Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/emerald-0.8.18/include/titlebar.h
Examining data/emerald-0.8.18/include/emerald.h
Examining data/emerald-0.8.18/include/libengine.h
Examining data/emerald-0.8.18/include/engine.h
Examining data/emerald-0.8.18/themer/main.c
Examining data/emerald-0.8.18/engines/oxygen_icon.h
Examining data/emerald-0.8.18/engines/legacy.c
Examining data/emerald-0.8.18/engines/zootreeves_icon.h
Examining data/emerald-0.8.18/engines/oxygen.c
Examining data/emerald-0.8.18/engines/truglass_icon.h
Examining data/emerald-0.8.18/engines/legacy_icon.h
Examining data/emerald-0.8.18/engines/zootreeves.c
Examining data/emerald-0.8.18/engines/vrunner.c
Examining data/emerald-0.8.18/engines/pixmap.c
Examining data/emerald-0.8.18/engines/truglass.c
Examining data/emerald-0.8.18/engines/pixmap_icon.h
Examining data/emerald-0.8.18/engines/vrunner_icon.h
Examining data/emerald-0.8.18/engines/line.c
Examining data/emerald-0.8.18/libengine/emerald.c
Examining data/emerald-0.8.18/libengine/themer.c
Examining data/emerald-0.8.18/src/main.c
Examining data/emerald-0.8.18/src/engine_loader.c
FINAL RESULTS:
data/emerald-0.8.18/libengine/emerald.c:25:57: [3] (buffer) g_get_home_dir:
This function is synonymous with 'getenv("HOME")';it returns untrustable
input if the environment can beset by an attacker. It can have any content
and length, and the same variable can be set more than once (CWE-807,
CWE-20). Check environment variables carefully before using them.
gchar * opath = g_strdup_printf("%s/.emerald/theme",g_get_home_dir());
data/emerald-0.8.18/libengine/emerald.c:30:56: [3] (buffer) g_get_home_dir:
This function is synonymous with 'getenv("HOME")';it returns untrustable
input if the environment can beset by an attacker. It can have any content
and length, and the same variable can be set more than once (CWE-807,
CWE-20). Check environment variables carefully before using them.
opath = g_strdup_printf("%s/.emerald/settings.ini",g_get_home_dir());
data/emerald-0.8.18/libengine/emerald.c:40:59: [3] (buffer) g_get_home_dir:
This function is synonymous with 'getenv("HOME")';it returns untrustable
input if the environment can beset by an attacker. It can have any content
and length, and the same variable can be set more than once (CWE-807,
CWE-20). Check environment variables carefully before using them.
opath = g_strdup_printf("%s/.emerald/theme/theme.ini",g_get_home_dir());
data/emerald-0.8.18/libengine/emerald.c:51:72: [3] (buffer) g_get_home_dir:
This function is synonymous with 'getenv("HOME")';it returns untrustable
input if the environment can beset by an attacker. It can have any content
and length, and the same variable can be set more than once (CWE-807,
CWE-20). Check environment variables carefully before using them.
gchar * npath = g_strdup_printf("%s/.emerald/theme/%s",g_get_home_dir(),n);
data/emerald-0.8.18/libengine/emerald.c:68:57: [3] (buffer) g_get_home_dir:
This function is synonymous with 'getenv("HOME")';it returns untrustable
input if the environment can beset by an attacker. It can have any content
and length, and the same variable can be set more than once (CWE-807,
CWE-20). Check environment variables carefully before using them.
return g_strdup_printf("%s/.emerald/theme/%s.%s.%s",g_get_home_dir(),sect,key,ext);
data/emerald-0.8.18/libengine/themer.c:351:34: [3] (buffer) g_get_home_dir:
This function is synonymous with 'getenv("HOME")';it returns untrustable
input if the environment can beset by an attacker. It can have any content
and length, and the same variable can be set more than once (CWE-807,
CWE-20). Check environment variables carefully before using them.
gchar * file = g_strjoin("/",g_get_home_dir(),".emerald/theme/theme.ini",NULL);
data/emerald-0.8.18/libengine/themer.c:352:34: [3] (buffer) g_get_home_dir:
This function is synonymous with 'getenv("HOME")';it returns untrustable
input if the environment can beset by an attacker. It can have any content
and length, and the same variable can be set more than once (CWE-807,
CWE-20). Check environment variables carefully before using them.
gchar * path = g_strjoin("/",g_get_home_dir(),".emerald/theme/",NULL);
data/emerald-0.8.18/libengine/themer.c:438:75: [3] (buffer) g_get_home_dir:
This function is synonymous with 'getenv("HOME")';it returns untrustable
input if the environment can beset by an attacker. It can have any content
and length, and the same variable can be set more than once (CWE-807,
CWE-20). Check environment variables carefully before using them.
gchar * s = g_strdup_printf("%s/.emerald/theme/%s.%s.png",g_get_home_dir(),item->section,item->key);
data/emerald-0.8.18/libengine/themer.c:492:34: [3] (buffer) g_get_home_dir:
This function is synonymous with 'getenv("HOME")';it returns untrustable
input if the environment can beset by an attacker. It can have any content
and length, and the same variable can be set more than once (CWE-807,
CWE-20). Check environment variables carefully before using them.
gchar * file = g_strjoin("/",g_get_home_dir(),".emerald/settings.ini",NULL);
data/emerald-0.8.18/libengine/themer.c:493:34: [3] (buffer) g_get_home_dir:
This function is synonymous with 'getenv("HOME")';it returns untrustable
input if the environment can beset by an attacker. It can have any content
and length, and the same variable can be set more than once (CWE-807,
CWE-20). Check environment variables carefully before using them.
gchar * path = g_strjoin("/",g_get_home_dir(),".emerald/",NULL);
data/emerald-0.8.18/libengine/themer.c:825:63: [3] (buffer) g_get_home_dir:
This function is synonymous with 'getenv("HOME")';it returns untrustable
input if the environment can beset by an attacker. It can have any content
and length, and the same variable can be set more than once (CWE-807,
CWE-20). Check environment variables carefully before using them.
s = g_strdup_printf("%s/.emerald/theme/%s.%s.png",g_get_home_dir(),item->section,item->key);
data/emerald-0.8.18/libengine/themer.c:871:34: [3] (buffer) g_get_home_dir:
This function is synonymous with 'getenv("HOME")';it returns untrustable
input if the environment can beset by an attacker. It can have any content
and length, and the same variable can be set more than once (CWE-807,
CWE-20). Check environment variables carefully before using them.
gchar * file = g_strjoin("/",g_get_home_dir(),".emerald/theme/theme.ini",NULL);
data/emerald-0.8.18/libengine/themer.c:874:26: [3] (buffer) g_get_home_dir:
This function is synonymous with 'getenv("HOME")';it returns untrustable
input if the environment can beset by an attacker. It can have any content
and length, and the same variable can be set more than once (CWE-807,
CWE-20). Check environment variables carefully before using them.
file = g_strjoin("/",g_get_home_dir(),".emerald/settings.ini",NULL);
data/emerald-0.8.18/libengine/themer.c:1037:46: [3] (buffer) g_get_home_dir:
This function is synonymous with 'getenv("HOME")';it returns untrustable
input if the environment can beset by an attacker. It can have any content
and length, and the same variable can be set more than once (CWE-807,
CWE-20). Check environment variables carefully before using them.
gchar * local_engine_dir = g_strjoin("/",g_get_home_dir(),".emerald/engines",NULL);
data/emerald-0.8.18/src/engine_loader.c:24:26: [3] (buffer) g_get_home_dir:
This function is synonymous with 'getenv("HOME")';it returns untrustable
input if the environment can beset by an attacker. It can have any content
and length, and the same variable can be set more than once (CWE-807,
CWE-20). Check environment variables carefully before using them.
#define LOCAL_ENGINE_DIR g_get_home_dir(),".emerald/engines"
data/emerald-0.8.18/src/main.c:5720:17: [3] (buffer) g_get_home_dir:
This function is synonymous with 'getenv("HOME")';it returns untrustable
input if the environment can beset by an attacker. It can have any content
and length, and the same variable can be set more than once (CWE-807,
CWE-20). Check environment variables carefully before using them.
g_strjoin("/", g_get_home_dir(), ".emerald/settings.ini", NULL);
data/emerald-0.8.18/src/main.c:5786:27: [3] (buffer) g_get_home_dir:
This function is synonymous with 'getenv("HOME")';it returns untrustable
input if the environment can beset by an attacker. It can have any content
and length, and the same variable can be set more than once (CWE-807,
CWE-20). Check environment variables carefully before using them.
path = g_strjoin("/", g_get_home_dir(), ".emerald/theme/theme.ini", NULL);
data/emerald-0.8.18/themer/main.c:290:50: [3] (buffer) g_get_home_dir:
This function is synonymous with 'getenv("HOME")';it returns untrustable
input if the environment can beset by an attacker. It can have any content
and length, and the same variable can be set more than once (CWE-807,
CWE-20). Check environment variables carefully before using them.
path = g_strdup_printf("%s/.emerald/themes/",g_get_home_dir());
data/emerald-0.8.18/themer/main.c:382:47: [3] (buffer) g_get_home_dir:
This function is synonymous with 'getenv("HOME")';it returns untrustable
input if the environment can beset by an attacker. It can have any content
and length, and the same variable can be set more than once (CWE-807,
CWE-20). Check environment variables carefully before using them.
xt = g_strdup_printf("%s/.emerald/theme/",g_get_home_dir());
data/emerald-0.8.18/themer/main.c:400:64: [3] (buffer) g_get_home_dir:
This function is synonymous with 'getenv("HOME")';it returns untrustable
input if the environment can beset by an attacker. It can have any content
and length, and the same variable can be set more than once (CWE-807,
CWE-20). Check environment variables carefully before using them.
fn = g_strdup_printf("%s/.emerald/themes/%s/theme.ini",g_get_home_dir(),mt);
data/emerald-0.8.18/themer/main.c:401:55: [3] (buffer) g_get_home_dir:
This function is synonymous with 'getenv("HOME")';it returns untrustable
input if the environment can beset by an attacker. It can have any content
and length, and the same variable can be set more than once (CWE-807,
CWE-20). Check environment variables carefully before using them.
at = g_strdup_printf("%s/.emerald/themes/%s/",g_get_home_dir(),mt);
data/emerald-0.8.18/themer/main.c:471:51: [3] (buffer) g_get_home_dir:
This function is synonymous with 'getenv("HOME")';it returns untrustable
input if the environment can beset by an attacker. It can have any content
and length, and the same variable can be set more than once (CWE-807,
CWE-20). Check environment variables carefully before using them.
fn = g_strdup_printf("%s/.emerald/themes/%s/",g_get_home_dir(),ot);
data/emerald-0.8.18/themer/main.c:511:47: [3] (buffer) g_get_home_dir:
This function is synonymous with 'getenv("HOME")';it returns untrustable
input if the environment can beset by an attacker. It can have any content
and length, and the same variable can be set more than once (CWE-807,
CWE-20). Check environment variables carefully before using them.
fn = g_strdup_printf("%s/.emerald/theme/",g_get_home_dir());
data/emerald-0.8.18/themer/main.c:548:50: [3] (buffer) g_get_home_dir:
This function is synonymous with 'getenv("HOME")';it returns untrustable
input if the environment can beset by an attacker. It can have any content
and length, and the same variable can be set more than once (CWE-807,
CWE-20). Check environment variables carefully before using them.
fn = g_strdup_printf("%s/.emerald/themes/%s",g_get_home_dir(),at);
data/emerald-0.8.18/themer/main.c:551:60: [3] (buffer) g_get_home_dir:
This function is synonymous with 'getenv("HOME")';it returns untrustable
input if the environment can beset by an attacker. It can have any content
and length, and the same variable can be set more than once (CWE-807,
CWE-20). Check environment variables carefully before using them.
fn = g_strdup_printf("%s/.emerald/themes/%s/theme.ini",g_get_home_dir(),at);
data/emerald-0.8.18/themer/main.c:567:56: [3] (buffer) g_get_home_dir:
This function is synonymous with 'getenv("HOME")';it returns untrustable
input if the environment can beset by an attacker. It can have any content
and length, and the same variable can be set more than once (CWE-807,
CWE-20). Check environment variables carefully before using them.
fn = g_strdup_printf("%s/.emerald/theme/theme.ini",g_get_home_dir());
data/emerald-0.8.18/themer/main.c:580:55: [3] (buffer) g_get_home_dir:
This function is synonymous with 'getenv("HOME")';it returns untrustable
input if the environment can beset by an attacker. It can have any content
and length, and the same variable can be set more than once (CWE-807,
CWE-20). Check environment variables carefully before using them.
xt = g_strdup_printf("%s/.emerald/themes/%s/",g_get_home_dir(),mt);
data/emerald-0.8.18/themer/main.c:591:51: [3] (buffer) g_get_home_dir:
This function is synonymous with 'getenv("HOME")';it returns untrustable
input if the environment can beset by an attacker. It can have any content
and length, and the same variable can be set more than once (CWE-807,
CWE-20). Check environment variables carefully before using them.
at = g_strdup_printf("%s/.emerald/theme/",g_get_home_dir());
data/emerald-0.8.18/themer/main.c:644:60: [3] (buffer) g_get_home_dir:
This function is synonymous with 'getenv("HOME")';it returns untrustable
input if the environment can beset by an attacker. It can have any content
and length, and the same variable can be set more than once (CWE-807,
CWE-20). Check environment variables carefully before using them.
fn = g_strdup_printf("%s/.emerald/themes/%s/theme.ini",g_get_home_dir(),at);
data/emerald-0.8.18/themer/main.c:657:59: [3] (buffer) g_get_home_dir:
This function is synonymous with 'getenv("HOME")';it returns untrustable
input if the environment can beset by an attacker. It can have any content
and length, and the same variable can be set more than once (CWE-807,
CWE-20). Check environment variables carefully before using them.
pt = g_strdup_printf("%s/.emerald/themes/%s/",g_get_home_dir(),at);
data/emerald-0.8.18/themer/main.c:974:49: [3] (buffer) g_get_home_dir:
This function is synonymous with 'getenv("HOME")';it returns untrustable
input if the environment can beset by an attacker. It can have any content
and length, and the same variable can be set more than once (CWE-807,
CWE-20). Check environment variables carefully before using them.
gchar * pth = g_strdup_printf("%s/Desktop/",g_get_home_dir());
data/emerald-0.8.18/themer/main.c:1433:49: [3] (buffer) g_get_home_dir:
This function is synonymous with 'getenv("HOME")';it returns untrustable
input if the environment can beset by an attacker. It can have any content
and length, and the same variable can be set more than once (CWE-807,
CWE-20). Check environment variables carefully before using them.
gchar * pth = g_strdup_printf("%s/Desktop/",g_get_home_dir());
data/emerald-0.8.18/themer/main.c:1773:63: [3] (buffer) g_get_home_dir:
This function is synonymous with 'getenv("HOME")';it returns untrustable
input if the environment can beset by an attacker. It can have any content
and length, and the same variable can be set more than once (CWE-807,
CWE-20). Check environment variables carefully before using them.
g_mkdir_with_parents(g_strdup_printf("%s/.emerald/theme/",g_get_home_dir()),00755);
data/emerald-0.8.18/themer/main.c:1774:64: [3] (buffer) g_get_home_dir:
This function is synonymous with 'getenv("HOME")';it returns untrustable
input if the environment can beset by an attacker. It can have any content
and length, and the same variable can be set more than once (CWE-807,
CWE-20). Check environment variables carefully before using them.
g_mkdir_with_parents(g_strdup_printf("%s/.emerald/themes/",g_get_home_dir()),00755);
data/emerald-0.8.18/libengine/themer.c:639:9: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(inf,&(fe.d->meta),sizeof(EngineMetaInfo));
data/emerald-0.8.18/src/main.c:396:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(ws->pos, newpos, sizeof(pos_t) * 9);
data/emerald-0.8.18/src/main.c:1764:2: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(button_region_inact, button_region, sizeof(button_region_t));
data/emerald-0.8.18/src/main.c:3213:6: [2] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused). Risk is low because the source is a constant string.
strcpy(d->name + name_length - 3, "...");
data/emerald-0.8.18/src/main.c:3303:6: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&a, data, sizeof(Atom));
data/emerald-0.8.18/src/main.c:3580:4: [2] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused). Risk is low because the source is a constant string.
strcpy(d->name + name_length - 3, "...");
data/emerald-0.8.18/libengine/themer.c:583:9: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (strlen(s))
data/emerald-0.8.18/libengine/themer.c:673:14: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (!strlen(s))
data/emerald-0.8.18/src/main.c:2462:17: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
text_len = strlen(text);
data/emerald-0.8.18/src/main.c:2970:21: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
for (i = 0; i < strlen(ws->tobj_layout); i++)
data/emerald-0.8.18/src/main.c:3003:21: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
for (i = 0; i < strlen(ws->tobj_layout); i++)
data/emerald-0.8.18/src/main.c:3160:44: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
pango_layout_set_text(d->layout, name, strlen(name));
data/emerald-0.8.18/src/main.c:3164:44: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
pango_layout_set_text(d->layout, d->name, strlen(d->name));
data/emerald-0.8.18/src/main.c:3184:32: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (name && (name_length = strlen(name)))
data/emerald-0.8.18/src/main.c:3552:29: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (name && (name_length = strlen(name)))
data/emerald-0.8.18/themer/main.c:188:25: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (creator && !strlen(creator))
data/emerald-0.8.18/themer/main.c:194:22: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (tver && !strlen(tver))
data/emerald-0.8.18/themer/main.c:200:22: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (rwid && !strlen(rwid))
data/emerald-0.8.18/themer/main.c:206:22: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (desc && !strlen(desc))
data/emerald-0.8.18/themer/main.c:361:9: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (strlen(at)>=1 && at[0] == '*')
data/emerald-0.8.18/themer/main.c:363:13: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (strlen(at)>=2)
data/emerald-0.8.18/themer/main.c:375:9: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (strlen(mt)==0)
data/emerald-0.8.18/themer/main.c:462:8: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
ot[strlen(ot)-strlen(".emerald")]='\0';
data/emerald-0.8.18/themer/main.c:462:19: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
ot[strlen(ot)-strlen(".emerald")]='\0';
data/emerald-0.8.18/themer/main.c:498:24: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (!themename || !strlen(themename) ||
data/emerald-0.8.18/themer/main.c:538:9: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (strlen(at)>=1 && at[0] == '*')
data/emerald-0.8.18/themer/main.c:543:9: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (strlen(at)==0 || strchr(at,'/'))
data/emerald-0.8.18/themer/main.c:632:9: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (strlen(at)>=1 && at[0] == '*')
data/emerald-0.8.18/themer/main.c:638:9: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (strlen(at)==0)
data/emerald-0.8.18/themer/main.c:1392:9: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (strlen(ch=gtk_entry_get_text(e))==0)
data/emerald-0.8.18/themer/main.c:1400:13: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (strlen(at) && strstr(at,ch))
ANALYSIS SUMMARY:
Hits = 65
Lines analyzed = 18172 in approximately 0.61 seconds (29958 lines/second)
Physical Source Lines of Code (SLOC) = 15361
Hits@level = [0] 0 [1] 25 [2] 6 [3] 34 [4] 0 [5] 0
Hits@level+ = [0+] 65 [1+] 65 [2+] 40 [3+] 34 [4+] 0 [5+] 0
Hits/KSLOC@level+ = [0+] 4.2315 [1+] 4.2315 [2+] 2.604 [3+] 2.2134 [4+] 0 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.