Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/gnome-desktop3-3.38.2/libgnome-desktop/default-input-sources.h
Examining data/gnome-desktop3-3.38.2/libgnome-desktop/gnome-bg-crossfade.c
Examining data/gnome-desktop3-3.38.2/libgnome-desktop/gnome-bg-crossfade.h
Examining data/gnome-desktop3-3.38.2/libgnome-desktop/gnome-bg-slide-show.c
Examining data/gnome-desktop3-3.38.2/libgnome-desktop/gnome-bg-slide-show.h
Examining data/gnome-desktop3-3.38.2/libgnome-desktop/gnome-bg.c
Examining data/gnome-desktop3-3.38.2/libgnome-desktop/gnome-bg.h
Examining data/gnome-desktop3-3.38.2/libgnome-desktop/gnome-datetime-source.c
Examining data/gnome-desktop3-3.38.2/libgnome-desktop/gnome-datetime-source.h
Examining data/gnome-desktop3-3.38.2/libgnome-desktop/gnome-desktop-thumbnail-script.c
Examining data/gnome-desktop3-3.38.2/libgnome-desktop/gnome-desktop-thumbnail-script.h
Examining data/gnome-desktop3-3.38.2/libgnome-desktop/gnome-desktop-thumbnail.c
Examining data/gnome-desktop3-3.38.2/libgnome-desktop/gnome-desktop-thumbnail.h
Examining data/gnome-desktop3-3.38.2/libgnome-desktop/gnome-idle-monitor.c
Examining data/gnome-desktop3-3.38.2/libgnome-desktop/gnome-idle-monitor.h
Examining data/gnome-desktop3-3.38.2/libgnome-desktop/gnome-languages.c
Examining data/gnome-desktop3-3.38.2/libgnome-desktop/gnome-languages.h
Examining data/gnome-desktop3-3.38.2/libgnome-desktop/gnome-pnp-ids.c
Examining data/gnome-desktop3-3.38.2/libgnome-desktop/gnome-pnp-ids.h
Examining data/gnome-desktop3-3.38.2/libgnome-desktop/gnome-rr-config.c
Examining data/gnome-desktop3-3.38.2/libgnome-desktop/gnome-rr-config.h
Examining data/gnome-desktop3-3.38.2/libgnome-desktop/gnome-rr-debug.c
Examining data/gnome-desktop3-3.38.2/libgnome-desktop/gnome-rr-output-info.c
Examining data/gnome-desktop3-3.38.2/libgnome-desktop/gnome-rr-private.h
Examining data/gnome-desktop3-3.38.2/libgnome-desktop/gnome-rr.c
Examining data/gnome-desktop3-3.38.2/libgnome-desktop/gnome-rr.h
Examining data/gnome-desktop3-3.38.2/libgnome-desktop/gnome-systemd.c
Examining data/gnome-desktop3-3.38.2/libgnome-desktop/gnome-systemd.h
Examining data/gnome-desktop3-3.38.2/libgnome-desktop/gnome-wall-clock.c
Examining data/gnome-desktop3-3.38.2/libgnome-desktop/gnome-wall-clock.h
Examining data/gnome-desktop3-3.38.2/libgnome-desktop/gnome-xkb-info.h
Examining data/gnome-desktop3-3.38.2/libgnome-desktop/meta-xrandr-shared.h
Examining data/gnome-desktop3-3.38.2/libgnome-desktop/test-desktop-thumbnail.c
Examining data/gnome-desktop3-3.38.2/libgnome-desktop/test-idle-monitor.c
Examining data/gnome-desktop3-3.38.2/libgnome-desktop/test-languages.c
Examining data/gnome-desktop3-3.38.2/libgnome-desktop/test-pnp-ids.c
Examining data/gnome-desktop3-3.38.2/libgnome-desktop/test-wall-clock.c
Examining data/gnome-desktop3-3.38.2/libgnome-desktop/test-xkb-info.c
Examining data/gnome-desktop3-3.38.2/libgnome-desktop/gnome-xkb-info.c
Examining data/gnome-desktop3-3.38.2/tests/wall-clock.c
Examining data/gnome-desktop3-3.38.2/tests/wallclock-reftest.c
FINAL RESULTS:
data/gnome-desktop3-3.38.2/libgnome-desktop/gnome-desktop-thumbnail-script.c:301:16: [4] (format) syslog:
If syslog's format strings can be influenced by an attacker, they can be
exploited (CWE-134). Use a constant format string for syslog.
{SCMP_SYS (syslog)},
data/gnome-desktop3-3.38.2/tests/wallclock-reftest.c:53:27: [3] (buffer) g_get_tmp_dir:
This function is synonymous with 'getenv("TMP")';it returns untrustable
input if the environment can beset by an attacker. It can have any content
and length, and the same variable can be set more than once (CWE-807,
CWE-20). Check environment variables carefully before using them.
result = g_strconcat (g_get_tmp_dir (), G_DIR_SEPARATOR_S, base, extension, NULL);
data/gnome-desktop3-3.38.2/libgnome-desktop/gnome-bg-slide-show.c:293:47: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
size->width = atoi (attr_values[i]);
data/gnome-desktop3-3.38.2/libgnome-desktop/gnome-bg-slide-show.c:295:48: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
size->height = atoi (attr_values[i]);
data/gnome-desktop3-3.38.2/libgnome-desktop/gnome-bg.c:2042:4: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy (d, gradient, copy_bytes_per_row);
data/gnome-desktop3-3.38.2/libgnome-desktop/gnome-desktop-thumbnail.c:1113:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char mtime_str[21];
data/gnome-desktop3-3.38.2/libgnome-desktop/gnome-desktop-thumbnail.c:1294:17: [2] (integer) atol:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
thumb_mtime = atol (thumb_mtime_str);
data/gnome-desktop3-3.38.2/libgnome-desktop/gnome-languages.c:684:9: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char first[8] = { 0 };
data/gnome-desktop3-3.38.2/libgnome-desktop/gnome-bg.c:532:89: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
md5_filename = g_compute_checksum_for_data (G_CHECKSUM_MD5, (const guchar *) filename, strlen (filename));
data/gnome-desktop3-3.38.2/libgnome-desktop/gnome-desktop-thumbnail-script.c:179:7: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (strlen (m) == 4 && m[0] == 'i' && m[2] == '8' && m[3] == '6')
data/gnome-desktop3-3.38.2/libgnome-desktop/gnome-desktop-thumbnail.c:743:54: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
g_checksum_update (checksum, (const guchar *) uri, strlen (uri));
data/gnome-desktop3-3.38.2/libgnome-desktop/gnome-languages.c:448:21: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (strlen (old_locale->name) > strlen (locale->name)) {
data/gnome-desktop3-3.38.2/libgnome-desktop/gnome-languages.c:448:49: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (strlen (old_locale->name) > strlen (locale->name)) {
data/gnome-desktop3-3.38.2/libgnome-desktop/gnome-languages.c:653:15: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
len = strlen (code);
data/gnome-desktop3-3.38.2/libgnome-desktop/gnome-languages.c:742:15: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
len = strlen (code);
data/gnome-desktop3-3.38.2/libgnome-desktop/gnome-languages.c:819:37: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (strlen (*attr_values) != 2) {
data/gnome-desktop3-3.38.2/libgnome-desktop/gnome-languages.c:827:37: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (strlen (*attr_values) != 3) {
data/gnome-desktop3-3.38.2/libgnome-desktop/gnome-languages.c:835:37: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (strlen (*attr_values) != 3) {
data/gnome-desktop3-3.38.2/libgnome-desktop/gnome-languages.c:843:37: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (strlen (*attr_values) != 2 &&
data/gnome-desktop3-3.38.2/libgnome-desktop/gnome-languages.c:844:37: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
strlen (*attr_values) != 3) {
data/gnome-desktop3-3.38.2/libgnome-desktop/gnome-languages.c:920:37: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (strlen (*attr_values) != 2) {
data/gnome-desktop3-3.38.2/libgnome-desktop/gnome-languages.c:928:37: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (strlen (*attr_values) != 3) {
data/gnome-desktop3-3.38.2/libgnome-desktop/gnome-languages.c:936:37: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (strlen (*attr_values) != 3) {
data/gnome-desktop3-3.38.2/libgnome-desktop/gnome-systemd.c:150:45: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
GString * const str = g_string_sized_new (strlen (in));
data/gnome-desktop3-3.38.2/libgnome-desktop/gnome-systemd.c:228:33: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
name_tmp = g_strndup (name, strlen (name) - 8);
data/gnome-desktop3-3.38.2/tests/wallclock-reftest.c:48:10: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
base[strlen (base) - strlen (".ui")] = '\0';
data/gnome-desktop3-3.38.2/tests/wallclock-reftest.c:48:26: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
base[strlen (base) - strlen (".ui")] = '\0';
data/gnome-desktop3-3.38.2/tests/wallclock-reftest.c:67:43: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
g_string_append_len (file, test_file, strlen (test_file) - strlen (".ui"));
data/gnome-desktop3-3.38.2/tests/wallclock-reftest.c:67:64: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
g_string_append_len (file, test_file, strlen (test_file) - strlen (".ui"));
ANALYSIS SUMMARY:
Hits = 29
Lines analyzed = 17335 in approximately 0.43 seconds (40278 lines/second)
Physical Source Lines of Code (SLOC) = 12043
Hits@level = [0] 0 [1] 21 [2] 6 [3] 1 [4] 1 [5] 0
Hits@level+ = [0+] 29 [1+] 29 [2+] 8 [3+] 2 [4+] 1 [5+] 0
Hits/KSLOC@level+ = [0+] 2.40804 [1+] 2.40804 [2+] 0.664286 [3+] 0.166072 [4+] 0.0830358 [5+] 0
Dot directories skipped = 2 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.