Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/xfce4-settings-4.15.2/common/edid.h
Examining data/xfce4-settings-4.15.2/common/xfce-randr.h
Examining data/xfce4-settings-4.15.2/common/display-name.c
Examining data/xfce4-settings-4.15.2/common/xfce-randr.c
Examining data/xfce4-settings-4.15.2/common/display-profiles.c
Examining data/xfce4-settings-4.15.2/common/edid-parse.c
Examining data/xfce4-settings-4.15.2/common/display-profiles.h
Examining data/xfce4-settings-4.15.2/xfce4-settings-editor/xfce-settings-prop-dialog.c
Examining data/xfce4-settings-4.15.2/xfce4-settings-editor/xfce-settings-cell-renderer.h
Examining data/xfce4-settings-4.15.2/xfce4-settings-editor/xfce-settings-marshal.c
Examining data/xfce4-settings-4.15.2/xfce4-settings-editor/xfce-settings-prop-dialog.h
Examining data/xfce4-settings-4.15.2/xfce4-settings-editor/xfce-settings-marshal.h
Examining data/xfce4-settings-4.15.2/xfce4-settings-editor/xfce-settings-editor-box.h
Examining data/xfce4-settings-4.15.2/xfce4-settings-editor/main.c
Examining data/xfce4-settings-4.15.2/xfce4-settings-editor/xfce-settings-editor-box.c
Examining data/xfce4-settings-4.15.2/xfce4-settings-editor/xfce-settings-cell-renderer.c
Examining data/xfce4-settings-4.15.2/xfsettingsd/gtk-decorations.c
Examining data/xfce4-settings-4.15.2/xfsettingsd/keyboard-shortcuts.h
Examining data/xfce4-settings-4.15.2/xfsettingsd/pointers-defines.h
Examining data/xfce4-settings-4.15.2/xfsettingsd/clipboard-manager.c
Examining data/xfce4-settings-4.15.2/xfsettingsd/displays.c
Examining data/xfce4-settings-4.15.2/xfsettingsd/accessibility.c
Examining data/xfce4-settings-4.15.2/xfsettingsd/displays.h
Examining data/xfce4-settings-4.15.2/xfsettingsd/keyboards.c
Examining data/xfce4-settings-4.15.2/xfsettingsd/gtk-decorations.h
Examining data/xfce4-settings-4.15.2/xfsettingsd/keyboard-shortcuts.c
Examining data/xfce4-settings-4.15.2/xfsettingsd/keyboards.h
Examining data/xfce4-settings-4.15.2/xfsettingsd/workspaces.h
Examining data/xfce4-settings-4.15.2/xfsettingsd/pointers.h
Examining data/xfce4-settings-4.15.2/xfsettingsd/debug.h
Examining data/xfce4-settings-4.15.2/xfsettingsd/accessibility.h
Examining data/xfce4-settings-4.15.2/xfsettingsd/xsettings.h
Examining data/xfce4-settings-4.15.2/xfsettingsd/displays-upower.h
Examining data/xfce4-settings-4.15.2/xfsettingsd/displays-upower.c
Examining data/xfce4-settings-4.15.2/xfsettingsd/keyboard-layout.h
Examining data/xfce4-settings-4.15.2/xfsettingsd/keyboard-layout.c
Examining data/xfce4-settings-4.15.2/xfsettingsd/pointers.c
Examining data/xfce4-settings-4.15.2/xfsettingsd/clipboard-manager.h
Examining data/xfce4-settings-4.15.2/xfsettingsd/debug.c
Examining data/xfce4-settings-4.15.2/xfsettingsd/xsettings.c
Examining data/xfce4-settings-4.15.2/xfsettingsd/main.c
Examining data/xfce4-settings-4.15.2/xfsettingsd/workspaces.c
Examining data/xfce4-settings-4.15.2/xfce4-settings-manager/xfce-settings-manager-dialog.c
Examining data/xfce4-settings-4.15.2/xfce4-settings-manager/main.c
Examining data/xfce4-settings-4.15.2/xfce4-settings-manager/xfce-settings-manager-dialog.h
Examining data/xfce4-settings-4.15.2/dialogs/mime-settings/xfce-mime-helper-chooser.c
Examining data/xfce4-settings-4.15.2/dialogs/mime-settings/xfce-mime-helper-launcher-dialog.c
Examining data/xfce4-settings-4.15.2/dialogs/mime-settings/xfce-mime-window.c
Examining data/xfce4-settings-4.15.2/dialogs/mime-settings/xfce-mime-chooser.c
Examining data/xfce4-settings-4.15.2/dialogs/mime-settings/xfce-mime-helper-main.c
Examining data/xfce4-settings-4.15.2/dialogs/mime-settings/xfce-mime-helper-utils.c
Examining data/xfce4-settings-4.15.2/dialogs/mime-settings/xfce-mime-helper-launcher-dialog.h
Examining data/xfce4-settings-4.15.2/dialogs/mime-settings/xfce-mime-chooser.h
Examining data/xfce4-settings-4.15.2/dialogs/mime-settings/xfce-mime-helper-enum-types.c
Examining data/xfce4-settings-4.15.2/dialogs/mime-settings/xfce-mime-helper-enum-types.h
Examining data/xfce4-settings-4.15.2/dialogs/mime-settings/xfce-mime-helper-utils.h
Examining data/xfce4-settings-4.15.2/dialogs/mime-settings/xfce-mime-helper-chooser.h
Examining data/xfce4-settings-4.15.2/dialogs/mime-settings/xfce-mime-helper.c
Examining data/xfce4-settings-4.15.2/dialogs/mime-settings/xfce-mime-window.h
Examining data/xfce4-settings-4.15.2/dialogs/mime-settings/xfce-mime-helper.h
Examining data/xfce4-settings-4.15.2/dialogs/mime-settings/main.c
Examining data/xfce4-settings-4.15.2/dialogs/accessibility-settings/find-cursor.c
Examining data/xfce4-settings-4.15.2/dialogs/accessibility-settings/accessibility-dialog_ui.h
Examining data/xfce4-settings-4.15.2/dialogs/accessibility-settings/main.c
Examining data/xfce4-settings-4.15.2/dialogs/mouse-settings/mouse-dialog_ui.h
Examining data/xfce4-settings-4.15.2/dialogs/mouse-settings/main.c
Examining data/xfce4-settings-4.15.2/dialogs/appearance-settings/images.h
Examining data/xfce4-settings-4.15.2/dialogs/appearance-settings/appearance-dialog_ui.h
Examining data/xfce4-settings-4.15.2/dialogs/appearance-settings/main.c
Examining data/xfce4-settings-4.15.2/dialogs/display-settings/confirmation-dialog_ui.h
Examining data/xfce4-settings-4.15.2/dialogs/display-settings/display-dialog_ui.h
Examining data/xfce4-settings-4.15.2/dialogs/display-settings/minimal-display-dialog_ui.h
Examining data/xfce4-settings-4.15.2/dialogs/display-settings/foo-marshal.c
Examining data/xfce4-settings-4.15.2/dialogs/display-settings/identity-popup_ui.h
Examining data/xfce4-settings-4.15.2/dialogs/display-settings/scrollarea.c
Examining data/xfce4-settings-4.15.2/dialogs/display-settings/foo-marshal.h
Examining data/xfce4-settings-4.15.2/dialogs/display-settings/scrollarea.h
Examining data/xfce4-settings-4.15.2/dialogs/display-settings/main.c
Examining data/xfce4-settings-4.15.2/dialogs/display-settings/profile-changed-dialog_ui.h
Examining data/xfce4-settings-4.15.2/dialogs/keyboard-settings/xfce-keyboard-settings.c
Examining data/xfce4-settings-4.15.2/dialogs/keyboard-settings/keyboard-dialog_ui.h
Examining data/xfce4-settings-4.15.2/dialogs/keyboard-settings/command-dialog.h
Examining data/xfce4-settings-4.15.2/dialogs/keyboard-settings/command-dialog.c
Examining data/xfce4-settings-4.15.2/dialogs/keyboard-settings/xfce-keyboard-settings.h
Examining data/xfce4-settings-4.15.2/dialogs/keyboard-settings/main.c
Examining data/xfce4-settings-4.15.2/dialogs/color-settings/color-dialog_ui.h
Examining data/xfce4-settings-4.15.2/dialogs/color-settings/color-device.c
Examining data/xfce4-settings-4.15.2/dialogs/color-settings/color-device.h
Examining data/xfce4-settings-4.15.2/dialogs/color-settings/color-profile.h
Examining data/xfce4-settings-4.15.2/dialogs/color-settings/color-profile.c
Examining data/xfce4-settings-4.15.2/dialogs/color-settings/main.c
FINAL RESULTS:
data/xfce4-settings-4.15.2/dialogs/color-settings/main.c:133:68: [3] (buffer) g_get_home_dir:
This function is synonymous with 'getenv("HOME")';it returns untrustable
input if the environment can beset by an attacker. It can have any content
and length, and the same variable can be set more than once (CWE-807,
CWE-20). Check environment variables carefully before using them.
gtk_file_chooser_set_current_folder (GTK_FILE_CHOOSER(dialog), g_get_home_dir ());
data/xfce4-settings-4.15.2/dialogs/mouse-settings/main.c:474:47: [3] (buffer) g_get_home_dir:
This function is synonymous with 'getenv("HOME")';it returns untrustable
input if the environment can beset by an attacker. It can have any content
and length, and the same variable can be set more than once (CWE-807,
CWE-20). Check environment variables carefully before using them.
path = homedir = g_strconcat (g_get_home_dir (), basedirs[i] + 1, NULL);
data/xfce4-settings-4.15.2/common/display-name.c:43:11: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
const char vendor_id[4];
data/xfce4-settings-4.15.2/common/display-name.c:44:11: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
const char vendor_name[78];
data/xfce4-settings-4.15.2/common/edid.h:114:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char manufacturer_code[4];
data/xfce4-settings-4.15.2/common/edid.h:190:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char dsc_serial_number[14];
data/xfce4-settings-4.15.2/common/edid.h:191:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char dsc_product_name[14];
data/xfce4-settings-4.15.2/common/edid.h:192:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char dsc_string[14]; /* Unspecified ASCII data */
data/xfce4-settings-4.15.2/dialogs/mouse-settings/main.c:196:9: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy (buffer, image->pixels, bsize);
data/xfce4-settings-4.15.2/xfsettingsd/clipboard-manager.c:394:25: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy (tdata->data + tdata->length, data, length + 1);
data/xfce4-settings-4.15.2/xfsettingsd/xsettings.c:800:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy (needle, name + 1 /* +1 for the xfconf slash */, name_len);
data/xfce4-settings-4.15.2/xfsettingsd/xsettings.c:828:17: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy (needle, str, value_len);
data/xfce4-settings-4.15.2/dialogs/display-settings/main.c:2041:86: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
profile_hash = g_compute_checksum_for_string (G_CHECKSUM_SHA1, profile_name, strlen(profile_name));
data/xfce4-settings-4.15.2/dialogs/mouse-settings/main.c:1606:34: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
string = g_string_sized_new (strlen (name));
data/xfce4-settings-4.15.2/xfsettingsd/gtk-decorations.c:101:11: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
len = strlen (value);
data/xfce4-settings-4.15.2/xfsettingsd/keyboard-layout.c:346:21: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (strlen (option_value) != 0)
data/xfce4-settings-4.15.2/xfsettingsd/pointers.c:710:34: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
string = g_string_sized_new (strlen (name));
data/xfce4-settings-4.15.2/xfsettingsd/pointers.c:1024:42: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
pointer_data.prop_name_len = strlen (prop) + 1;
data/xfce4-settings-4.15.2/xfsettingsd/workspaces.c:240:18: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
i += strlen (p) + 1;
data/xfce4-settings-4.15.2/xfsettingsd/workspaces.c:328:55: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
g_string_append_len (names_str, name, strlen (name) + 1);
data/xfce4-settings-4.15.2/xfsettingsd/workspaces.c:335:59: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
g_string_append_len (names_str, new_name, strlen (new_name) + 1);
data/xfce4-settings-4.15.2/xfsettingsd/xsettings.c:732:16: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
name_len = strlen (name) - 1 /* -1 for the xfconf slash */;
data/xfce4-settings-4.15.2/xfsettingsd/xsettings.c:753:29: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
value_len = strlen (str);
ANALYSIS SUMMARY:
Hits = 23
Lines analyzed = 41880 in approximately 1.13 seconds (36912 lines/second)
Physical Source Lines of Code (SLOC) = 31153
Hits@level = [0] 0 [1] 11 [2] 10 [3] 2 [4] 0 [5] 0
Hits@level+ = [0+] 23 [1+] 23 [2+] 12 [3+] 2 [4+] 0 [5+] 0
Hits/KSLOC@level+ = [0+] 0.738292 [1+] 0.738292 [2+] 0.385196 [3+] 0.0641993 [4+] 0 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.