Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/pragha-1.3.4/plugins/acoustid/pragha-acoustid-plugin.c
Examining data/pragha-1.3.4/plugins/cdrom/pragha-cdrom-plugin.c
Examining data/pragha-1.3.4/plugins/cdrom/pragha-cdrom-plugin.h
Examining data/pragha-1.3.4/plugins/devices/pragha-device-client.c
Examining data/pragha-1.3.4/plugins/devices/pragha-device-client.h
Examining data/pragha-1.3.4/plugins/devices/pragha-devices-plugin.c
Examining data/pragha-1.3.4/plugins/devices/pragha-devices-plugin.h
Examining data/pragha-1.3.4/plugins/dlna-renderer/pragha-dlna-renderer-plugin.c
Examining data/pragha-1.3.4/plugins/dlna-renderer/pragha-dlna-renderer-plugin.h
Examining data/pragha-1.3.4/plugins/dlna/pragha-dlna-plugin.c
Examining data/pragha-1.3.4/plugins/dlna/pragha-dlna-plugin.h
Examining data/pragha-1.3.4/plugins/gnome-media-keys/pragha-gnome-media-keys-plugin.c
Examining data/pragha-1.3.4/plugins/gnome-media-keys/pragha-gnome-media-keys-plugin.h
Examining data/pragha-1.3.4/plugins/keybinder/pragha-keybinder-plugin.c
Examining data/pragha-1.3.4/plugins/keybinder/pragha-keybinder-plugin.h
Examining data/pragha-1.3.4/plugins/lastfm/pragha-lastfm-plugin.c
Examining data/pragha-1.3.4/plugins/mpris2/pragha-mpris2-plugin.c
Examining data/pragha-1.3.4/plugins/mpris2/pragha-mpris2-plugin.h
Examining data/pragha-1.3.4/plugins/mtp/pragha-devices-mtp.c
Examining data/pragha-1.3.4/plugins/mtp/pragha-mtp-musicobject.c
Examining data/pragha-1.3.4/plugins/mtp/pragha-mtp-musicobject.h
Examining data/pragha-1.3.4/plugins/notify/pragha-notify-plugin.c
Examining data/pragha-1.3.4/plugins/pragha-plugin-macros.h
Examining data/pragha-1.3.4/plugins/removable-media/pragha-devices-removable.c
Examining data/pragha-1.3.4/plugins/song-info/pragha-song-info-dialog.c
Examining data/pragha-1.3.4/plugins/song-info/pragha-song-info-dialog.h
Examining data/pragha-1.3.4/plugins/song-info/pragha-song-info-pane.c
Examining data/pragha-1.3.4/plugins/song-info/pragha-song-info-pane.h
Examining data/pragha-1.3.4/plugins/song-info/pragha-song-info-plugin.c
Examining data/pragha-1.3.4/plugins/song-info/pragha-song-info-plugin.h
Examining data/pragha-1.3.4/plugins/song-info/pragha-song-info-thread-albumart.c
Examining data/pragha-1.3.4/plugins/song-info/pragha-song-info-thread-albumart.h
Examining data/pragha-1.3.4/plugins/song-info/pragha-song-info-thread-dialog.c
Examining data/pragha-1.3.4/plugins/song-info/pragha-song-info-thread-dialog.h
Examining data/pragha-1.3.4/plugins/song-info/pragha-song-info-thread-pane.c
Examining data/pragha-1.3.4/plugins/song-info/pragha-song-info-thread-pane.h
Examining data/pragha-1.3.4/plugins/tunein/pragha-tunein-plugin.c
Examining data/pragha-1.3.4/src/gtkcellrendererbubble.c
Examining data/pragha-1.3.4/src/gtkcellrendererbubble.h
Examining data/pragha-1.3.4/src/info-bar-import-music.c
Examining data/pragha-1.3.4/src/pragha-album-art.c
Examining data/pragha-1.3.4/src/pragha-album-art.h
Examining data/pragha-1.3.4/src/pragha-art-cache.c
Examining data/pragha-1.3.4/src/pragha-art-cache.h
Examining data/pragha-1.3.4/src/pragha-backend.c
Examining data/pragha-1.3.4/src/pragha-backend.h
Examining data/pragha-1.3.4/src/pragha-cmdline.c
Examining data/pragha-1.3.4/src/pragha-database.c
Examining data/pragha-1.3.4/src/pragha-database.h
Examining data/pragha-1.3.4/src/pragha-debug.c
Examining data/pragha-1.3.4/src/pragha-debug.h
Examining data/pragha-1.3.4/src/pragha-dnd.c
Examining data/pragha-1.3.4/src/pragha-dnd.h
Examining data/pragha-1.3.4/src/pragha-equalizer-dialog.c
Examining data/pragha-1.3.4/src/pragha-equalizer-dialog.h
Examining data/pragha-1.3.4/src/pragha-file-utils.c
Examining data/pragha-1.3.4/src/pragha-file-utils.h
Examining data/pragha-1.3.4/src/pragha-filter-dialog.c
Examining data/pragha-1.3.4/src/pragha-filter-dialog.h
Examining data/pragha-1.3.4/src/pragha-hig.c
Examining data/pragha-1.3.4/src/pragha-hig.h
Examining data/pragha-1.3.4/src/pragha-library-pane.c
Examining data/pragha-1.3.4/src/pragha-library-pane.h
Examining data/pragha-1.3.4/src/pragha-menubar.c
Examining data/pragha-1.3.4/src/pragha-menubar.h
Examining data/pragha-1.3.4/src/pragha-music-enum.c
Examining data/pragha-1.3.4/src/pragha-music-enum.h
Examining data/pragha-1.3.4/src/pragha-musicobject-mgmt.c
Examining data/pragha-1.3.4/src/pragha-musicobject-mgmt.h
Examining data/pragha-1.3.4/src/pragha-musicobject.c
Examining data/pragha-1.3.4/src/pragha-musicobject.h
Examining data/pragha-1.3.4/src/pragha-playback.c
Examining data/pragha-1.3.4/src/pragha-playback.h
Examining data/pragha-1.3.4/src/pragha-playlist.c
Examining data/pragha-1.3.4/src/pragha-playlist.h
Examining data/pragha-1.3.4/src/pragha-playlists-mgmt.c
Examining data/pragha-1.3.4/src/pragha-playlists-mgmt.h
Examining data/pragha-1.3.4/src/pragha-plugins-engine.c
Examining data/pragha-1.3.4/src/pragha-plugins-engine.h
Examining data/pragha-1.3.4/src/pragha-preferences-dialog.c
Examining data/pragha-1.3.4/src/pragha-preferences-dialog.h
Examining data/pragha-1.3.4/src/pragha-preferences.c
Examining data/pragha-1.3.4/src/pragha-preferences.h
Examining data/pragha-1.3.4/src/pragha-prepared-statement-private.h
Examining data/pragha-1.3.4/src/pragha-prepared-statement.c
Examining data/pragha-1.3.4/src/pragha-prepared-statement.h
Examining data/pragha-1.3.4/src/pragha-scanner.c
Examining data/pragha-1.3.4/src/pragha-scanner.h
Examining data/pragha-1.3.4/src/pragha-search-entry.c
Examining data/pragha-1.3.4/src/pragha-search-entry.h
Examining data/pragha-1.3.4/src/pragha-session.c
Examining data/pragha-1.3.4/src/pragha-session.h
Examining data/pragha-1.3.4/src/pragha-sidebar.c
Examining data/pragha-1.3.4/src/pragha-sidebar.h
Examining data/pragha-1.3.4/src/pragha-simple-async.c
Examining data/pragha-1.3.4/src/pragha-simple-async.h
Examining data/pragha-1.3.4/src/pragha-simple-widgets.c
Examining data/pragha-1.3.4/src/pragha-simple-widgets.h
Examining data/pragha-1.3.4/src/pragha-statusbar.c
Examining data/pragha-1.3.4/src/pragha-statusbar.h
Examining data/pragha-1.3.4/src/pragha-statusicon.c
Examining data/pragha-1.3.4/src/pragha-statusicon.h
Examining data/pragha-1.3.4/src/pragha-tagger.c
Examining data/pragha-1.3.4/src/pragha-tagger.h
Examining data/pragha-1.3.4/src/pragha-tags-dialog.c
Examining data/pragha-1.3.4/src/pragha-tags-dialog.h
Examining data/pragha-1.3.4/src/pragha-tags-mgmt.c
Examining data/pragha-1.3.4/src/pragha-tags-mgmt.h
Examining data/pragha-1.3.4/src/pragha-toolbar.c
Examining data/pragha-1.3.4/src/pragha-toolbar.h
Examining data/pragha-1.3.4/src/pragha-utils.c
Examining data/pragha-1.3.4/src/pragha-utils.h
Examining data/pragha-1.3.4/src/pragha-window.c
Examining data/pragha-1.3.4/src/pragha-window.h
Examining data/pragha-1.3.4/src/pragha.c
Examining data/pragha-1.3.4/src/pragha.h
Examining data/pragha-1.3.4/src/xml_helper.c
Examining data/pragha-1.3.4/src/xml_helper.h
Examining data/pragha-1.3.4/win32/win32dep.c
Examining data/pragha-1.3.4/win32/win32dep.h

FINAL RESULTS:

data/pragha-1.3.4/src/pragha-utils.c:456:3:  [4] (shell) ShellExecute:
  This causes a new program to execute and is difficult to use safely
  (CWE-78). try using a library call that implements the same functionality
  if available.
		ShellExecute (0, "explore", url, NULL, NULL, SW_SHOWNORMAL);
data/pragha-1.3.4/src/pragha-utils.c:458:3:  [4] (shell) ShellExecute:
  This causes a new program to execute and is difficult to use safely
  (CWE-78). try using a library call that implements the same functionality
  if available.
		ShellExecute (0, "open", url, NULL, NULL, SW_SHOWNORMAL);
data/pragha-1.3.4/src/xml_helper.c:40:4:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf.
			sprintf (cptr, "%s%s", HTML_ESCAPE[i+1], cptr+strlen(HTML_ESCAPE[i]));
data/pragha-1.3.4/src/pragha-playlist.c:951:9:  [3] (random) g_rand_int_range:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
		rnd = g_rand_int_range (playlist->rand,
data/pragha-1.3.4/src/pragha-playlist.c:977:9:  [3] (random) g_rand_int_range:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
		rnd = g_rand_int_range (playlist->rand,
data/pragha-1.3.4/src/pragha-playlist.c:1008:9:  [3] (random) g_rand_int_range:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
		rnd = g_rand_int_range (playlist->rand,
data/pragha-1.3.4/src/pragha-preferences.c:2637:23:  [3] (buffer) g_get_home_dir:
  This function is synonymous with 'getenv("HOME")'; it returns untrustable
  input if the environment can be set by an attacker. It can have any content
  and length, and the same variable can be set more than once (CWE-807,
  CWE-20). Check environment variables carefully before using them.
		                    g_get_home_dir(),
data/pragha-1.3.4/plugins/mtp/pragha-mtp-musicobject.c:155:9:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
	return atoi(track_id);
data/pragha-1.3.4/src/pragha-debug.c:31:18:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
	FILE* logfile = fopen ((const char*)user_data, "a");
data/pragha-1.3.4/src/pragha-dnd.c:59:18:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
			location_id = atoi(uri + strlen("Location:/"));
data/pragha-1.3.4/src/pragha-library-pane.c:511:62:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
					node_data = g_strconcat ((string_is_not_empty(year) && (atoi(year) > 0)) ? year : _("Unknown"),
data/pragha-1.3.4/src/pragha-library-pane.c:2423:41:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
					pragha_musicobject_set_year(omobj, atoi (split_album[0]));
data/pragha-1.3.4/src/pragha-menubar.c:950:76:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
	gchar *title              = pragha_database_get_playlist_by_order(cdbase, atoi(name + strlen("playlist")));
data/pragha-1.3.4/src/pragha-menubar.c:991:76:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
	gchar *title              = pragha_database_get_playlist_by_order(cdbase, atoi(name + strlen("selection")));
data/pragha-1.3.4/src/xml_helper.c:151:4:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
			memcpy(buffer,c,n-c-1);
data/pragha-1.3.4/plugins/mpris2/pragha-mpris2-plugin.c:184:21:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
		sscanf(track_id + strlen(base), "%p", &mobj_request);
data/pragha-1.3.4/plugins/mtp/pragha-mtp-musicobject.c:153:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	track_id = file + strlen ("mtp://");
data/pragha-1.3.4/plugins/mtp/pragha-mtp-musicobject.c:164:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	track_id = file + strlen ("mtp://");
data/pragha-1.3.4/src/pragha-dnd.c:59:29:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
			location_id = atoi(uri + strlen("Location:/"));
data/pragha-1.3.4/src/pragha-dnd.c:65:17:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
			name = uri + strlen("Playlist:/");
data/pragha-1.3.4/src/pragha-dnd.c:69:17:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
			name = uri + strlen("Radio:/");
data/pragha-1.3.4/src/pragha-library-pane.c:1776:68:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
			filepath = pragha_prepared_statement_get_string(statement, 0) + strlen(list->data) + 1;
data/pragha-1.3.4/src/pragha-menubar.c:950:88:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	gchar *title              = pragha_database_get_playlist_by_order(cdbase, atoi(name + strlen("playlist")));
data/pragha-1.3.4/src/pragha-menubar.c:991:88:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	gchar *title              = pragha_database_get_playlist_by_order(cdbase, atoi(name + strlen("selection")));
data/pragha-1.3.4/src/pragha-menubar.c:1199:65:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
				g_action_map_remove_action (G_ACTION_MAP (window), action + strlen ("win."));
data/pragha-1.3.4/src/pragha-menubar.c:1241:28:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
			if (g_strcmp0 (action + strlen ("win."), action_name) == 0) {
data/pragha-1.3.4/src/pragha-playlist.c:3210:48:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
			mobj = new_musicobject_from_location(file + strlen("Radio:/"), file + strlen("Radio:/"));
data/pragha-1.3.4/src/pragha-playlist.c:3210:74:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
			mobj = new_musicobject_from_location(file + strlen("Radio:/"), file + strlen("Radio:/"));
data/pragha-1.3.4/src/xml_helper.c:40:50:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
			sprintf (cptr, "%s%s", HTML_ESCAPE[i+1], cptr+strlen(HTML_ESCAPE[i]));

ANALYSIS SUMMARY:

Hits = 29
Lines analyzed = 43394 in approximately 0.87 seconds (50151 lines/second)
Physical Source Lines of Code (SLOC) = 30857
Hits@level = [0]   3 [1]  14 [2]   8 [3]   4 [4]   3 [5]   0
Hits@level+ = [0+]  32 [1+]  29 [2+]  15 [3+]   7 [4+]   3 [5+]   0
Hits/KSLOC@level+ = [0+] 1.03704 [1+] 0.939819 [2+] 0.486113 [3+] 0.226853 [4+] 0.0972227 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.