Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/kiconthemes-5.74.0/autotests/kicontheme_unittest.cpp
Examining data/kiconthemes-5.74.0/autotests/kiconloader_benchmark.cpp
Examining data/kiconthemes-5.74.0/autotests/kiconloader_unittest.cpp
Examining data/kiconthemes-5.74.0/autotests/kiconloader_rcctest.cpp
Examining data/kiconthemes-5.74.0/autotests/kicondialog_unittest.cpp
Examining data/kiconthemes-5.74.0/autotests/kiconengine_unittest.cpp
Examining data/kiconthemes-5.74.0/autotests/kiconloader_resourcethemetest.cpp
Examining data/kiconthemes-5.74.0/tests/kicondialogtest.cpp
Examining data/kiconthemes-5.74.0/tests/kiconbuttontest.cpp
Examining data/kiconthemes-5.74.0/tests/kiconeffecttest.cpp
Examining data/kiconthemes-5.74.0/tests/kiconloadertest.cpp
Examining data/kiconthemes-5.74.0/tests/kiconeffecttest.h
Examining data/kiconthemes-5.74.0/src/kicontheme.h
Examining data/kiconthemes-5.74.0/src/kiconengineplugin.cpp
Examining data/kiconthemes-5.74.0/src/kiconloader.cpp
Examining data/kiconthemes-5.74.0/src/kiconeffect.cpp
Examining data/kiconthemes-5.74.0/src/kiconbutton.h
Examining data/kiconthemes-5.74.0/src/kiconeffect.h
Examining data/kiconthemes-5.74.0/src/kicontheme.cpp
Examining data/kiconthemes-5.74.0/src/kicondialog_p.h
Examining data/kiconthemes-5.74.0/src/kiconloader.h
Examining data/kiconthemes-5.74.0/src/kicondialog.h
Examining data/kiconthemes-5.74.0/src/tools/kiconfinder/kiconfinder.cpp
Examining data/kiconthemes-5.74.0/src/tools/ksvg2icns/ksvg2icns.cpp
Examining data/kiconthemes-5.74.0/src/kicondialog.cpp
Examining data/kiconthemes-5.74.0/src/kiconengine.h
Examining data/kiconthemes-5.74.0/src/kiconbutton.cpp
Examining data/kiconthemes-5.74.0/src/kiconengine.cpp
FINAL RESULTS:
data/kiconthemes-5.74.0/src/kiconloader.cpp:775:27: [5] (race) readlink:
This accepts filename arguments; if an attacker can move those files or
change the link content, a race condition results. Also, it does not
terminate with ASCII NUL. (CWE-362, CWE-20). Reconsider approach.
const int r = readlink(QFile::encodeName(*it + *it2), buf, sizeof(buf) - 1);
data/kiconthemes-5.74.0/src/tools/ksvg2icns/ksvg2icns.cpp:27:13: [4] (format) fprintf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
fprintf(stderr, __VA_ARGS__); \
data/kiconthemes-5.74.0/src/kiconeffect.cpp:601:13: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(dst.scanLine(y * 2 + 1), l2, dst.bytesPerLine());
data/kiconthemes-5.74.0/src/kiconeffect.cpp:617:13: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(dst.scanLine(y * 2 + 1), l2, dst.bytesPerLine());
data/kiconthemes-5.74.0/src/kiconloader.cpp:440:14: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if (file.open(QIODevice::ReadOnly)) {
data/kiconthemes-5.74.0/src/kiconloader.cpp:761:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[1000];
data/kiconthemes-5.74.0/src/kiconloader.cpp:885:18: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if (!device->open(QIODevice::ReadOnly)) {
data/kiconthemes-5.74.0/src/kiconloader.cpp:903:12: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
buffer.open(QIODevice::WriteOnly);
data/kiconthemes-5.74.0/src/kiconloader.cpp:959:12: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
output.open(QIODevice::WriteOnly);
data/kiconthemes-5.74.0/src/kiconloader.cpp:1005:12: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
buffer.open(QIODevice::ReadOnly);
data/kiconthemes-5.74.0/src/kiconengine.cpp:145:19: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
bool KIconEngine::read(QDataStream &in)
data/kiconthemes-5.74.0/src/kiconengine.h:69:10: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
bool read(QDataStream &in) override;
data/kiconthemes-5.74.0/src/kiconloader.cpp:946:19: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
return reader.read();
ANALYSIS SUMMARY:
Hits = 13
Lines analyzed = 7689 in approximately 0.27 seconds (27987 lines/second)
Physical Source Lines of Code (SLOC) = 4880
Hits@level = [0] 3 [1] 3 [2] 8 [3] 0 [4] 1 [5] 1
Hits@level+ = [0+] 16 [1+] 13 [2+] 10 [3+] 2 [4+] 2 [5+] 1
Hits/KSLOC@level+ = [0+] 3.27869 [1+] 2.66393 [2+] 2.04918 [3+] 0.409836 [4+] 0.409836 [5+] 0.204918
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.