Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler. Number of rules (primarily dangerous function names) in C/C++ ruleset: 223 Examining data/gtkpool-0.5.0/gtkpool/moving.cpp Examining data/gtkpool-0.5.0/gtkpool/game.cpp Examining data/gtkpool-0.5.0/gtkpool/indentify_ball.cpp Examining data/gtkpool-0.5.0/gtkpool/support.cpp Examining data/gtkpool-0.5.0/gtkpool/ball.cpp Examining data/gtkpool-0.5.0/gtkpool/circle.cpp Examining data/gtkpool-0.5.0/gtkpool/point2d.cpp Examining data/gtkpool-0.5.0/gtkpool/vec2d.cpp Examining data/gtkpool-0.5.0/gtkpool/options.cpp Examining data/gtkpool-0.5.0/gtkpool/sound.cpp Examining data/gtkpool-0.5.0/gtkpool/check_pocket.cpp Examining data/gtkpool-0.5.0/gtkpool/pointer_selects.cpp Examining data/gtkpool-0.5.0/gtkpool/draw_ball.cpp Examining data/gtkpool-0.5.0/gtkpool/apply_friction.cpp Examining data/gtkpool-0.5.0/gtkpool/move_balls.cpp Examining data/gtkpool-0.5.0/gtkpool/check_table_collision.cpp Examining data/gtkpool-0.5.0/gtkpool/connectdialog.cpp Examining data/gtkpool-0.5.0/gtkpool/application.cpp Examining data/gtkpool-0.5.0/gtkpool/main.cpp Examining data/gtkpool-0.5.0/gtkpool/application.h Examining data/gtkpool-0.5.0/gtkpool/connectdialog.h Examining data/gtkpool-0.5.0/gtkpool/check_table_collision.h Examining data/gtkpool-0.5.0/gtkpool/move_balls.h Examining data/gtkpool-0.5.0/gtkpool/apply_friction.h Examining data/gtkpool-0.5.0/gtkpool/draw_ball.h Examining data/gtkpool-0.5.0/gtkpool/pointer_selects.h Examining data/gtkpool-0.5.0/gtkpool/check_pocket.h Examining data/gtkpool-0.5.0/gtkpool/sound.h Examining data/gtkpool-0.5.0/gtkpool/options.h Examining data/gtkpool-0.5.0/gtkpool/vec2d.h Examining data/gtkpool-0.5.0/gtkpool/point2d.h Examining data/gtkpool-0.5.0/gtkpool/circle.h Examining data/gtkpool-0.5.0/gtkpool/ball.h Examining data/gtkpool-0.5.0/gtkpool/support.h Examining data/gtkpool-0.5.0/gtkpool/indentify_ball.h Examining data/gtkpool-0.5.0/gtkpool/game.h Examining data/gtkpool-0.5.0/gtkpool/moving.h FINAL RESULTS: data/gtkpool-0.5.0/gtkpool/application.cpp:675:3: [4] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). strcpy (full_filename, directory); data/gtkpool-0.5.0/gtkpool/application.cpp:676:3: [4] (buffer) strcat: Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). strcat (full_filename, G_DIR_SEPARATOR_S); data/gtkpool-0.5.0/gtkpool/application.cpp:677:3: [4] (buffer) strcat: Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). strcat (full_filename, filename); data/gtkpool-0.5.0/gtkpool/main.cpp:443:3: [4] (buffer) strcat: Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). strcat(p1_name, app.thegame->player_1.player_name); data/gtkpool-0.5.0/gtkpool/main.cpp:444:3: [4] (buffer) strcat: Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). strcat(p2_name, app.thegame->player_2.player_name); data/gtkpool-0.5.0/gtkpool/main.cpp:453:4: [4] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). strcpy(app.s1, g_strdup_printf("-%d-", app.thegame->player_1.score)); data/gtkpool-0.5.0/gtkpool/main.cpp:454:4: [4] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). strcpy(app.s2, g_strdup_printf("-%d-", app.thegame->player_2.score)); data/gtkpool-0.5.0/gtkpool/support.cpp:152:3: [4] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). strcpy (full_filename, directory); data/gtkpool-0.5.0/gtkpool/support.cpp:153:3: [4] (buffer) strcat: Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). strcat (full_filename, G_DIR_SEPARATOR_S); data/gtkpool-0.5.0/gtkpool/support.cpp:154:3: [4] (buffer) strcat: Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). strcat (full_filename, filename); data/gtkpool-0.5.0/gtkpool/application.cpp:226:7: [2] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string. strcpy(thegame->comment, "Nice Shot!\n"); data/gtkpool-0.5.0/gtkpool/application.cpp:762:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char filename[20] = "ball_hit.raw"; data/gtkpool-0.5.0/gtkpool/application.cpp:777:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char filename2[20] = "ball_drop.raw"; data/gtkpool-0.5.0/gtkpool/application.h:67:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char coll_snd[12000]; data/gtkpool-0.5.0/gtkpool/application.h:69:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char bnc_snd[1025]; data/gtkpool-0.5.0/gtkpool/application.h:71:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char pock_snd[194000]; data/gtkpool-0.5.0/gtkpool/game.cpp:30:2: [2] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string. strcpy(this->player_1.player_name, "Player 1"); data/gtkpool-0.5.0/gtkpool/game.cpp:31:2: [2] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string. strcpy(this->player_2.player_name, "Player 2"); data/gtkpool-0.5.0/gtkpool/game.cpp:65:4: [2] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string. strcpy(this->comment, "Awww, so close, but you blew it.\n"); data/gtkpool-0.5.0/gtkpool/game.cpp:70:4: [2] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string. strcpy(this->comment, "Oops, you scratched\n"); data/gtkpool-0.5.0/gtkpool/game.cpp:79:4: [2] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string. strcpy(this->comment, "You shouldn't play with other peoples balls.\n"); data/gtkpool-0.5.0/gtkpool/game.cpp:81:4: [2] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string. strcpy(this->comment, "That's not the lowest ball.\n"); data/gtkpool-0.5.0/gtkpool/game.cpp:86:3: [2] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string. strcpy(this->comment, "Missed them all!\n"); data/gtkpool-0.5.0/gtkpool/game.cpp:158:5: [2] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string. strcpy(this->comment, "Nice Shot!\n"); data/gtkpool-0.5.0/gtkpool/game.cpp:170:5: [2] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string. strcpy(this->comment, "Hey! Wrong ball.\n"); data/gtkpool-0.5.0/gtkpool/game.cpp:186:5: [2] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string. strcpy(this->comment, "Nice Shot!\n"); data/gtkpool-0.5.0/gtkpool/game.cpp:198:5: [2] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string. strcpy(this->comment, "Hey! Wrong ball.\n"); data/gtkpool-0.5.0/gtkpool/game.cpp:215:4: [2] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string. strcpy(this->comment, "Nice Shot!\n"); data/gtkpool-0.5.0/gtkpool/game.cpp:225:4: [2] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string. strcpy(this->comment, "Nice Shot!\n"); data/gtkpool-0.5.0/gtkpool/game.cpp:240:5: [2] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string. strcpy(this->comment, "Nice Shot!\n"); data/gtkpool-0.5.0/gtkpool/game.cpp:253:5: [2] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string. strcpy(this->comment, "Nice Shot!\n"); data/gtkpool-0.5.0/gtkpool/game.h:39:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char player_name [30]; // Player's name data/gtkpool-0.5.0/gtkpool/game.h:51:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char comment [100]; // Place a message in here to display data/gtkpool-0.5.0/gtkpool/main.cpp:386:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char p1_name [31]; data/gtkpool-0.5.0/gtkpool/main.cpp:387:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char p2_name [31]; data/gtkpool-0.5.0/gtkpool/sound.cpp:75:11: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). int fd = open(file, O_RDONLY); data/gtkpool-0.5.0/gtkpool/sound.cpp:83:18: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). if ((audio_fd = open("/dev/dsp", O_WRONLY, 0)) == -1) { data/gtkpool-0.5.0/gtkpool/application.cpp:43:3: [1] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant character. strcpy(s1, "0"); data/gtkpool-0.5.0/gtkpool/application.cpp:44:3: [1] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant character. strcpy(s2, "0"); data/gtkpool-0.5.0/gtkpool/application.cpp:673:38: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). full_filename = (gchar*) g_malloc (strlen (directory) + 1 data/gtkpool-0.5.0/gtkpool/application.cpp:674:40: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). + strlen (filename) + 1); data/gtkpool-0.5.0/gtkpool/main.cpp:411:4: [1] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant character. strcpy(p1_name, "*"); data/gtkpool-0.5.0/gtkpool/main.cpp:412:4: [1] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant character. strcpy(p2_name, " "); data/gtkpool-0.5.0/gtkpool/main.cpp:418:4: [1] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant character. strcpy(p1_name, " "); data/gtkpool-0.5.0/gtkpool/main.cpp:419:4: [1] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant character. strcpy(p2_name, "*"); data/gtkpool-0.5.0/gtkpool/main.cpp:575:6: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if(!strlen(gtk_entry_get_text(GTK_ENTRY(app->connect_dialog->host_entry)))) data/gtkpool-0.5.0/gtkpool/main.cpp:579:11: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). else if(!strlen(gtk_entry_get_text(GTK_ENTRY(app->connect_dialog->port_entry)))) data/gtkpool-0.5.0/gtkpool/main.cpp:583:11: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). else if(!strlen(gtk_entry_get_text(GTK_ENTRY(app->connect_dialog->handle_entry)))) data/gtkpool-0.5.0/gtkpool/sound.cpp:76:11: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). *count = read(fd, buffer, *count); data/gtkpool-0.5.0/gtkpool/support.cpp:150:38: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). full_filename = (gchar*) g_malloc (strlen (directory) + 1 data/gtkpool-0.5.0/gtkpool/support.cpp:151:40: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). + strlen (filename) + 1); ANALYSIS SUMMARY: Hits = 51 Lines analyzed = 4122 in approximately 0.18 seconds (23216 lines/second) Physical Source Lines of Code (SLOC) = 2805 Hits@level = [0] 0 [1] 14 [2] 27 [3] 0 [4] 10 [5] 0 Hits@level+ = [0+] 51 [1+] 51 [2+] 37 [3+] 10 [4+] 10 [5+] 0 Hits/KSLOC@level+ = [0+] 18.1818 [1+] 18.1818 [2+] 13.1907 [3+] 3.56506 [4+] 3.56506 [5+] 0 Dot directories skipped = 1 (--followdotdir overrides) Minimum risk level = 1 Not every hit is necessarily a security vulnerability. There may be other security vulnerabilities; review your code! See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.