Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/rgtk2-2.20.36/inst/include/RGtk2/pangoUserFuncs.h
Examining data/rgtk2-2.20.36/inst/include/RGtk2/atkUserFuncs.h
Examining data/rgtk2-2.20.36/inst/include/RGtk2/cairoUserFuncImports.c
Examining data/rgtk2-2.20.36/inst/include/RGtk2/gdkImports.c
Examining data/rgtk2-2.20.36/inst/include/RGtk2/gdkUserFuncImports.c
Examining data/rgtk2-2.20.36/inst/include/RGtk2/RSCommon.h
Examining data/rgtk2-2.20.36/inst/include/RGtk2/gioUserFuncImports.c
Examining data/rgtk2-2.20.36/inst/include/RGtk2/atk.h
Examining data/rgtk2-2.20.36/inst/include/RGtk2/pangoImports.c
Examining data/rgtk2-2.20.36/inst/include/RGtk2/gtkImports.c
Examining data/rgtk2-2.20.36/inst/include/RGtk2/cairoImports.c
Examining data/rgtk2-2.20.36/inst/include/RGtk2/gdkClasses.h
Examining data/rgtk2-2.20.36/inst/include/RGtk2/atkUserFuncImports.c
Examining data/rgtk2-2.20.36/inst/include/RGtk2/gtkClasses.h
Examining data/rgtk2-2.20.36/inst/include/RGtk2/pango.h
Examining data/rgtk2-2.20.36/inst/include/RGtk2/pangoClasses.h
Examining data/rgtk2-2.20.36/inst/include/RGtk2/gtkUserFuncImports.c
Examining data/rgtk2-2.20.36/inst/include/RGtk2/gtkClassImports.c
Examining data/rgtk2-2.20.36/inst/include/RGtk2/gioUserFuncs.h
Examining data/rgtk2-2.20.36/inst/include/RGtk2/gio.h
Examining data/rgtk2-2.20.36/inst/include/RGtk2/gobjectImports.c
Examining data/rgtk2-2.20.36/inst/include/RGtk2/gdk.h
Examining data/rgtk2-2.20.36/inst/include/RGtk2/gioClassImports.c
Examining data/rgtk2-2.20.36/inst/include/RGtk2/gdkUserFuncs.h
Examining data/rgtk2-2.20.36/inst/include/RGtk2/gtk.h
Examining data/rgtk2-2.20.36/inst/include/RGtk2/gioImports.c
Examining data/rgtk2-2.20.36/inst/include/RGtk2/gobject.h
Examining data/rgtk2-2.20.36/inst/include/RGtk2/atkClasses.h
Examining data/rgtk2-2.20.36/inst/include/RGtk2/pangoClassImports.c
Examining data/rgtk2-2.20.36/inst/include/RGtk2/atkClassImports.c
Examining data/rgtk2-2.20.36/inst/include/RGtk2/gioClasses.h
Examining data/rgtk2-2.20.36/inst/include/RGtk2/cairo-enums.h
Examining data/rgtk2-2.20.36/inst/include/RGtk2/cairo.h
Examining data/rgtk2-2.20.36/inst/include/RGtk2/cairoUserFuncs.h
Examining data/rgtk2-2.20.36/inst/include/RGtk2/atkImports.c
Examining data/rgtk2-2.20.36/inst/include/RGtk2/gdkClassImports.c
Examining data/rgtk2-2.20.36/inst/include/RGtk2/gtkUserFuncs.h
Examining data/rgtk2-2.20.36/inst/include/RGtk2/pangoUserFuncImports.c
Examining data/rgtk2-2.20.36/src/gdkAccessors.c
Examining data/rgtk2-2.20.36/src/gtkAccessors.c
Examining data/rgtk2-2.20.36/src/pangoFuncs.h
Examining data/rgtk2-2.20.36/src/pangoAccessors.c
Examining data/rgtk2-2.20.36/src/gioClasses.c
Examining data/rgtk2-2.20.36/src/gdkUserFuncs.c
Examining data/rgtk2-2.20.36/src/conversion.c
Examining data/rgtk2-2.20.36/src/cairoConversion.c
Examining data/rgtk2-2.20.36/src/gdkClasses.c
Examining data/rgtk2-2.20.36/src/RSCommon.h
Examining data/rgtk2-2.20.36/src/gdkFuncs.c
Examining data/rgtk2-2.20.36/src/utils.c
Examining data/rgtk2-2.20.36/src/pangoClasses.c
Examining data/rgtk2-2.20.36/src/RGtk2/pangoUserFuncs.h
Examining data/rgtk2-2.20.36/src/RGtk2/atkUserFuncs.h
Examining data/rgtk2-2.20.36/src/RGtk2/cairoUserFuncImports.c
Examining data/rgtk2-2.20.36/src/RGtk2/gdkImports.c
Examining data/rgtk2-2.20.36/src/RGtk2/gdkUserFuncImports.c
Examining data/rgtk2-2.20.36/src/RGtk2/RSCommon.h
Examining data/rgtk2-2.20.36/src/RGtk2/gioUserFuncImports.c
Examining data/rgtk2-2.20.36/src/RGtk2/atk.h
Examining data/rgtk2-2.20.36/src/RGtk2/pangoImports.c
Examining data/rgtk2-2.20.36/src/RGtk2/gtkImports.c
Examining data/rgtk2-2.20.36/src/RGtk2/cairoImports.c
Examining data/rgtk2-2.20.36/src/RGtk2/gdkClasses.h
Examining data/rgtk2-2.20.36/src/RGtk2/atkUserFuncImports.c
Examining data/rgtk2-2.20.36/src/RGtk2/gtkClasses.h
Examining data/rgtk2-2.20.36/src/RGtk2/pango.h
Examining data/rgtk2-2.20.36/src/RGtk2/pangoClasses.h
Examining data/rgtk2-2.20.36/src/RGtk2/gtkUserFuncImports.c
Examining data/rgtk2-2.20.36/src/RGtk2/gtkClassImports.c
Examining data/rgtk2-2.20.36/src/RGtk2/gioUserFuncs.h
Examining data/rgtk2-2.20.36/src/RGtk2/gio.h
Examining data/rgtk2-2.20.36/src/RGtk2/gobjectImports.c
Examining data/rgtk2-2.20.36/src/RGtk2/gdk.h
Examining data/rgtk2-2.20.36/src/RGtk2/gioClassImports.c
Examining data/rgtk2-2.20.36/src/RGtk2/gdkUserFuncs.h
Examining data/rgtk2-2.20.36/src/RGtk2/gtk.h
Examining data/rgtk2-2.20.36/src/RGtk2/gioImports.c
Examining data/rgtk2-2.20.36/src/RGtk2/gobject.h
Examining data/rgtk2-2.20.36/src/RGtk2/atkClasses.h
Examining data/rgtk2-2.20.36/src/RGtk2/pangoClassImports.c
Examining data/rgtk2-2.20.36/src/RGtk2/atkClassImports.c
Examining data/rgtk2-2.20.36/src/RGtk2/gioClasses.h
Examining data/rgtk2-2.20.36/src/RGtk2/cairo-enums.h
Examining data/rgtk2-2.20.36/src/RGtk2/cairo.h
Examining data/rgtk2-2.20.36/src/RGtk2/cairoUserFuncs.h
Examining data/rgtk2-2.20.36/src/RGtk2/atkImports.c
Examining data/rgtk2-2.20.36/src/RGtk2/gdkClassImports.c
Examining data/rgtk2-2.20.36/src/RGtk2/gtkUserFuncs.h
Examining data/rgtk2-2.20.36/src/RGtk2/pangoUserFuncImports.c
Examining data/rgtk2-2.20.36/src/atkUserFuncs.c
Examining data/rgtk2-2.20.36/src/gtkFuncs.c
Examining data/rgtk2-2.20.36/src/gioConversion.c
Examining data/rgtk2-2.20.36/src/eventLoop.c
Examining data/rgtk2-2.20.36/src/gdkManuals.c
Examining data/rgtk2-2.20.36/src/gtkFuncs.h
Examining data/rgtk2-2.20.36/src/atkFuncs.c
Examining data/rgtk2-2.20.36/src/cairoManuals.c
Examining data/rgtk2-2.20.36/src/cairo-enums.c
Examining data/rgtk2-2.20.36/src/classes.c
Examining data/rgtk2-2.20.36/src/atkManuals.c
Examining data/rgtk2-2.20.36/src/gobject.c
Examining data/rgtk2-2.20.36/src/pangoConversion.c
Examining data/rgtk2-2.20.36/src/pangoUserFuncs.c
Examining data/rgtk2-2.20.36/src/atkConversion.c
Examining data/rgtk2-2.20.36/src/atkClasses.c
Examining data/rgtk2-2.20.36/src/gtkUserFuncs.c
Examining data/rgtk2-2.20.36/src/cairoFuncs.h
Examining data/rgtk2-2.20.36/src/gdkConversion.c
Examining data/rgtk2-2.20.36/src/cairoFuncs.c
Examining data/rgtk2-2.20.36/src/atkAccessors.c
Examining data/rgtk2-2.20.36/src/gioUserFuncs.c
Examining data/rgtk2-2.20.36/src/Reventloop.h
Examining data/rgtk2-2.20.36/src/gtkConversion.c
Examining data/rgtk2-2.20.36/src/atkFuncs.h
Examining data/rgtk2-2.20.36/src/pangoFuncs.c
Examining data/rgtk2-2.20.36/src/gdkFuncs.h
Examining data/rgtk2-2.20.36/src/gtkClasses.c
Examining data/rgtk2-2.20.36/src/gioFuncs.c
Examining data/rgtk2-2.20.36/src/gioAccessors.c
Examining data/rgtk2-2.20.36/src/connections.c
Examining data/rgtk2-2.20.36/src/cairoUserFuncs.c
Examining data/rgtk2-2.20.36/src/zcompat.c
Examining data/rgtk2-2.20.36/src/cairo-enums.h
Examining data/rgtk2-2.20.36/src/Rgtk.c
Examining data/rgtk2-2.20.36/src/RGtkDataFrame.h
Examining data/rgtk2-2.20.36/src/pangoManuals.c
Examining data/rgtk2-2.20.36/src/RGtkDataFrame.c
Examining data/rgtk2-2.20.36/src/gioManuals.c
Examining data/rgtk2-2.20.36/src/cairoAccessors.c
Examining data/rgtk2-2.20.36/src/exports/cairoExports.c
Examining data/rgtk2-2.20.36/src/exports/gtkExports.c
Examining data/rgtk2-2.20.36/src/exports/gtkClassExports.c
Examining data/rgtk2-2.20.36/src/exports/atkClassExports.c
Examining data/rgtk2-2.20.36/src/exports/gobjectExports.c
Examining data/rgtk2-2.20.36/src/exports/cairoUserFuncExports.c
Examining data/rgtk2-2.20.36/src/exports/gtkUserFuncExports.c
Examining data/rgtk2-2.20.36/src/exports/atkUserFuncExports.c
Examining data/rgtk2-2.20.36/src/exports/gioClassExports.c
Examining data/rgtk2-2.20.36/src/exports/pangoExports.c
Examining data/rgtk2-2.20.36/src/exports/gdkUserFuncExports.c
Examining data/rgtk2-2.20.36/src/exports/gioUserFuncExports.c
Examining data/rgtk2-2.20.36/src/exports/pangoUserFuncExports.c
Examining data/rgtk2-2.20.36/src/exports/gdkExports.c
Examining data/rgtk2-2.20.36/src/exports/gdkClassExports.c
Examining data/rgtk2-2.20.36/src/exports/gioExports.c
Examining data/rgtk2-2.20.36/src/exports/pangoClassExports.c
Examining data/rgtk2-2.20.36/src/exports/atkExports.c
Examining data/rgtk2-2.20.36/src/gtkManuals.c
Examining data/rgtk2-2.20.36/src/glib.c
Examining data/rgtk2-2.20.36/src/gioFuncs.h
FINAL RESULTS:
data/rgtk2-2.20.36/inst/include/RGtk2/RSCommon.h:149:19: [4] (format) sprintf:
Potential format string problem (CWE-134). Make format string constant.
#define PROBLEM sprintf(error_buf,
data/rgtk2-2.20.36/src/RGtk2/RSCommon.h:149:19: [4] (format) sprintf:
Potential format string problem (CWE-134). Make format string constant.
#define PROBLEM sprintf(error_buf,
data/rgtk2-2.20.36/src/RSCommon.h:149:19: [4] (format) sprintf:
Potential format string problem (CWE-134). Make format string constant.
#define PROBLEM sprintf(error_buf,
data/rgtk2-2.20.36/src/RGtkDataFrame.c:198:23: [3] (random) g_random_int:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
data_frame->stamp = g_random_int ();
data/rgtk2-2.20.36/inst/include/RGtk2/gobject.h:257:9: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(ptr, array+i, sizeof(typeof(array[i]))); \
data/rgtk2-2.20.36/src/RGtk2/gobject.h:257:9: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(ptr, array+i, sizeof(typeof(array[i]))); \
data/rgtk2-2.20.36/src/conversion.c:290:28: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
if (!fvalue && atoi(fname) <= fclass->mask) {
data/rgtk2-2.20.36/src/conversion.c:291:26: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
flags |= atoi(fname);
data/rgtk2-2.20.36/src/gobject.c:1439:11: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char tmp[2] = "a";
data/rgtk2-2.20.36/src/gobject.c:1450:11: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char tmp[2] = "a";
data/rgtk2-2.20.36/src/gtkManuals.c:1226:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(ans, RAW(s_ans), *s_length);
data/rgtk2-2.20.36/src/Rgtk.c:99:8: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
if (!read(ifd, buf, 16))
data/rgtk2-2.20.36/src/atkManuals.c:14:17: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
gint length = strlen(string);
data/rgtk2-2.20.36/src/gioClasses.c:5880:23: [1] (buffer) equal:
Function does not check the second iterator for over-read conditions
(CWE-126). This function is often discouraged by most C++ coding standards
in favor of its safer alternatives provided since C++14. Consider using a
form of this function that checks the second iterator before potentially
overflowing it.
ans = object_class->equal(object, appinfo2);
data/rgtk2-2.20.36/src/gioClasses.c:10735:23: [1] (buffer) equal:
Function does not check the second iterator for over-read conditions
(CWE-126). This function is often discouraged by most C++ coding standards
in favor of its safer alternatives provided since C++14. Consider using a
form of this function that checks the second iterator before potentially
overflowing it.
ans = object_class->equal(object, file2);
data/rgtk2-2.20.36/src/gioClasses.c:12901:23: [1] (buffer) equal:
Function does not check the second iterator for over-read conditions
(CWE-126). This function is often discouraged by most C++ coding standards
in favor of its safer alternatives provided since C++14. Consider using a
form of this function that checks the second iterator before potentially
overflowing it.
ans = object_class->equal(object, icon2);
data/rgtk2-2.20.36/src/gtkManuals.c:948:26: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
gint new_text_length = strlen(new_text);
data/rgtk2-2.20.36/src/pangoManuals.c:8:23: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
int length = strlen(text);
data/rgtk2-2.20.36/src/pangoManuals.c:52:19: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
length = strlen(text);
ANALYSIS SUMMARY:
Hits = 19
Lines analyzed = 200988 in approximately 3.68 seconds (54679 lines/second)
Physical Source Lines of Code (SLOC) = 142734
Hits@level = [0] 0 [1] 8 [2] 7 [3] 1 [4] 3 [5] 0
Hits@level+ = [0+] 19 [1+] 19 [2+] 11 [3+] 4 [4+] 3 [5+] 0
Hits/KSLOC@level+ = [0+] 0.133115 [1+] 0.133115 [2+] 0.0770664 [3+] 0.0280242 [4+] 0.0210181 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.