Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/gnomekiss-2.0/src/main.c
Examining data/gnomekiss-2.0/src/support.h
Examining data/gnomekiss-2.0/src/cell.c
Examining data/gnomekiss-2.0/src/cnf.c
Examining data/gnomekiss-2.0/src/collision.c
Examining data/gnomekiss-2.0/src/errors.c
Examining data/gnomekiss-2.0/src/event.c
Examining data/gnomekiss-2.0/src/french.c
Examining data/gnomekiss-2.0/src/lzh.c
Examining data/gnomekiss-2.0/src/timer.c
Examining data/gnomekiss-2.0/src/util.c
Examining data/gnomekiss-2.0/src/support.c
Examining data/gnomekiss-2.0/src/variable.c
Examining data/gnomekiss-2.0/src/callbacks.h
Examining data/gnomekiss-2.0/src/interface.h
Examining data/gnomekiss-2.0/src/callbacks.c
Examining data/gnomekiss-2.0/src/interface.c
Examining data/gnomekiss-2.0/src/kiss.h
FINAL RESULTS:
data/gnomekiss-2.0/src/event.c:162:5: [4] (shell) execvp:
This causes a new program to execute and is difficult to use safely
(CWE-78). try using a library call that implements the same functionality
if available.
execvp(args[0], args);
data/gnomekiss-2.0/src/lzh.c:48:3: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(temp, TEMPLATE); /* Must be replaced each time */
data/gnomekiss-2.0/src/lzh.c:49:3: [4] (tmpfile) mktemp:
Temporary file race condition (CWE-377).
mktemp(temp); /* safe in this context */
data/gnomekiss-2.0/src/lzh.c:73:5: [4] (format) snprintf:
If format strings can be influenced by an attacker, they can be exploited,
and note that sprintf variations do not always \0-terminate (CWE-134). Use
a constant for the format specification.
snprintf(options, sizeof(options), PREFIX "%s", temp);
data/gnomekiss-2.0/src/lzh.c:74:5: [4] (shell) execlp:
This causes a new program to execute and is difficult to use safely
(CWE-78). try using a library call that implements the same functionality
if available.
execlp("lha", "lha", options, filename, NULL);
data/gnomekiss-2.0/src/lzh.c:102:5: [4] (format) snprintf:
If format strings can be influenced by an attacker, they can be exploited,
and note that sprintf variations do not always \0-terminate (CWE-134). Use
a constant for the format specification.
snprintf(options, sizeof(options), PREFIX "%s", temp);
data/gnomekiss-2.0/src/lzh.c:103:5: [4] (shell) execlp:
This causes a new program to execute and is difficult to use safely
(CWE-78). try using a library call that implements the same functionality
if available.
execlp("lha", "lha", options, filename, NULL);
data/gnomekiss-2.0/src/util.c:141:7: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(filename, dirent->d_name);
data/gnomekiss-2.0/src/main.c:46:27: [3] (buffer) g_get_home_dir:
This function is synonymous with 'getenv("HOME")';it returns untrustable
input if the environment can beset by an attacker. It can have any content
and length, and the same variable can be set more than once (CWE-807,
CWE-20). Check environment variables carefully before using them.
file = g_build_filename(g_get_home_dir(), ".gnome2", "GnomeKiss", NULL);
data/gnomekiss-2.0/src/callbacks.c:91:7: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(buffer, global_start, config.row_stride);
data/gnomekiss-2.0/src/cell.c:240:4: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy( dst, src, 3 * sizeof( *src ) );
data/gnomekiss-2.0/src/cell.c:310:4: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy( dst, src, 3 * sizeof( *src ) );
data/gnomekiss-2.0/src/cnf.c:139:7: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
fp= fopen(filename, "r");
data/gnomekiss-2.0/src/cnf.c:302:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char across[6], down[6];
data/gnomekiss-2.0/src/cnf.c:313:13: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
pal = atoi(entry + 1);
data/gnomekiss-2.0/src/cnf.c:329:10: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
x= atoi(across);
data/gnomekiss-2.0/src/cnf.c:330:10: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
y= atoi(down);
data/gnomekiss-2.0/src/cnf.c:376:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(palette, magic_palette, 256 * 3);
data/gnomekiss-2.0/src/cnf.c:382:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char filename[32];
data/gnomekiss-2.0/src/cnf.c:430:11: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(palette, palettes[numpal * COLS], cols * 3);
data/gnomekiss-2.0/src/cnf.c:445:11: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(palette, palettes[numpal * COLS], cols * 3);
data/gnomekiss-2.0/src/cnf.c:464:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char pair[16], filename[32], *next;
data/gnomekiss-2.0/src/errors.c:58:7: [2] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused). Risk is low because the source is a constant string.
strcpy(line, "N/A");
data/gnomekiss-2.0/src/errors.c:81:7: [2] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused). Risk is low because the source is a constant string.
strcpy(line, "N/A");
data/gnomekiss-2.0/src/event.c:145:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char *string, *args[13]; /* 1 command, 10 parameters, 1 song, 1 NULL */
data/gnomekiss-2.0/src/lzh.c:145:7: [2] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused). Risk is low because the source is a constant string.
strcpy(filename + length - 3, "cnf");
data/gnomekiss-2.0/src/util.c:188:7: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
fp= fopen(temp, mode);
data/gnomekiss-2.0/src/util.c:190:9: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
fp= fopen(temp, mode);
data/gnomekiss-2.0/src/util.c:194:9: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
fp= fopen(temp, mode);
data/gnomekiss-2.0/src/util.c:365:10: [2] (integer) atol:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
value= atol(integer);
data/gnomekiss-2.0/src/cnf.c:114:8: [1] (buffer) fgetc:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
c= fgetc(stream);
data/gnomekiss-2.0/src/cnf.c:116:10: [1] (buffer) fgetc:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
c= fgetc(stream); /* next character instead */
data/gnomekiss-2.0/src/cnf.c:179:9: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (strlen(line) > 256) {
data/gnomekiss-2.0/src/cnf.c:337:16: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
token += strlen(across) + strlen(down);
data/gnomekiss-2.0/src/cnf.c:337:33: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
token += strlen(across) + strlen(down);
data/gnomekiss-2.0/src/cnf.c:393:3: [1] (buffer) sscanf:
It's unclear if the %s limit in the format string is small enough
(CWE-120). Check that the limit is sufficiently small, or use a different
input function.
sscanf(entry, "%% %20s ", filename);
data/gnomekiss-2.0/src/french.c:65:7: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy(argv[count], args + start, end - start);
data/gnomekiss-2.0/src/french.c:93:5: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy(argv[count], args + start, end - start);
data/gnomekiss-2.0/src/lzh.c:142:13: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
length= strlen(dirent->d_name);
data/gnomekiss-2.0/src/util.c:309:8: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
len= strlen(filename);
ANALYSIS SUMMARY:
Hits = 40
Lines analyzed = 7029 in approximately 0.31 seconds (22847 lines/second)
Physical Source Lines of Code (SLOC) = 5665
Hits@level = [0] 194 [1] 10 [2] 21 [3] 1 [4] 8 [5] 0
Hits@level+ = [0+] 234 [1+] 40 [2+] 30 [3+] 9 [4+] 8 [5+] 0
Hits/KSLOC@level+ = [0+] 41.3063 [1+] 7.0609 [2+] 5.29568 [3+] 1.5887 [4+] 1.41218 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.