Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/kiconthemes-5.74.0/autotests/kicontheme_unittest.cpp
Examining data/kiconthemes-5.74.0/autotests/kiconloader_benchmark.cpp
Examining data/kiconthemes-5.74.0/autotests/kiconloader_unittest.cpp
Examining data/kiconthemes-5.74.0/autotests/kiconloader_rcctest.cpp
Examining data/kiconthemes-5.74.0/autotests/kicondialog_unittest.cpp
Examining data/kiconthemes-5.74.0/autotests/kiconengine_unittest.cpp
Examining data/kiconthemes-5.74.0/autotests/kiconloader_resourcethemetest.cpp
Examining data/kiconthemes-5.74.0/tests/kicondialogtest.cpp
Examining data/kiconthemes-5.74.0/tests/kiconbuttontest.cpp
Examining data/kiconthemes-5.74.0/tests/kiconeffecttest.cpp
Examining data/kiconthemes-5.74.0/tests/kiconloadertest.cpp
Examining data/kiconthemes-5.74.0/tests/kiconeffecttest.h
Examining data/kiconthemes-5.74.0/src/kicontheme.h
Examining data/kiconthemes-5.74.0/src/kiconengineplugin.cpp
Examining data/kiconthemes-5.74.0/src/kiconloader.cpp
Examining data/kiconthemes-5.74.0/src/kiconeffect.cpp
Examining data/kiconthemes-5.74.0/src/kiconbutton.h
Examining data/kiconthemes-5.74.0/src/kiconeffect.h
Examining data/kiconthemes-5.74.0/src/kicontheme.cpp
Examining data/kiconthemes-5.74.0/src/kicondialog_p.h
Examining data/kiconthemes-5.74.0/src/kiconloader.h
Examining data/kiconthemes-5.74.0/src/kicondialog.h
Examining data/kiconthemes-5.74.0/src/tools/kiconfinder/kiconfinder.cpp
Examining data/kiconthemes-5.74.0/src/tools/ksvg2icns/ksvg2icns.cpp
Examining data/kiconthemes-5.74.0/src/kicondialog.cpp
Examining data/kiconthemes-5.74.0/src/kiconengine.h
Examining data/kiconthemes-5.74.0/src/kiconbutton.cpp
Examining data/kiconthemes-5.74.0/src/kiconengine.cpp

FINAL RESULTS:

data/kiconthemes-5.74.0/src/kiconloader.cpp:775:27:  [5] (race) readlink:
  This accepts filename arguments; if an attacker can move those files or
  change the link content, a race condition results. Also, it does not
  terminate with ASCII NUL. (CWE-362, CWE-20). Reconsider approach.
  const int r = readlink(QFile::encodeName(*it + *it2), buf, sizeof(buf) - 1);
data/kiconthemes-5.74.0/src/tools/ksvg2icns/ksvg2icns.cpp:27:13:  [4] (format) fprintf:
  If format strings can be influenced by an attacker, they can be exploited
  (CWE-134). Use a constant for the format specification.
  fprintf(stderr, __VA_ARGS__); \
data/kiconthemes-5.74.0/src/kiconeffect.cpp:601:13:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(dst.scanLine(y * 2 + 1), l2, dst.bytesPerLine());
data/kiconthemes-5.74.0/src/kiconeffect.cpp:617:13:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(dst.scanLine(y * 2 + 1), l2, dst.bytesPerLine());
data/kiconthemes-5.74.0/src/kiconloader.cpp:440:14:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move
  things around to create a race condition, control its ancestors, or change
  its contents? (CWE-362).
  if (file.open(QIODevice::ReadOnly)) {
data/kiconthemes-5.74.0/src/kiconloader.cpp:761:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buf[1000];
data/kiconthemes-5.74.0/src/kiconloader.cpp:885:18:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move
  things around to create a race condition, control its ancestors, or change
  its contents? (CWE-362).
  if (!device->open(QIODevice::ReadOnly)) {
data/kiconthemes-5.74.0/src/kiconloader.cpp:903:12:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move
  things around to create a race condition, control its ancestors, or change
  its contents? (CWE-362).
  buffer.open(QIODevice::WriteOnly);
data/kiconthemes-5.74.0/src/kiconloader.cpp:959:12:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move
  things around to create a race condition, control its ancestors, or change
  its contents? (CWE-362).
  output.open(QIODevice::WriteOnly);
data/kiconthemes-5.74.0/src/kiconloader.cpp:1005:12:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move
  things around to create a race condition, control its ancestors, or change
  its contents? (CWE-362).
  buffer.open(QIODevice::ReadOnly);
data/kiconthemes-5.74.0/src/kiconengine.cpp:145:19:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  bool KIconEngine::read(QDataStream &in)
data/kiconthemes-5.74.0/src/kiconengine.h:69:10:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  bool read(QDataStream &in) override;
data/kiconthemes-5.74.0/src/kiconloader.cpp:946:19:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  return reader.read();

ANALYSIS SUMMARY:

Hits = 13
Lines analyzed = 7689 in approximately 0.27 seconds (27987 lines/second)
Physical Source Lines of Code (SLOC) = 4880
Hits@level = [0]   3 [1]   3 [2]   8 [3]   0 [4]   1 [5]   1
Hits@level+ = [0+]  16 [1+]  13 [2+]  10 [3+]   2 [4+]   2 [5+]   1
Hits/KSLOC@level+ = [0+] 3.27869 [1+] 2.66393 [2+] 2.04918 [3+] 0.409836 [4+] 0.409836 [5+] 0.204918
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.