Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/xfce4-settings-4.15.2/common/edid.h
Examining data/xfce4-settings-4.15.2/common/xfce-randr.h
Examining data/xfce4-settings-4.15.2/common/display-name.c
Examining data/xfce4-settings-4.15.2/common/xfce-randr.c
Examining data/xfce4-settings-4.15.2/common/display-profiles.c
Examining data/xfce4-settings-4.15.2/common/edid-parse.c
Examining data/xfce4-settings-4.15.2/common/display-profiles.h
Examining data/xfce4-settings-4.15.2/xfce4-settings-editor/xfce-settings-prop-dialog.c
Examining data/xfce4-settings-4.15.2/xfce4-settings-editor/xfce-settings-cell-renderer.h
Examining data/xfce4-settings-4.15.2/xfce4-settings-editor/xfce-settings-marshal.c
Examining data/xfce4-settings-4.15.2/xfce4-settings-editor/xfce-settings-prop-dialog.h
Examining data/xfce4-settings-4.15.2/xfce4-settings-editor/xfce-settings-marshal.h
Examining data/xfce4-settings-4.15.2/xfce4-settings-editor/xfce-settings-editor-box.h
Examining data/xfce4-settings-4.15.2/xfce4-settings-editor/main.c
Examining data/xfce4-settings-4.15.2/xfce4-settings-editor/xfce-settings-editor-box.c
Examining data/xfce4-settings-4.15.2/xfce4-settings-editor/xfce-settings-cell-renderer.c
Examining data/xfce4-settings-4.15.2/xfsettingsd/gtk-decorations.c
Examining data/xfce4-settings-4.15.2/xfsettingsd/keyboard-shortcuts.h
Examining data/xfce4-settings-4.15.2/xfsettingsd/pointers-defines.h
Examining data/xfce4-settings-4.15.2/xfsettingsd/clipboard-manager.c
Examining data/xfce4-settings-4.15.2/xfsettingsd/displays.c
Examining data/xfce4-settings-4.15.2/xfsettingsd/accessibility.c
Examining data/xfce4-settings-4.15.2/xfsettingsd/displays.h
Examining data/xfce4-settings-4.15.2/xfsettingsd/keyboards.c
Examining data/xfce4-settings-4.15.2/xfsettingsd/gtk-decorations.h
Examining data/xfce4-settings-4.15.2/xfsettingsd/keyboard-shortcuts.c
Examining data/xfce4-settings-4.15.2/xfsettingsd/keyboards.h
Examining data/xfce4-settings-4.15.2/xfsettingsd/workspaces.h
Examining data/xfce4-settings-4.15.2/xfsettingsd/pointers.h
Examining data/xfce4-settings-4.15.2/xfsettingsd/debug.h
Examining data/xfce4-settings-4.15.2/xfsettingsd/accessibility.h
Examining data/xfce4-settings-4.15.2/xfsettingsd/xsettings.h
Examining data/xfce4-settings-4.15.2/xfsettingsd/displays-upower.h
Examining data/xfce4-settings-4.15.2/xfsettingsd/displays-upower.c
Examining data/xfce4-settings-4.15.2/xfsettingsd/keyboard-layout.h
Examining data/xfce4-settings-4.15.2/xfsettingsd/keyboard-layout.c
Examining data/xfce4-settings-4.15.2/xfsettingsd/pointers.c
Examining data/xfce4-settings-4.15.2/xfsettingsd/clipboard-manager.h
Examining data/xfce4-settings-4.15.2/xfsettingsd/debug.c
Examining data/xfce4-settings-4.15.2/xfsettingsd/xsettings.c
Examining data/xfce4-settings-4.15.2/xfsettingsd/main.c
Examining data/xfce4-settings-4.15.2/xfsettingsd/workspaces.c
Examining data/xfce4-settings-4.15.2/xfce4-settings-manager/xfce-settings-manager-dialog.c
Examining data/xfce4-settings-4.15.2/xfce4-settings-manager/main.c
Examining data/xfce4-settings-4.15.2/xfce4-settings-manager/xfce-settings-manager-dialog.h
Examining data/xfce4-settings-4.15.2/dialogs/mime-settings/xfce-mime-helper-chooser.c
Examining data/xfce4-settings-4.15.2/dialogs/mime-settings/xfce-mime-helper-launcher-dialog.c
Examining data/xfce4-settings-4.15.2/dialogs/mime-settings/xfce-mime-window.c
Examining data/xfce4-settings-4.15.2/dialogs/mime-settings/xfce-mime-chooser.c
Examining data/xfce4-settings-4.15.2/dialogs/mime-settings/xfce-mime-helper-main.c
Examining data/xfce4-settings-4.15.2/dialogs/mime-settings/xfce-mime-helper-utils.c
Examining data/xfce4-settings-4.15.2/dialogs/mime-settings/xfce-mime-helper-launcher-dialog.h
Examining data/xfce4-settings-4.15.2/dialogs/mime-settings/xfce-mime-chooser.h
Examining data/xfce4-settings-4.15.2/dialogs/mime-settings/xfce-mime-helper-enum-types.c
Examining data/xfce4-settings-4.15.2/dialogs/mime-settings/xfce-mime-helper-enum-types.h
Examining data/xfce4-settings-4.15.2/dialogs/mime-settings/xfce-mime-helper-utils.h
Examining data/xfce4-settings-4.15.2/dialogs/mime-settings/xfce-mime-helper-chooser.h
Examining data/xfce4-settings-4.15.2/dialogs/mime-settings/xfce-mime-helper.c
Examining data/xfce4-settings-4.15.2/dialogs/mime-settings/xfce-mime-window.h
Examining data/xfce4-settings-4.15.2/dialogs/mime-settings/xfce-mime-helper.h
Examining data/xfce4-settings-4.15.2/dialogs/mime-settings/main.c
Examining data/xfce4-settings-4.15.2/dialogs/accessibility-settings/find-cursor.c
Examining data/xfce4-settings-4.15.2/dialogs/accessibility-settings/accessibility-dialog_ui.h
Examining data/xfce4-settings-4.15.2/dialogs/accessibility-settings/main.c
Examining data/xfce4-settings-4.15.2/dialogs/mouse-settings/mouse-dialog_ui.h
Examining data/xfce4-settings-4.15.2/dialogs/mouse-settings/main.c
Examining data/xfce4-settings-4.15.2/dialogs/appearance-settings/images.h
Examining data/xfce4-settings-4.15.2/dialogs/appearance-settings/appearance-dialog_ui.h
Examining data/xfce4-settings-4.15.2/dialogs/appearance-settings/main.c
Examining data/xfce4-settings-4.15.2/dialogs/display-settings/confirmation-dialog_ui.h
Examining data/xfce4-settings-4.15.2/dialogs/display-settings/display-dialog_ui.h
Examining data/xfce4-settings-4.15.2/dialogs/display-settings/minimal-display-dialog_ui.h
Examining data/xfce4-settings-4.15.2/dialogs/display-settings/foo-marshal.c
Examining data/xfce4-settings-4.15.2/dialogs/display-settings/identity-popup_ui.h
Examining data/xfce4-settings-4.15.2/dialogs/display-settings/scrollarea.c
Examining data/xfce4-settings-4.15.2/dialogs/display-settings/foo-marshal.h
Examining data/xfce4-settings-4.15.2/dialogs/display-settings/scrollarea.h
Examining data/xfce4-settings-4.15.2/dialogs/display-settings/main.c
Examining data/xfce4-settings-4.15.2/dialogs/display-settings/profile-changed-dialog_ui.h
Examining data/xfce4-settings-4.15.2/dialogs/keyboard-settings/xfce-keyboard-settings.c
Examining data/xfce4-settings-4.15.2/dialogs/keyboard-settings/keyboard-dialog_ui.h
Examining data/xfce4-settings-4.15.2/dialogs/keyboard-settings/command-dialog.h
Examining data/xfce4-settings-4.15.2/dialogs/keyboard-settings/command-dialog.c
Examining data/xfce4-settings-4.15.2/dialogs/keyboard-settings/xfce-keyboard-settings.h
Examining data/xfce4-settings-4.15.2/dialogs/keyboard-settings/main.c
Examining data/xfce4-settings-4.15.2/dialogs/color-settings/color-dialog_ui.h
Examining data/xfce4-settings-4.15.2/dialogs/color-settings/color-device.c
Examining data/xfce4-settings-4.15.2/dialogs/color-settings/color-device.h
Examining data/xfce4-settings-4.15.2/dialogs/color-settings/color-profile.h
Examining data/xfce4-settings-4.15.2/dialogs/color-settings/color-profile.c
Examining data/xfce4-settings-4.15.2/dialogs/color-settings/main.c

FINAL RESULTS:

data/xfce4-settings-4.15.2/dialogs/color-settings/main.c:133:68:  [3] (buffer) g_get_home_dir:
  This function is synonymous with 'getenv("HOME")';it returns untrustable
  input if the environment can beset by an attacker. It can have any content
  and length, and the same variable can be set more than once (CWE-807,
  CWE-20). Check environment variables carefully before using them.
  gtk_file_chooser_set_current_folder (GTK_FILE_CHOOSER(dialog), g_get_home_dir ());
data/xfce4-settings-4.15.2/dialogs/mouse-settings/main.c:474:47:  [3] (buffer) g_get_home_dir:
  This function is synonymous with 'getenv("HOME")';it returns untrustable
  input if the environment can beset by an attacker. It can have any content
  and length, and the same variable can be set more than once (CWE-807,
  CWE-20). Check environment variables carefully before using them.
  path = homedir = g_strconcat (g_get_home_dir (), basedirs[i] + 1, NULL);
data/xfce4-settings-4.15.2/common/display-name.c:43:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  const char vendor_id[4];
data/xfce4-settings-4.15.2/common/display-name.c:44:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  const char vendor_name[78];
data/xfce4-settings-4.15.2/common/edid.h:114:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char manufacturer_code[4];
data/xfce4-settings-4.15.2/common/edid.h:190:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char dsc_serial_number[14];
data/xfce4-settings-4.15.2/common/edid.h:191:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char dsc_product_name[14];
data/xfce4-settings-4.15.2/common/edid.h:192:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char dsc_string[14]; /* Unspecified ASCII data */
data/xfce4-settings-4.15.2/dialogs/mouse-settings/main.c:196:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy (buffer, image->pixels, bsize);
data/xfce4-settings-4.15.2/xfsettingsd/clipboard-manager.c:394:25:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy (tdata->data + tdata->length, data, length + 1);
data/xfce4-settings-4.15.2/xfsettingsd/xsettings.c:800:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy (needle, name + 1 /* +1 for the xfconf slash */, name_len);
data/xfce4-settings-4.15.2/xfsettingsd/xsettings.c:828:17:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy (needle, str, value_len);
data/xfce4-settings-4.15.2/dialogs/display-settings/main.c:2041:86:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  profile_hash = g_compute_checksum_for_string (G_CHECKSUM_SHA1, profile_name, strlen(profile_name));
data/xfce4-settings-4.15.2/dialogs/mouse-settings/main.c:1606:34:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  string = g_string_sized_new (strlen (name));
data/xfce4-settings-4.15.2/xfsettingsd/gtk-decorations.c:101:11:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  len = strlen (value);
data/xfce4-settings-4.15.2/xfsettingsd/keyboard-layout.c:346:21:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen (option_value) != 0)
data/xfce4-settings-4.15.2/xfsettingsd/pointers.c:710:34:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  string = g_string_sized_new (strlen (name));
data/xfce4-settings-4.15.2/xfsettingsd/pointers.c:1024:42:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  pointer_data.prop_name_len = strlen (prop) + 1;
data/xfce4-settings-4.15.2/xfsettingsd/workspaces.c:240:18:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  i += strlen (p) + 1;
data/xfce4-settings-4.15.2/xfsettingsd/workspaces.c:328:55:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  g_string_append_len (names_str, name, strlen (name) + 1);
data/xfce4-settings-4.15.2/xfsettingsd/workspaces.c:335:59:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  g_string_append_len (names_str, new_name, strlen (new_name) + 1);
data/xfce4-settings-4.15.2/xfsettingsd/xsettings.c:732:16:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  name_len = strlen (name) - 1 /* -1 for the xfconf slash */;
data/xfce4-settings-4.15.2/xfsettingsd/xsettings.c:753:29:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  value_len = strlen (str);

ANALYSIS SUMMARY:

Hits = 23
Lines analyzed = 41880 in approximately 1.13 seconds (36912 lines/second)
Physical Source Lines of Code (SLOC) = 31153
Hits@level = [0]   0 [1]  11 [2]  10 [3]   2 [4]   0 [5]   0
Hits@level+ = [0+]  23 [1+]  23 [2+]  12 [3+]   2 [4+]   0 [5+]   0
Hits/KSLOC@level+ = [0+] 0.738292 [1+] 0.738292 [2+] 0.385196 [3+] 0.0641993 [4+]   0 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.