Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/kgoldrunner-20.04.2/src/kgrgame.cpp
Examining data/kgoldrunner-20.04.2/src/kgrdebug.h
Parsing failed to find end of parameter list in (
#define dbo1 if(dbgLevel>=1)printf(
#define dbo2 if(dbgLevel>=2)printf(
#define dbo3 if(dbgLevel>=3)printf(
#define dbe fprintf(stderr,
#define dbe1 if(dbgLevel>=1)fprintf(stderr,
#define dbe2 if(
Parsing failed to find end of parameter list in (
#define dbo2 if(dbgLevel>=2)printf(
#define dbo3 if(dbgLevel>=3)printf(
#define dbe fprintf(stderr,
#define dbe1 if(dbgLevel>=1)fprintf(stderr,
#define dbe2 if(dbgLevel>=2)fprintf(stderr,
#define
Parsing failed to find end of parameter list in (
#define dbo3 if(dbgLevel>=3)printf(
#define dbe fprintf(stderr,
#define dbe1 if(dbgLevel>=1)fprintf(stderr,
#define dbe2 if(dbgLevel>=2)fprintf(stderr,
#define dbe3 if(dbgLevel>=3)fprintf(stderr,
Parsing failed to find end of parameter list in (
#define dbe fprintf(stderr,
#define dbe1 if(dbgLevel>=1)fprintf(stderr,
#define dbe2 if(dbgLevel>=2)fprintf(stderr,
#define dbe3 if(dbgLevel>=3)fprintf(stderr,
#endif
Parsing failed to find end of parameter list in (stderr,
#define dbe1 if(dbgLevel>=1)fprintf(stderr,
#define dbe2 if(dbgLevel>=2)fprintf(stderr,
#define dbe3 if(dbgLevel>=3)fprintf(stderr,
#endif
Parsing failed to find end of parameter list in (stderr,
#define dbe2 if(dbgLevel>=2)fprintf(stderr,
#define dbe3 if(dbgLevel>=3)fprintf(stderr,
#endif
Parsing failed to find end of parameter list in (stderr,
#define dbe3 if(dbgLevel>=3)fprintf(stderr,
#endif
Parsing failed to find end of parameter list in (stderr,
#endif
Examining data/kgoldrunner-20.04.2/src/kgrsounds.cpp
Examining data/kgoldrunner-20.04.2/src/kgrview.cpp
Examining data/kgoldrunner-20.04.2/src/kgrrunner.h
Examining data/kgoldrunner-20.04.2/src/kgrrenderer.h
Examining data/kgoldrunner-20.04.2/src/kgrsprite.cpp
Examining data/kgoldrunner-20.04.2/src/kgrlevelgrid.h
Examining data/kgoldrunner-20.04.2/src/kgrlevelgrid.cpp
Examining data/kgoldrunner-20.04.2/src/kgrlevelplayer.cpp
Examining data/kgoldrunner-20.04.2/src/kgrsounds.h
Examining data/kgoldrunner-20.04.2/src/kgrtimer.h
Examining data/kgoldrunner-20.04.2/src/kgrrenderer.cpp
Examining data/kgoldrunner-20.04.2/src/kgreditor.h
Examining data/kgoldrunner-20.04.2/src/kgrgameio.h
Examining data/kgoldrunner-20.04.2/src/kgrrulebook.cpp
Examining data/kgoldrunner-20.04.2/src/kgrview.h
Examining data/kgoldrunner-20.04.2/src/kgrthemetypes.cpp
Examining data/kgoldrunner-20.04.2/src/kgoldrunner.h
Examining data/kgoldrunner-20.04.2/src/kgrglobals.h
Examining data/kgoldrunner-20.04.2/src/kgrtimer.cpp
Examining data/kgoldrunner-20.04.2/src/main.cpp
Examining data/kgoldrunner-20.04.2/src/kgrdialog.cpp
Examining data/kgoldrunner-20.04.2/src/kgrrulebook.h
Examining data/kgoldrunner-20.04.2/src/kgrlevelplayer.h
Examining data/kgoldrunner-20.04.2/src/kgrthemetypes.h
Examining data/kgoldrunner-20.04.2/src/kgrscene.cpp
Examining data/kgoldrunner-20.04.2/src/kgoldrunner.cpp
Examining data/kgoldrunner-20.04.2/src/kgrgameio.cpp
Examining data/kgoldrunner-20.04.2/src/kgreditor.cpp
Examining data/kgoldrunner-20.04.2/src/kgrselector.h
Examining data/kgoldrunner-20.04.2/src/kgrdialog.h
Examining data/kgoldrunner-20.04.2/src/kgrsprite.h
Examining data/kgoldrunner-20.04.2/src/kgrgame.h
Examining data/kgoldrunner-20.04.2/src/kgrscene.h
Examining data/kgoldrunner-20.04.2/src/kgrselector.cpp
Examining data/kgoldrunner-20.04.2/src/kgrrunner.cpp
FINAL RESULTS:
data/kgoldrunner-20.04.2/src/kgrdebug.h:28:14: [4] (format) printf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
#define dbo printf(
data/kgoldrunner-20.04.2/src/kgrdebug.h:29:29: [4] (format) printf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
#define dbo1 if(dbgLevel>=1)printf(
data/kgoldrunner-20.04.2/src/kgrdebug.h:30:29: [4] (format) printf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
#define dbo2 if(dbgLevel>=2)printf(
data/kgoldrunner-20.04.2/src/kgrdebug.h:31:29: [4] (format) printf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
#define dbo3 if(dbgLevel>=3)printf(
data/kgoldrunner-20.04.2/src/kgrdebug.h:33:14: [4] (format) fprintf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
#define dbe fprintf(stderr,
data/kgoldrunner-20.04.2/src/kgrdebug.h:34:29: [4] (format) fprintf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
#define dbe1 if(dbgLevel>=1)fprintf(stderr,
data/kgoldrunner-20.04.2/src/kgrdebug.h:35:29: [4] (format) fprintf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
#define dbe2 if(dbgLevel>=2)fprintf(stderr,
data/kgoldrunner-20.04.2/src/kgrdebug.h:36:29: [4] (format) fprintf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
#define dbe3 if(dbgLevel>=3)fprintf(stderr,
data/kgoldrunner-20.04.2/src/kgrlevelgrid.cpp:143:12: [4] (race) access:
This usually indicates a security flaw. If an attacker can change anything
along the path between the call to access() and the file's actual use
(e.g., by moving files), the attacker can exploit the race condition
(CWE-362/CWE-367!). Set up the correct permissions (e.g., using setuid())
and try to open the file directly.
if (! (access & ENTERABLE) && (here != FBRICK)) {
data/kgoldrunner-20.04.2/src/kgrlevelgrid.cpp:149:2: [4] (race) access:
This usually indicates a security flaw. If an attacker can change anything
along the path between the call to access() and the file's actual use
(e.g., by moving files), the attacker can exploit the race condition
(CWE-362/CWE-367!). Set up the correct permissions (e.g., using setuid())
and try to open the file directly.
access |= (dFlag [STAND] | dFlag [DOWN] |
data/kgoldrunner-20.04.2/src/kgrlevelgrid.cpp:155:2: [4] (race) access:
This usually indicates a security flaw. If an attacker can change anything
along the path between the call to access() and the file's actual use
(e.g., by moving files), the attacker can exploit the race condition
(CWE-362/CWE-367!). Set up the correct permissions (e.g., using setuid())
and try to open the file directly.
access |= (dFlag [DOWN] | dFlag [LEFT] | dFlag [RIGHT]);
data/kgoldrunner-20.04.2/src/kgrlevelgrid.cpp:159:2: [4] (race) access:
This usually indicates a security flaw. If an attacker can change anything
along the path between the call to access() and the file's actual use
(e.g., by moving files), the attacker can exploit the race condition
(CWE-362/CWE-367!). Set up the correct permissions (e.g., using setuid())
and try to open the file directly.
access |= dFlag [UP];
data/kgoldrunner-20.04.2/src/kgrlevelgrid.cpp:164:9: [4] (race) access:
This usually indicates a security flaw. If an attacker can change anything
along the path between the call to access() and the file's actual use
(e.g., by moving files), the attacker can exploit the race condition
(CWE-362/CWE-367!). Set up the correct permissions (e.g., using setuid())
and try to open the file directly.
if (access != 0) {
data/kgoldrunner-20.04.2/src/kgrlevelgrid.cpp:166:36: [4] (race) access:
This usually indicates a security flaw. If an attacker can change anything
along the path between the call to access() and the file's actual use
(e.g., by moving files), the attacker can exploit the race condition
(CWE-362/CWE-367!). Set up the correct permissions (e.g., using setuid())
and try to open the file directly.
access = ~dFlag [UP] & access; // Cannot go up.
data/kgoldrunner-20.04.2/src/kgrlevelgrid.cpp:169:38: [4] (race) access:
This usually indicates a security flaw. If an attacker can change anything
along the path between the call to access() and the file's actual use
(e.g., by moving files), the attacker can exploit the race condition
(CWE-362/CWE-367!). Set up the correct permissions (e.g., using setuid())
and try to open the file directly.
access = ~dFlag [LEFT] & access; // Cannot go left.
data/kgoldrunner-20.04.2/src/kgrlevelgrid.cpp:172:39: [4] (race) access:
This usually indicates a security flaw. If an attacker can change anything
along the path between the call to access() and the file's actual use
(e.g., by moving files), the attacker can exploit the race condition
(CWE-362/CWE-367!). Set up the correct permissions (e.g., using setuid())
and try to open the file directly.
access = ~dFlag [RIGHT] & access; // Cannot go right.
data/kgoldrunner-20.04.2/src/kgrlevelgrid.cpp:176:42: [4] (race) access:
This usually indicates a security flaw. If an attacker can change anything
along the path between the call to access() and the file's actual use
(e.g., by moving files), the attacker can exploit the race condition
(CWE-362/CWE-367!). Set up the correct permissions (e.g., using setuid())
and try to open the file directly.
access = ~dFlag [DOWN] & access; // Cannot go down.
data/kgoldrunner-20.04.2/src/kgrlevelgrid.cpp:181:34: [4] (race) access:
This usually indicates a security flaw. If an attacker can change anything
along the path between the call to access() and the file's actual use
(e.g., by moving files), the attacker can exploit the race condition
(CWE-362/CWE-367!). Set up the correct permissions (e.g., using setuid())
and try to open the file directly.
heroAccess [index (i, j)] = access;
data/kgoldrunner-20.04.2/src/kgrlevelplayer.cpp:1213:22: [4] (race) access:
This usually indicates a security flaw. If an attacker can change anything
along the path between the call to access() and the file's actual use
(e.g., by moving files), the attacker can exploit the race condition
(CWE-362/CWE-367!). Set up the correct permissions (e.g., using setuid())
and try to open the file directly.
int enter = (access & ENTERABLE) ? 1 : 0;
data/kgoldrunner-20.04.2/src/kgrlevelplayer.cpp:1214:22: [4] (race) access:
This usually indicates a security flaw. If an attacker can change anything
along the path between the call to access() and the file's actual use
(e.g., by moving files), the attacker can exploit the race condition
(CWE-362/CWE-367!). Set up the correct permissions (e.g., using setuid())
and try to open the file directly.
int stand = (access & dFlag [STAND]) ? 1 : 0;
data/kgoldrunner-20.04.2/src/kgrlevelplayer.cpp:1215:22: [4] (race) access:
This usually indicates a security flaw. If an attacker can change anything
along the path between the call to access() and the file's actual use
(e.g., by moving files), the attacker can exploit the race condition
(CWE-362/CWE-367!). Set up the correct permissions (e.g., using setuid())
and try to open the file directly.
int u = (access & dFlag [UP]) ? 1 : 0;
data/kgoldrunner-20.04.2/src/kgrlevelplayer.cpp:1216:22: [4] (race) access:
This usually indicates a security flaw. If an attacker can change anything
along the path between the call to access() and the file's actual use
(e.g., by moving files), the attacker can exploit the race condition
(CWE-362/CWE-367!). Set up the correct permissions (e.g., using setuid())
and try to open the file directly.
int d = (access & dFlag [DOWN]) ? 1 : 0;
data/kgoldrunner-20.04.2/src/kgrlevelplayer.cpp:1217:22: [4] (race) access:
This usually indicates a security flaw. If an attacker can change anything
along the path between the call to access() and the file's actual use
(e.g., by moving files), the attacker can exploit the race condition
(CWE-362/CWE-367!). Set up the correct permissions (e.g., using setuid())
and try to open the file directly.
int l = (access & dFlag [LEFT]) ? 1 : 0;
data/kgoldrunner-20.04.2/src/kgrlevelplayer.cpp:1218:22: [4] (race) access:
This usually indicates a security flaw. If an attacker can change anything
along the path between the call to access() and the file's actual use
(e.g., by moving files), the attacker can exploit the race condition
(CWE-362/CWE-367!). Set up the correct permissions (e.g., using setuid())
and try to open the file directly.
int r = (access & dFlag [RIGHT]) ? 1 : 0;
data/kgoldrunner-20.04.2/src/kgrlevelplayer.cpp:1221:19: [4] (race) access:
This usually indicates a security flaw. If an attacker can change anything
along the path between the call to access() and the file's actual use
(e.g., by moving files), the attacker can exploit the race condition
(CWE-362/CWE-367!). Set up the correct permissions (e.g., using setuid())
and try to open the file directly.
i, j, here, access, enter, stand, u, d, l, r, enemyId);
data/kgoldrunner-20.04.2/src/kgrlevelplayer.cpp:1224:20: [4] (race) access:
This usually indicates a security flaw. If an attacker can change anything
along the path between the call to access() and the file's actual use
(e.g., by moving files), the attacker can exploit the race condition
(CWE-362/CWE-367!). Set up the correct permissions (e.g., using setuid())
and try to open the file directly.
if (eAccess != access) {
data/kgoldrunner-20.04.2/src/kgrlevelplayer.cpp:1226:22: [4] (race) access:
This usually indicates a security flaw. If an attacker can change anything
along the path between the call to access() and the file's actual use
(e.g., by moving files), the attacker can exploit the race condition
(CWE-362/CWE-367!). Set up the correct permissions (e.g., using setuid())
and try to open the file directly.
enter = (access & ENTERABLE) ? 1 : 0;
data/kgoldrunner-20.04.2/src/kgrlevelplayer.cpp:1227:22: [4] (race) access:
This usually indicates a security flaw. If an attacker can change anything
along the path between the call to access() and the file's actual use
(e.g., by moving files), the attacker can exploit the race condition
(CWE-362/CWE-367!). Set up the correct permissions (e.g., using setuid())
and try to open the file directly.
stand = (access & dFlag [STAND]) ? 1 : 0;
data/kgoldrunner-20.04.2/src/kgrlevelplayer.cpp:1228:22: [4] (race) access:
This usually indicates a security flaw. If an attacker can change anything
along the path between the call to access() and the file's actual use
(e.g., by moving files), the attacker can exploit the race condition
(CWE-362/CWE-367!). Set up the correct permissions (e.g., using setuid())
and try to open the file directly.
u = (access & dFlag [UP]) ? 1 : 0;
data/kgoldrunner-20.04.2/src/kgrlevelplayer.cpp:1229:22: [4] (race) access:
This usually indicates a security flaw. If an attacker can change anything
along the path between the call to access() and the file's actual use
(e.g., by moving files), the attacker can exploit the race condition
(CWE-362/CWE-367!). Set up the correct permissions (e.g., using setuid())
and try to open the file directly.
d = (access & dFlag [DOWN]) ? 1 : 0;
data/kgoldrunner-20.04.2/src/kgrlevelplayer.cpp:1230:22: [4] (race) access:
This usually indicates a security flaw. If an attacker can change anything
along the path between the call to access() and the file's actual use
(e.g., by moving files), the attacker can exploit the race condition
(CWE-362/CWE-367!). Set up the correct permissions (e.g., using setuid())
and try to open the file directly.
l = (access & dFlag [LEFT]) ? 1 : 0;
data/kgoldrunner-20.04.2/src/kgrlevelplayer.cpp:1231:22: [4] (race) access:
This usually indicates a security flaw. If an attacker can change anything
along the path between the call to access() and the file's actual use
(e.g., by moving files), the attacker can exploit the race condition
(CWE-362/CWE-367!). Set up the correct permissions (e.g., using setuid())
and try to open the file directly.
r = (access & dFlag [RIGHT]) ? 1 : 0;
data/kgoldrunner-20.04.2/src/kgrlevelplayer.cpp:1234:19: [4] (race) access:
This usually indicates a security flaw. If an attacker can change anything
along the path between the call to access() and the file's actual use
(e.g., by moving files), the attacker can exploit the race condition
(CWE-362/CWE-367!). Set up the correct permissions (e.g., using setuid())
and try to open the file directly.
i, j, here, access, enter, stand, u, d, l, r);
data/kgoldrunner-20.04.2/src/kgrrunner.cpp:559:11: [3] (random) random:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
uchar random;
data/kgoldrunner-20.04.2/src/kgrrunner.cpp:564:33: [3] (random) random:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
dbk3 << "Random" << random << "at NUGGET" << gridI << gridJ;
data/kgoldrunner-20.04.2/src/kgrrunner.cpp:565:24: [3] (random) random:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
collect = (random >= 80);
data/kgoldrunner-20.04.2/src/kgrrunner.cpp:579:33: [3] (random) random:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
dbk3 << "Random" << random << "for DROP " << gridI << gridJ;
data/kgoldrunner-20.04.2/src/kgrrunner.cpp:580:17: [3] (random) random:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
if (random >= 93) {
data/kgoldrunner-20.04.2/src/kgreditor.cpp:270:21: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if (! levelFile.open (QIODevice::WriteOnly)) {
data/kgoldrunner-20.04.2/src/kgreditor.cpp:788:13: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if (! c.open (QIODevice::WriteOnly)) {
data/kgoldrunner-20.04.2/src/kgrgame.cpp:1497:17: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if (! file2.open (QIODevice::WriteOnly)) {
data/kgoldrunner-20.04.2/src/kgrgame.cpp:1507:21: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if (! file1.open (QIODevice::ReadOnly)) {
data/kgoldrunner-20.04.2/src/kgrgame.cpp:1551:22: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if (! savedGames.open (QIODevice::ReadOnly)) {
data/kgoldrunner-20.04.2/src/kgrgame.cpp:1665:21: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if (! high1.open (QIODevice::ReadOnly)) {
data/kgoldrunner-20.04.2/src/kgrgame.cpp:1705:17: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if (! high2.open (QIODevice::WriteOnly)) {
data/kgoldrunner-20.04.2/src/kgrgame.cpp:1868:17: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if (! high1.open (QIODevice::ReadOnly)) {
data/kgoldrunner-20.04.2/src/kgrgameio.cpp:68:24: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if (! openFile.open (QIODevice::ReadOnly)) {
data/kgoldrunner-20.04.2/src/kgrgameio.cpp:216:20: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if (! openFile.open (QIODevice::ReadOnly)) {
data/kgoldrunner-20.04.2/src/kgrscene.cpp:593:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char type[2] = {HERO, ENEMY};
ANALYSIS SUMMARY:
Hits = 49
Lines analyzed = 13375 in approximately 0.36 seconds (36884 lines/second)
Physical Source Lines of Code (SLOC) = 8920
Hits@level = [0] 13 [1] 0 [2] 11 [3] 5 [4] 33 [5] 0
Hits@level+ = [0+] 62 [1+] 49 [2+] 49 [3+] 38 [4+] 33 [5+] 0
Hits/KSLOC@level+ = [0+] 6.95067 [1+] 5.49327 [2+] 5.49327 [3+] 4.26009 [4+] 3.69955 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.