Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/xfdesktop4-4.15.1/settings/xfdesktop-settings-appearance-frame-ui.h
Examining data/xfdesktop4-4.15.1/settings/main.c
Examining data/xfdesktop4-4.15.1/settings/xfdesktop-settings-ui.h
Examining data/xfdesktop4-4.15.1/common/xfdesktop-common.h
Examining data/xfdesktop4-4.15.1/common/xfdesktop-thumbnailer.h
Examining data/xfdesktop4-4.15.1/common/xfdesktop-thumbnailer.c
Examining data/xfdesktop4-4.15.1/common/tumbler.c
Examining data/xfdesktop4-4.15.1/common/xfdesktop-marshal.h
Examining data/xfdesktop4-4.15.1/common/xfdesktop-marshal.c
Examining data/xfdesktop4-4.15.1/common/tumbler.h
Examining data/xfdesktop4-4.15.1/common/xfdesktop-common.c
Examining data/xfdesktop4-4.15.1/src/xfce-workspace.h
Examining data/xfdesktop4-4.15.1/src/xfdesktop-file-manager-proxy.h
Examining data/xfdesktop4-4.15.1/src/xfdesktop-clipboard-manager.c
Examining data/xfdesktop4-4.15.1/src/xfdesktop-icon.h
Examining data/xfdesktop4-4.15.1/src/xfdesktop-file-icon-manager.h
Examining data/xfdesktop4-4.15.1/src/xfce-desktop-enum-types.c
Examining data/xfdesktop4-4.15.1/src/xfdesktop-regular-file-icon.c
Examining data/xfdesktop4-4.15.1/src/xfdesktop-clipboard-manager.h
Examining data/xfdesktop4-4.15.1/src/xfdesktop-notify.c
Examining data/xfdesktop4-4.15.1/src/xfdesktop-icon-view.h
Examining data/xfdesktop4-4.15.1/src/windowlist.h
Examining data/xfdesktop4-4.15.1/src/xfdesktop-icon.c
Examining data/xfdesktop4-4.15.1/src/xfce-desktop.c
Examining data/xfdesktop4-4.15.1/src/xfdesktop-icon-view-manager.h
Examining data/xfdesktop4-4.15.1/src/xfdesktop-window-icon-manager.c
Examining data/xfdesktop4-4.15.1/src/main.c
Examining data/xfdesktop4-4.15.1/src/xfdesktop-regular-file-icon.h
Examining data/xfdesktop4-4.15.1/src/xfdesktop-window-icon.c
Examining data/xfdesktop4-4.15.1/src/xfdesktop-volume-icon.c
Examining data/xfdesktop4-4.15.1/src/xfdesktop-file-utils.c
Examining data/xfdesktop4-4.15.1/src/xfce-workspace.c
Examining data/xfdesktop4-4.15.1/src/xfdesktop-icon-view.c
Examining data/xfdesktop4-4.15.1/src/xfdesktop-application.h
Examining data/xfdesktop4-4.15.1/src/xfce-backdrop.c
Examining data/xfdesktop4-4.15.1/src/xfdesktop-thunar-proxy.c
Examining data/xfdesktop4-4.15.1/src/menu.h
Examining data/xfdesktop4-4.15.1/src/menu.c
Examining data/xfdesktop4-4.15.1/src/xfdesktop-special-file-icon.c
Examining data/xfdesktop4-4.15.1/src/xfdesktop-notify.h
Examining data/xfdesktop4-4.15.1/src/xfdesktop-file-icon-manager.c
Examining data/xfdesktop4-4.15.1/src/xfdesktop-file-utils.h
Examining data/xfdesktop4-4.15.1/src/xfdesktop-file-manager-proxy.c
Examining data/xfdesktop4-4.15.1/src/windowlist.c
Examining data/xfdesktop4-4.15.1/src/xfce-backdrop.h
Examining data/xfdesktop4-4.15.1/src/xfdesktop-window-icon.h
Examining data/xfdesktop4-4.15.1/src/xfdesktop-icon-view-manager.c
Examining data/xfdesktop4-4.15.1/src/xfce-desktop-enum-types.h
Examining data/xfdesktop4-4.15.1/src/xfdesktop-special-file-icon.h
Examining data/xfdesktop4-4.15.1/src/xfdesktop-volume-icon.h
Examining data/xfdesktop4-4.15.1/src/xfdesktop-file-icon.c
Examining data/xfdesktop4-4.15.1/src/xfdesktop-file-icon.h
Examining data/xfdesktop4-4.15.1/src/xfdesktop-application.c
Examining data/xfdesktop4-4.15.1/src/xfdesktop-thunar-proxy.h
Examining data/xfdesktop4-4.15.1/src/xfce-desktop.h
Examining data/xfdesktop4-4.15.1/src/xfdesktop-trash-proxy.h
Examining data/xfdesktop4-4.15.1/src/xfdesktop-trash-proxy.c
Examining data/xfdesktop4-4.15.1/src/xfdesktop-window-icon-manager.h
FINAL RESULTS:
data/xfdesktop4-4.15.1/common/xfdesktop-common.c:308:5: [4] (format) vfprintf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
vfprintf(stdout, format, args);
data/xfdesktop4-4.15.1/common/xfdesktop-common.h:119:116: [4] (format) printf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
void xfdesktop_debug(const char *func, const char *file, int line, const char *format, ...) __attribute__((format (printf,4,5)));
data/xfdesktop4-4.15.1/common/xfdesktop-thumbnailer.c:545:56: [3] (buffer) g_get_home_dir:
This function is synonymous with 'getenv("HOME")';it returns untrustable
input if the environment can beset by an attacker. It can have any content
and length, and the same variable can be set more than once (CWE-807,
CWE-20). Check environment variables carefully before using them.
thumbnail_location = g_build_path("/", g_get_home_dir(),
data/xfdesktop4-4.15.1/src/xfce-backdrop.c:606:20: [3] (random) g_random_int_range:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
cur_file = g_random_int_range(0, n_items);
data/xfdesktop4-4.15.1/src/windowlist.c:72:24: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
if(!ws_name || atoi(ws_name) == nworkspaces) {
data/xfdesktop4-4.15.1/src/windowlist.c:402:24: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
if(!ws_name || atoi(ws_name) == nworkspaces)
data/xfdesktop4-4.15.1/src/xfce-backdrop.c:1063:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(color, &backdrop->priv->color1, sizeof(GdkRGBA));
data/xfdesktop4-4.15.1/src/xfce-backdrop.c:1104:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(color, &backdrop->priv->color2, sizeof(GdkRGBA));
data/xfdesktop4-4.15.1/src/xfce-workspace.c:146:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[1024];
data/xfdesktop4-4.15.1/src/xfce-workspace.c:178:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[1024];
data/xfdesktop4-4.15.1/src/xfce-workspace.c:421:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[1024];
data/xfdesktop4-4.15.1/src/xfce-workspace.c:452:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[1024];
data/xfdesktop4-4.15.1/src/xfce-workspace.c:484:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[1024];
data/xfdesktop4-4.15.1/src/xfce-workspace.c:516:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[1024];
data/xfdesktop4-4.15.1/src/xfce-workspace.c:552:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[1024];
data/xfdesktop4-4.15.1/src/xfce-workspace.c:610:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[1024];
data/xfdesktop4-4.15.1/src/xfdesktop-file-utils.c:1346:54: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
gboolean open,
data/xfdesktop4-4.15.1/src/xfdesktop-file-utils.c:1367:65: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
uri, open,
data/xfdesktop4-4.15.1/src/xfdesktop-file-utils.h:102:59: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
gboolean open,
data/xfdesktop4-4.15.1/src/xfdesktop-icon-view.c:3557:13: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(data, data_p, tmp_size);
data/xfdesktop4-4.15.1/common/xfdesktop-common.c:186:23: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
for(curr=0; curr<=strlen(str); curr++) {
data/xfdesktop4-4.15.1/common/xfdesktop-thumbnailer.c:527:67: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
f_uri, strlen (f_uri));
data/xfdesktop4-4.15.1/settings/main.c:534:29: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
guint name_length = strlen(name);
data/xfdesktop4-4.15.1/src/windowlist.c:77:64: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
gchar *ws_name_esc = g_markup_escape_text(ws_name, strlen(ws_name));
data/xfdesktop4-4.15.1/src/windowlist.c:299:68: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
gchar *ws_name_esc = g_markup_escape_text(ws_name, strlen(ws_name));
data/xfdesktop4-4.15.1/src/windowlist.c:405:64: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
gchar *ws_name_esc = g_markup_escape_text(ws_name, strlen(ws_name));
data/xfdesktop4-4.15.1/src/xfce-backdrop.c:489:17: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if(dir_name[strlen(dir_name)-1] == '/')
data/xfdesktop4-4.15.1/src/xfce-desktop.c:305:49: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
(guchar *)filename, strlen(filename)+1);
data/xfdesktop4-4.15.1/src/xfce-workspace.c:561:14: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
pp_len = strlen(buf);
data/xfdesktop4-4.15.1/src/xfce-workspace.c:628:14: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
pp_len = strlen(buf);
data/xfdesktop4-4.15.1/src/xfdesktop-clipboard-manager.c:493:31: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
strlen (data));
data/xfdesktop4-4.15.1/src/xfdesktop-clipboard-manager.c:502:31: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
strlen (string_list));
data/xfdesktop4-4.15.1/src/xfdesktop-file-icon-manager.c:3470:33: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
strlen(uri));
data/xfdesktop4-4.15.1/src/xfdesktop-file-icon-manager.c:3829:89: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
gtk_selection_data_set(data, gtk_selection_data_get_target(data), 8, (guchar *)str, strlen(str));
ANALYSIS SUMMARY:
Hits = 34
Lines analyzed = 41032 in approximately 0.89 seconds (46242 lines/second)
Physical Source Lines of Code (SLOC) = 29722
Hits@level = [0] 9 [1] 14 [2] 16 [3] 2 [4] 2 [5] 0
Hits@level+ = [0+] 43 [1+] 34 [2+] 20 [3+] 4 [4+] 2 [5+] 0
Hits/KSLOC@level+ = [0+] 1.44674 [1+] 1.14393 [2+] 0.672902 [3+] 0.13458 [4+] 0.0672902 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.