Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/fcitx-ui-light-0.1.3/src/InputWindow.c
Examining data/fcitx-ui-light-0.1.3/src/InputWindow.h
Examining data/fcitx-ui-light-0.1.3/src/MainWindow.c
Examining data/fcitx-ui-light-0.1.3/src/MainWindow.h
Examining data/fcitx-ui-light-0.1.3/src/MenuWindow.c
Examining data/fcitx-ui-light-0.1.3/src/MenuWindow.h
Examining data/fcitx-ui-light-0.1.3/src/TrayWindow.c
Examining data/fcitx-ui-light-0.1.3/src/TrayWindow.h
Examining data/fcitx-ui-light-0.1.3/src/draw.c
Examining data/fcitx-ui-light-0.1.3/src/draw.h
Examining data/fcitx-ui-light-0.1.3/src/font.c
Examining data/fcitx-ui-light-0.1.3/src/font.h
Examining data/fcitx-ui-light-0.1.3/src/lightui.c
Examining data/fcitx-ui-light-0.1.3/src/lightui.h
Examining data/fcitx-ui-light-0.1.3/src/lightuiconfig.c
Examining data/fcitx-ui-light-0.1.3/src/tray.c
Examining data/fcitx-ui-light-0.1.3/src/tray.h

FINAL RESULTS:

data/fcitx-ui-light-0.1.3/src/font.c:40:9:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf.
        sprintf((char*)strpat, ":lang=%s", locale);
data/fcitx-ui-light-0.1.3/src/lightui.c:380:17:  [4] (shell) execl:
  This causes a new program to execute and is difficult to use safely
  (CWE-78). try using a library call that implements the same functionality
  if available.
                execl(BINDIR "/fcitx-configtool", "fcitx-configtool", NULL);
data/fcitx-ui-light-0.1.3/src/draw.c:167:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char *strUp[MAX_MESSAGE_COUNT];
data/fcitx-ui-light-0.1.3/src/draw.c:168:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char *strDown[MAX_MESSAGE_COUNT];
data/fcitx-ui-light-0.1.3/src/draw.c:208:21:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
                    char strTemp[MESSAGE_MAX_LENGTH];
data/fcitx-ui-light-0.1.3/src/font.c:29:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char locale[3];
data/fcitx-ui-light-0.1.3/src/font.c:34:9:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused). Risk is low because the source is a constant string.
        strcpy(locale, "zh");
data/fcitx-ui-light-0.1.3/src/draw.c:203:26:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
            int length = strlen(FcitxMessagesGetMessageString(msgup, i));
data/fcitx-ui-light-0.1.3/src/draw.c:210:21:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
                    strncpy(strTemp, strUp[i], iChar);
data/fcitx-ui-light-0.1.3/src/draw.c:349:10:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    if ( strlen(name) > 0 )
data/fcitx-ui-light-0.1.3/src/draw.c:378:63:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
        HASH_ADD_KEYPTR(hh, lightui->imageTable, image->name, strlen(image->name), image);
data/fcitx-ui-light-0.1.3/src/font.c:32:9:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
        strncpy(locale, strUserLocale, 2);
data/fcitx-ui-light-0.1.3/src/font.c:76:9:  [1] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused). Risk is low because the source is a constant character.
        strcpy(*font, "");
data/fcitx-ui-light-0.1.3/src/font.c:122:73:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    XftDrawStringUtf8 (xftDraw, &xftColor, font, x, y, (FcChar8 *) str, strlen (str));
data/fcitx-ui-light-0.1.3/src/font.c:135:53:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    XftTextExtentsUtf8 (dpy, font, (FcChar8 *) str, strlen (str), &extents);
data/fcitx-ui-light-0.1.3/src/font.c:148:53:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    XftTextExtentsUtf8 (dpy, font, (FcChar8 *) str, strlen (str), &extents);

ANALYSIS SUMMARY:

Hits = 16
Lines analyzed = 3242 in approximately 0.11 seconds (29185 lines/second)
Physical Source Lines of Code (SLOC) = 2438
Hits@level = [0]   0 [1]   9 [2]   5 [3]   0 [4]   2 [5]   0
Hits@level+ = [0+]  16 [1+]  16 [2+]   7 [3+]   2 [4+]   2 [5+]   0
Hits/KSLOC@level+ = [0+] 6.56276 [1+] 6.56276 [2+] 2.87121 [3+] 0.820345 [4+] 0.820345 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.