stdin

Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/obconf-2.0.4+git20150213/src/mouse.h
Examining data/obconf-2.0.4+git20150213/src/main.h
Examining data/obconf-2.0.4+git20150213/src/theme.h
Examining data/obconf-2.0.4+git20150213/src/windows.h
Examining data/obconf-2.0.4+git20150213/src/dock.c
Examining data/obconf-2.0.4+git20150213/src/main.c
Examining data/obconf-2.0.4+git20150213/src/moveresize.c
Examining data/obconf-2.0.4+git20150213/src/strings.c
Examining data/obconf-2.0.4+git20150213/src/margins.h
Examining data/obconf-2.0.4+git20150213/src/mouse.c
Examining data/obconf-2.0.4+git20150213/src/preview_update.h
Examining data/obconf-2.0.4+git20150213/src/preview.h
Examining data/obconf-2.0.4+git20150213/src/theme.c
Examining data/obconf-2.0.4+git20150213/src/about.c
Examining data/obconf-2.0.4+git20150213/src/gettext.h
Examining data/obconf-2.0.4+git20150213/src/windows.c
Examining data/obconf-2.0.4+git20150213/src/desktops.c
Examining data/obconf-2.0.4+git20150213/src/dock.h
Examining data/obconf-2.0.4+git20150213/src/appearance.h
Examining data/obconf-2.0.4+git20150213/src/archive.h
Examining data/obconf-2.0.4+git20150213/src/margins.c
Examining data/obconf-2.0.4+git20150213/src/preview.c
Examining data/obconf-2.0.4+git20150213/src/tree.h
Examining data/obconf-2.0.4+git20150213/src/appearance.c
Examining data/obconf-2.0.4+git20150213/src/preview_update.c
Examining data/obconf-2.0.4+git20150213/src/moveresize.h
Examining data/obconf-2.0.4+git20150213/src/desktops.h
Examining data/obconf-2.0.4+git20150213/src/archive.c
Examining data/obconf-2.0.4+git20150213/src/tree.c

FINAL RESULTS:

data/obconf-2.0.4+git20150213/src/archive.c:122:43:  [3] (buffer) g_get_home_dir:
  This function is synonymous with 'getenv("HOME")';it returns untrustable
  input if the environment can beset by an attacker. It can have any content
  and length, and the same variable can be set more than once (CWE-807,
  CWE-20). Check environment variables carefully before using them.
    dir = g_build_path(G_DIR_SEPARATOR_S, g_get_home_dir(), ".themes", NULL);
data/obconf-2.0.4+git20150213/src/theme.c:190:26:  [3] (buffer) g_get_home_dir:
  This function is synonymous with 'getenv("HOME")';it returns untrustable
  input if the environment can beset by an attacker. It can have any content
  and length, and the same variable can be set more than once (CWE-807,
  CWE-20). Check environment variables carefully before using them.
    p = g_build_filename(g_get_home_dir(), ".themes", NULL);
data/obconf-2.0.4+git20150213/src/appearance.c:267:37:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
    font = RrFontOpen(rrinst, name, atoi(size), rr_weight, rr_slant);
data/obconf-2.0.4+git20150213/src/appearance.c:294:42:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
        if (!bold && !italic && !size && atoi(c+1))
data/obconf-2.0.4+git20150213/src/appearance.c:327:37:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
    return RrFontOpen(rrinst, font, atoi(size), weight, slant);
data/obconf-2.0.4+git20150213/src/main.c:135:27:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
                obc_tab = atoi(argv[++i]) - 1;
data/obconf-2.0.4+git20150213/src/moveresize.c:109:55:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
    gtk_spin_button_set_value(GTK_SPIN_BUTTON(w), MAX(atoi(s), 0));
data/obconf-2.0.4+git20150213/src/moveresize.c:121:55:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
    gtk_spin_button_set_value(GTK_SPIN_BUTTON(w), MAX(atoi(s), 0));
data/obconf-2.0.4+git20150213/src/preview.c:526:23:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    gint numbuttons = strlen(titlelayout);

ANALYSIS SUMMARY:

Hits = 9
Lines analyzed = 4148 in approximately 0.14 seconds (30230 lines/second)
Physical Source Lines of Code (SLOC) = 2940
Hits@level = [0]   0 [1]   1 [2]   6 [3]   2 [4]   0 [5]   0
Hits@level+ = [0+]   9 [1+]   9 [2+]   8 [3+]   2 [4+]   0 [5+]   0
Hits/KSLOC@level+ = [0+] 3.06122 [1+] 3.06122 [2+] 2.72109 [3+] 0.680272 [4+]   0 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.