stdin

Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/deb-gview-0.2.11/src/support.c
Examining data/deb-gview-0.2.11/src/dvpreview.c
Examining data/deb-gview-0.2.11/src/main.c
Examining data/deb-gview-0.2.11/src/dvarchive.c
Examining data/deb-gview-0.2.11/src/interface.h
Examining data/deb-gview-0.2.11/src/support.h
Examining data/deb-gview-0.2.11/src/callbacks.h
Examining data/deb-gview-0.2.11/src/dvpreview.h
Examining data/deb-gview-0.2.11/src/dvarchive.h
Examining data/deb-gview-0.2.11/src/callbacks.c
Examining data/deb-gview-0.2.11/src/interface.c

FINAL RESULTS:

data/deb-gview-0.2.11/src/dvpreview.c:254:9:  [3] (buffer) g_get_home_dir:
  This function is synonymous with 'getenv("HOME")';it returns untrustable
  input if the environment can beset by an attacker. It can have any content
  and length, and the same variable can be set more than once (CWE-807,
  CWE-20). Check environment variables carefully before using them.
	home = g_get_home_dir ();
data/deb-gview-0.2.11/src/dvarchive.c:416:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	memcpy (lintbuf, inh, len);
data/deb-gview-0.2.11/src/dvpreview.c:381:9:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
		tmp = fopen (temp_file, "wb");
data/deb-gview-0.2.11/src/dvpreview.c:389:9:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
		tmp = fopen (temp_file, "w");
data/deb-gview-0.2.11/src/interface.c:108:21:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
	GtkWidget *dvnew, *open, *dvseparatorf;
data/deb-gview-0.2.11/src/interface.c:170:19:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
	gtk_widget_show (open);
data/deb-gview-0.2.11/src/interface.c:171:54:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
	gtk_container_add (GTK_CONTAINER (dvmenufile_menu), open);
data/deb-gview-0.2.11/src/interface.c:326:31:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
	g_signal_connect ((gpointer) open, "activate",
data/deb-gview-0.2.11/src/interface.c:365:41:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
	GLADE_HOOKUP_OBJECT (deb_gview_window, open, "open");
data/deb-gview-0.2.11/src/dvarchive.c:453:30:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	versionbuf = g_new0 (gchar, strlen(ARMAG) + 1);
data/deb-gview-0.2.11/src/dvarchive.c:454:60:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	bytesread = g_input_stream_read (deb->stream, versionbuf, strlen(ARMAG), NULL, &result);
data/deb-gview-0.2.11/src/dvarchive.c:460:36:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	vers_cmp = g_strndup (versionbuf, strlen(ARMAG));
data/deb-gview-0.2.11/src/dvpreview.c:390:28:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
		fwrite ((gchar*)content, strlen ((gchar*)content), 1, tmp);

ANALYSIS SUMMARY:

Hits = 13
Lines analyzed = 2908 in approximately 0.10 seconds (29361 lines/second)
Physical Source Lines of Code (SLOC) = 2273
Hits@level = [0]   1 [1]   4 [2]   8 [3]   1 [4]   0 [5]   0
Hits@level+ = [0+]  14 [1+]  13 [2+]   9 [3+]   1 [4+]   0 [5+]   0
Hits/KSLOC@level+ = [0+] 6.15926 [1+] 5.71931 [2+] 3.95952 [3+] 0.439947 [4+]   0 [5+]   0
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.