Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler. Number of rules (primarily dangerous function names) in C/C++ ruleset: 223 Examining data/gnome-twitch-0.4.1/include/gnome-twitch/gt-log.h Examining data/gnome-twitch-0.4.1/include/gnome-twitch/gt-player-backend.h Examining data/gnome-twitch-0.4.1/player-backends/player-backend-gstreamer-cairo/gt-player-backend-gstreamer-cairo.c Examining data/gnome-twitch-0.4.1/player-backends/player-backend-gstreamer-cairo/gt-player-backend-gstreamer-cairo.h Examining data/gnome-twitch-0.4.1/player-backends/player-backend-gstreamer-clutter/gt-player-backend-gstreamer-clutter.c Examining data/gnome-twitch-0.4.1/player-backends/player-backend-gstreamer-clutter/gt-player-backend-gstreamer-clutter.h Examining data/gnome-twitch-0.4.1/player-backends/player-backend-gstreamer-opengl/gt-player-backend-gstreamer-opengl.c Examining data/gnome-twitch-0.4.1/player-backends/player-backend-gstreamer-opengl/gt-player-backend-gstreamer-opengl.h Examining data/gnome-twitch-0.4.1/player-backends/player-backend-mpv-opengl/gt-player-backend-mpv-opengl.c Examining data/gnome-twitch-0.4.1/player-backends/player-backend-mpv-opengl/gt-player-backend-mpv-opengl.h Examining data/gnome-twitch-0.4.1/src/gt-app.c Examining data/gnome-twitch-0.4.1/src/gt-app.h Examining data/gnome-twitch-0.4.1/src/gt-browse-header-bar.c Examining data/gnome-twitch-0.4.1/src/gt-browse-header-bar.h Examining data/gnome-twitch-0.4.1/src/gt-channel-container-view.c Examining data/gnome-twitch-0.4.1/src/gt-channel-container-view.h Examining data/gnome-twitch-0.4.1/src/gt-channel.c Examining data/gnome-twitch-0.4.1/src/gt-channel.h Examining data/gnome-twitch-0.4.1/src/gt-channels-container-child.c Examining data/gnome-twitch-0.4.1/src/gt-channels-container-child.h Examining data/gnome-twitch-0.4.1/src/gt-chat.c Examining data/gnome-twitch-0.4.1/src/gt-chat.h Examining data/gnome-twitch-0.4.1/src/gt-container-view.c Examining data/gnome-twitch-0.4.1/src/gt-container-view.h Examining data/gnome-twitch-0.4.1/src/gt-enums.c Examining data/gnome-twitch-0.4.1/src/gt-enums.h Examining data/gnome-twitch-0.4.1/src/gt-followed-channel-container.c Examining data/gnome-twitch-0.4.1/src/gt-followed-channel-container.h Examining data/gnome-twitch-0.4.1/src/gt-followed-container-view.c Examining data/gnome-twitch-0.4.1/src/gt-followed-container-view.h Examining data/gnome-twitch-0.4.1/src/gt-follows-manager.c Examining data/gnome-twitch-0.4.1/src/gt-follows-manager.h Examining data/gnome-twitch-0.4.1/src/gt-game-channel-container.c Examining data/gnome-twitch-0.4.1/src/gt-game-channel-container.h Examining data/gnome-twitch-0.4.1/src/gt-game-container-view.c Examining data/gnome-twitch-0.4.1/src/gt-game-container-view.h Examining data/gnome-twitch-0.4.1/src/gt-game.c Examining data/gnome-twitch-0.4.1/src/gt-game.h Examining data/gnome-twitch-0.4.1/src/gt-games-container-child.c Examining data/gnome-twitch-0.4.1/src/gt-games-container-child.h Examining data/gnome-twitch-0.4.1/src/gt-irc.c Examining data/gnome-twitch-0.4.1/src/gt-irc.h Examining data/gnome-twitch-0.4.1/src/gt-item-container.c Examining data/gnome-twitch-0.4.1/src/gt-item-container.h Examining data/gnome-twitch-0.4.1/src/gt-player-backend.c Examining data/gnome-twitch-0.4.1/src/gt-player-header-bar.c Examining data/gnome-twitch-0.4.1/src/gt-player-header-bar.h Examining data/gnome-twitch-0.4.1/src/gt-player.c Examining data/gnome-twitch-0.4.1/src/gt-player.h Examining data/gnome-twitch-0.4.1/src/gt-resource-downloader.c Examining data/gnome-twitch-0.4.1/src/gt-resource-downloader.h Examining data/gnome-twitch-0.4.1/src/gt-search-channel-container.c Examining data/gnome-twitch-0.4.1/src/gt-search-channel-container.h Examining data/gnome-twitch-0.4.1/src/gt-search-game-container.c Examining data/gnome-twitch-0.4.1/src/gt-search-game-container.h Examining data/gnome-twitch-0.4.1/src/gt-settings-dlg.c Examining data/gnome-twitch-0.4.1/src/gt-settings-dlg.h Examining data/gnome-twitch-0.4.1/src/gt-top-channel-container.c Examining data/gnome-twitch-0.4.1/src/gt-top-channel-container.h Examining data/gnome-twitch-0.4.1/src/gt-top-game-container.c Examining data/gnome-twitch-0.4.1/src/gt-top-game-container.h Examining data/gnome-twitch-0.4.1/src/gt-twitch-channel-info-dlg.c Examining data/gnome-twitch-0.4.1/src/gt-twitch-channel-info-dlg.h Examining data/gnome-twitch-0.4.1/src/gt-twitch-login-dlg.c Examining data/gnome-twitch-0.4.1/src/gt-twitch-login-dlg.h Examining data/gnome-twitch-0.4.1/src/gt-twitch.h Examining data/gnome-twitch-0.4.1/src/gt-win.c Examining data/gnome-twitch-0.4.1/src/gt-win.h Examining data/gnome-twitch-0.4.1/src/main.c Examining data/gnome-twitch-0.4.1/src/utils.c Examining data/gnome-twitch-0.4.1/src/utils.h Examining data/gnome-twitch-0.4.1/src/gt-twitch.c FINAL RESULTS: data/gnome-twitch-0.4.1/src/gt-irc.c:912:55: [3] (random) g_random_int_range: This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values. gchar* _nick = g_strdup_printf("justinfan%d", g_random_int_range(1, 9999999)); data/gnome-twitch-0.4.1/src/gt-irc.c:1090:11: [3] (random) g_random_int: This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values. pos = g_random_int() % g_list_length(servers); data/gnome-twitch-0.4.1/src/gt-twitch.c:627:35: [3] (random) g_random_int_range: This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values. token->token, token->sig, g_random_int_range(0, 999999)); data/gnome-twitch-0.4.1/src/gt-irc.c:458:17: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). if (atoi(utils_search_key_value_strv(msg->tags, "subscriber"))) data/gnome-twitch-0.4.1/src/gt-irc.c:460:17: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). if (atoi(utils_search_key_value_strv(msg->tags, "turbo"))) data/gnome-twitch-0.4.1/src/gt-irc.c:527:22: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). id = atoi(strsep(&e, ":")); data/gnome-twitch-0.4.1/src/gt-irc.c:534:34: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). emp->start = atoi(strsep(&i, "-")); data/gnome-twitch-0.4.1/src/gt-irc.c:535:32: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). emp->end = atoi(strsep(&i, "-")); data/gnome-twitch-0.4.1/src/gt-twitch.c:432:41: [2] (integer) atol: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). stream->bandwidth = atol(*(split+1)); data/gnome-twitch-0.4.1/src/gt-twitch.c:438:37: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). stream->width = atoi(*res); data/gnome-twitch-0.4.1/src/gt-twitch.c:439:38: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). stream->height = atoi(*(res+1)); data/gnome-twitch-0.4.1/src/gt-twitch.c:2494:26: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). emote->set = atoi(*c); data/gnome-twitch-0.4.1/src/gt-chat.c:145:9: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (strlen(text) == 0 || text[strlen(text) - 1] == ' ') data/gnome-twitch-0.4.1/src/gt-chat.c:145:35: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (strlen(text) == 0 || text[strlen(text) - 1] == ' ') data/gnome-twitch-0.4.1/src/gt-chat.c:288:33: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (!privmsg->colour || strlen(privmsg->colour) < 1) data/gnome-twitch-0.4.1/src/gt-irc.c:448:22: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). line[strlen(line) - 1] = '\0'; data/gnome-twitch-0.4.1/src/gt-irc.c:712:70: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). for (gchar* line = g_data_input_stream_read_line(data->istream, &read, NULL, &err); !err; data/gnome-twitch-0.4.1/src/gt-irc.c:713:63: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). line = g_data_input_stream_read_line(data->istream, &read, NULL, &err)) data/gnome-twitch-0.4.1/src/gt-twitch-channel-info-dlg.c:323:24: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (panel->link && strlen(panel->link) > 0) data/gnome-twitch-0.4.1/src/gt-twitch-channel-info-dlg.c:347:25: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (panel->title && strlen(panel->title) > 0) data/gnome-twitch-0.4.1/src/gt-twitch-login-dlg.c:160:24: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (uri == NULL || strlen(uri) == 0) return FALSE; data/gnome-twitch-0.4.1/src/gt-twitch.c:420:38: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (strncmp(*l, STREAM_INFO, strlen(STREAM_INFO)) == 0) data/gnome-twitch-0.4.1/src/gt-twitch.c:452:29: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). quality[strlen(quality) - 1] = '\0'; data/gnome-twitch-0.4.1/src/utils.c:224:21: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). return !(str && strlen(str) > 0); ANALYSIS SUMMARY: Hits = 24 Lines analyzed = 18493 in approximately 0.50 seconds (36800 lines/second) Physical Source Lines of Code (SLOC) = 13206 Hits@level = [0] 3 [1] 12 [2] 9 [3] 3 [4] 0 [5] 0 Hits@level+ = [0+] 27 [1+] 24 [2+] 12 [3+] 3 [4+] 0 [5+] 0 Hits/KSLOC@level+ = [0+] 2.04453 [1+] 1.81736 [2+] 0.908678 [3+] 0.227169 [4+] 0 [5+] 0 Dot directories skipped = 1 (--followdotdir overrides) Minimum risk level = 1 Not every hit is necessarily a security vulnerability. There may be other security vulnerabilities; review your code! See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.