7/src/cinnamon-global.c
FINAL RESULTS:
data/cinnamon-4.6.7/src/cinnamon-app-system.c:61:61: [4] (shell) system:
This causes a new program to execute and is difficult to use safely
(CWE-78). try using a library call that implements the same functionality
if available.
CinnamonApp * lookup_heuristic_basename (CinnamonAppSystem *system, const char *name);
data/cinnamon-4.6.7/src/cinnamon-app-system.c:810:47: [4] (shell) system:
This causes a new program to execute and is difficult to use safely
(CWE-78). try using a library call that implements the same functionality
if available.
lookup_heuristic_basename (CinnamonAppSystem *system,
data/cinnamon-4.6.7/src/cinnamon-app-system.c:816:44: [4] (shell) system:
This causes a new program to execute and is difficult to use safely
(CWE-78). try using a library call that implements the same functionality
if available.
result = cinnamon_app_system_lookup_app (system, name);
data/cinnamon-4.6.7/src/cinnamon-app-system.c:823:48: [4] (shell) system:
This causes a new program to execute and is difficult to use safely
(CWE-78). try using a library call that implements the same functionality
if available.
result = cinnamon_app_system_lookup_app (system, tmpid);
data/cinnamon-4.6.7/src/cinnamon-app-system.c:856:64: [4] (shell) system:
This causes a new program to execute and is difficult to use safely
(CWE-78). try using a library call that implements the same functionality
if available.
cinnamon_app_system_lookup_desktop_wmclass (CinnamonAppSystem *system,
data/cinnamon-4.6.7/src/cinnamon-app-system.c:877:36: [4] (shell) system:
This causes a new program to execute and is difficult to use safely
(CWE-78). try using a library call that implements the same functionality
if available.
app = lookup_heuristic_basename (system, desktop_file);
data/cinnamon-4.6.7/src/cinnamon-app-system.c:897:64: [4] (shell) system:
This causes a new program to execute and is difficult to use safely
(CWE-78). try using a library call that implements the same functionality
if available.
cinnamon_app_system_lookup_startup_wmclass (CinnamonAppSystem *system,
data/cinnamon-4.6.7/src/cinnamon-app-system.h:42:86: [4] (shell) system:
This causes a new program to execute and is difficult to use safely
(CWE-78). try using a library call that implements the same functionality
if available.
GMenuTree *cinnamon_app_system_get_tree (CinnamonAppSystem *system);
data/cinnamon-4.6.7/src/cinnamon-app-system.h:44:90: [4] (shell) system:
This causes a new program to execute and is difficult to use safely
(CWE-78). try using a library call that implements the same functionality
if available.
CinnamonApp *cinnamon_app_system_lookup_app (CinnamonAppSystem *system,
data/cinnamon-4.6.7/src/cinnamon-app-system.h:46:89: [4] (shell) system:
This causes a new program to execute and is difficult to use safely
(CWE-78). try using a library call that implements the same functionality
if available.
CinnamonApp *cinnamon_app_system_lookup_startup_wmclass (CinnamonAppSystem *system,
data/cinnamon-4.6.7/src/cinnamon-app-system.h:48:89: [4] (shell) system:
This causes a new program to execute and is difficult to use safely
(CWE-78). try using a library call that implements the same functionality
if available.
CinnamonApp *cinnamon_app_system_lookup_desktop_wmclass (CinnamonAppSystem *system,
data/cinnamon-4.6.7/src/cinnamon-app-system.h:52:84: [4] (shell) system:
This causes a new program to execute and is difficult to use safely
(CWE-78). try using a library call that implements the same functionality
if available.
GSList *cinnamon_app_system_get_all (CinnamonAppSystem *system);
data/cinnamon-4.6.7/src/cinnamon-doc-system.h:35:60: [4] (shell) system:
This causes a new program to execute and is difficult to use safely
(CWE-78). try using a library call that implements the same functionality
if available.
GSList *cinnamon_doc_system_get_all (CinnamonDocSystem *system);
data/cinnamon-4.6.7/src/cinnamon-util.c:87:34: [3] (buffer) g_get_home_dir:
This function is synonymous with 'getenv("HOME")';it returns untrustable
input if the environment can beset by an attacker. It can have any content
and length, and the same variable can be set more than once (CWE-807,
CWE-20). Check environment variables carefully before using them.
compare = g_file_new_for_path (g_get_home_dir ());
data/cinnamon-4.6.7/src/cinnamon-util.c:217:23: [3] (buffer) g_get_home_dir:
This function is synonymous with 'getenv("HOME")';it returns untrustable
input if the environment can beset by an attacker. It can have any content
and length, and the same variable can be set more than once (CWE-807,
CWE-20). Check environment variables carefully before using them.
if (strcmp (path, g_get_home_dir ()) == 0)
data/cinnamon-4.6.7/src/cinnamon-perf-log.c:385:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy (block->buffer + pos, &time_delta, sizeof (guint32));
data/cinnamon-4.6.7/src/cinnamon-perf-log.c:387:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy (block->buffer + pos, &event->id, sizeof (guint16));
data/cinnamon-4.6.7/src/cinnamon-perf-log.c:389:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy (block->buffer + pos, bytes, bytes_len);
data/cinnamon-4.6.7/src/cinnamon-perf-log.c:720:11: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy (&time_delta, block->buffer + pos, sizeof (guint32));
data/cinnamon-4.6.7/src/cinnamon-perf-log.c:722:11: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy (&id, block->buffer + pos, sizeof (guint16));
data/cinnamon-4.6.7/src/cinnamon-perf-log.c:728:15: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy (&event_time, block->buffer + pos, sizeof (gint64));
data/cinnamon-4.6.7/src/cinnamon-perf-log.c:748:15: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy (&l, block->buffer + pos, sizeof (gint32));
data/cinnamon-4.6.7/src/cinnamon-perf-log.c:758:15: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy (&l, block->buffer + pos, sizeof (gint64));
data/cinnamon-4.6.7/src/cinnamon-recorder.c:228:7: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
f = fopen("/proc/meminfo", "r");
data/cinnamon-4.6.7/src/cinnamon-recorder.c:1301:17: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
outfile = open (filename->str, flags, 0666);
data/cinnamon-4.6.7/src/st/st-im-text.c:349:7: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[6];
data/cinnamon-4.6.7/src/st/st-private.c:373:11: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy (line, pixels_out + y_out * *rowstride_out, *rowstride_out);
data/cinnamon-4.6.7/src/tray/na-tray-manager.c:374:4: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy ((msg->str + msg->len - msg->remaining_len),
data/cinnamon-4.6.7/src/cinnamon-app-system.c:216:29: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
size_t name_len = strlen (name);
data/cinnamon-4.6.7/src/cinnamon-app-system.c:217:27: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
size_t id_len = strlen (id);
data/cinnamon-4.6.7/src/cinnamon-app-system.c:838:43: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
result = g_strndup (wm_class, strlen (wm_class) - 3);
data/cinnamon-4.6.7/src/cinnamon-perf-log.c:473:38: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
(const guchar *)arg, strlen (arg) + 1);
data/cinnamon-4.6.7/src/cinnamon-perf-log.c:768:22: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
pos += strlen ((char *)(block->buffer + pos)) + 1;
data/cinnamon-4.6.7/src/cinnamon-perf-log.c:803:47: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
return g_output_stream_write_all (out, str, strlen (str),
data/cinnamon-4.6.7/src/cinnamon-util.c:213:13: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
len = strlen (path);
data/cinnamon-4.6.7/src/cinnamon-util.c:672:50: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
return g_output_stream_write_all (stream, str, strlen (str),
data/cinnamon-4.6.7/src/cinnamon-util.c:836:41: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
xmlDocPtr doc = xmlParseMemory (data, strlen (data));
data/cinnamon-4.6.7/src/run-js-test.c:112:11: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
len = strlen (script);
data/cinnamon-4.6.7/src/run-js-test.c:116:11: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
len = strlen (script);
data/cinnamon-4.6.7/src/st/st-clipboard.c:142:24: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
strlen (clipboard->priv->clipboard_text));
data/cinnamon-4.6.7/src/st/st-entry.c:806:19: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (text && strlen (text))
data/cinnamon-4.6.7/src/st/st-entry.c:826:19: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (text && strlen (text))
data/cinnamon-4.6.7/src/st/st-theme.c:107:4: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
(strlen (str) != (lit_len) || memcmp (str, lit, lit_len))
data/cinnamon-4.6.7/src/st/st-widget.c:1048:14: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
gint len = strlen (class_name);
data/cinnamon-4.6.7/src/st/st-widget.c:1119:17: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
end = match + strlen (class_name);
ANALYSIS SUMMARY:
Hits = 45
Lines analyzed = 48963 in approximately 1.12 seconds (43904 lines/second)
Physical Source Lines of Code (SLOC) = 32930
Hits@level = [0] 1 [1] 17 [2] 13 [3] 2 [4] 13 [5] 0
Hits@level+ = [0+] 46 [1+] 45 [2+] 28 [3+] 15 [4+] 13 [5+] 0
Hits/KSLOC@level+ = [0+] 1.3969 [1+] 1.36654 [2+] 0.850288 [3+] 0.455512 [4+] 0.394777 [5+] 0
Dot directories skipped = 4 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.