Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler. Number of rules (primarily dangerous function names) in C/C++ ruleset: 223 Examining data/xfdesktop4-4.15.1/settings/xfdesktop-settings-appearance-frame-ui.h Examining data/xfdesktop4-4.15.1/settings/main.c Examining data/xfdesktop4-4.15.1/settings/xfdesktop-settings-ui.h Examining data/xfdesktop4-4.15.1/common/xfdesktop-common.h Examining data/xfdesktop4-4.15.1/common/xfdesktop-thumbnailer.h Examining data/xfdesktop4-4.15.1/common/xfdesktop-thumbnailer.c Examining data/xfdesktop4-4.15.1/common/tumbler.c Examining data/xfdesktop4-4.15.1/common/xfdesktop-marshal.h Examining data/xfdesktop4-4.15.1/common/xfdesktop-marshal.c Examining data/xfdesktop4-4.15.1/common/tumbler.h Examining data/xfdesktop4-4.15.1/common/xfdesktop-common.c Examining data/xfdesktop4-4.15.1/src/xfce-workspace.h Examining data/xfdesktop4-4.15.1/src/xfdesktop-file-manager-proxy.h Examining data/xfdesktop4-4.15.1/src/xfdesktop-clipboard-manager.c Examining data/xfdesktop4-4.15.1/src/xfdesktop-icon.h Examining data/xfdesktop4-4.15.1/src/xfdesktop-file-icon-manager.h Examining data/xfdesktop4-4.15.1/src/xfce-desktop-enum-types.c Examining data/xfdesktop4-4.15.1/src/xfdesktop-regular-file-icon.c Examining data/xfdesktop4-4.15.1/src/xfdesktop-clipboard-manager.h Examining data/xfdesktop4-4.15.1/src/xfdesktop-notify.c Examining data/xfdesktop4-4.15.1/src/xfdesktop-icon-view.h Examining data/xfdesktop4-4.15.1/src/windowlist.h Examining data/xfdesktop4-4.15.1/src/xfdesktop-icon.c Examining data/xfdesktop4-4.15.1/src/xfce-desktop.c Examining data/xfdesktop4-4.15.1/src/xfdesktop-icon-view-manager.h Examining data/xfdesktop4-4.15.1/src/xfdesktop-window-icon-manager.c Examining data/xfdesktop4-4.15.1/src/main.c Examining data/xfdesktop4-4.15.1/src/xfdesktop-regular-file-icon.h Examining data/xfdesktop4-4.15.1/src/xfdesktop-window-icon.c Examining data/xfdesktop4-4.15.1/src/xfdesktop-volume-icon.c Examining data/xfdesktop4-4.15.1/src/xfdesktop-file-utils.c Examining data/xfdesktop4-4.15.1/src/xfce-workspace.c Examining data/xfdesktop4-4.15.1/src/xfdesktop-icon-view.c Examining data/xfdesktop4-4.15.1/src/xfdesktop-application.h Examining data/xfdesktop4-4.15.1/src/xfce-backdrop.c Examining data/xfdesktop4-4.15.1/src/xfdesktop-thunar-proxy.c Examining data/xfdesktop4-4.15.1/src/menu.h Examining data/xfdesktop4-4.15.1/src/menu.c Examining data/xfdesktop4-4.15.1/src/xfdesktop-special-file-icon.c Examining data/xfdesktop4-4.15.1/src/xfdesktop-notify.h Examining data/xfdesktop4-4.15.1/src/xfdesktop-file-icon-manager.c Examining data/xfdesktop4-4.15.1/src/xfdesktop-file-utils.h Examining data/xfdesktop4-4.15.1/src/xfdesktop-file-manager-proxy.c Examining data/xfdesktop4-4.15.1/src/windowlist.c Examining data/xfdesktop4-4.15.1/src/xfce-backdrop.h Examining data/xfdesktop4-4.15.1/src/xfdesktop-window-icon.h Examining data/xfdesktop4-4.15.1/src/xfdesktop-icon-view-manager.c Examining data/xfdesktop4-4.15.1/src/xfce-desktop-enum-types.h Examining data/xfdesktop4-4.15.1/src/xfdesktop-special-file-icon.h Examining data/xfdesktop4-4.15.1/src/xfdesktop-volume-icon.h Examining data/xfdesktop4-4.15.1/src/xfdesktop-file-icon.c Examining data/xfdesktop4-4.15.1/src/xfdesktop-file-icon.h Examining data/xfdesktop4-4.15.1/src/xfdesktop-application.c Examining data/xfdesktop4-4.15.1/src/xfdesktop-thunar-proxy.h Examining data/xfdesktop4-4.15.1/src/xfce-desktop.h Examining data/xfdesktop4-4.15.1/src/xfdesktop-trash-proxy.h Examining data/xfdesktop4-4.15.1/src/xfdesktop-trash-proxy.c Examining data/xfdesktop4-4.15.1/src/xfdesktop-window-icon-manager.h FINAL RESULTS: data/xfdesktop4-4.15.1/common/xfdesktop-common.c:308:5: [4] (format) vfprintf: If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification. vfprintf(stdout, format, args); data/xfdesktop4-4.15.1/common/xfdesktop-common.h:119:116: [4] (format) printf: If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification. void xfdesktop_debug(const char *func, const char *file, int line, const char *format, ...) __attribute__((format (printf,4,5))); data/xfdesktop4-4.15.1/common/xfdesktop-thumbnailer.c:545:56: [3] (buffer) g_get_home_dir: This function is synonymous with 'getenv("HOME")';it returns untrustable input if the environment can beset by an attacker. It can have any content and length, and the same variable can be set more than once (CWE-807, CWE-20). Check environment variables carefully before using them. thumbnail_location = g_build_path("/", g_get_home_dir(), data/xfdesktop4-4.15.1/src/xfce-backdrop.c:606:20: [3] (random) g_random_int_range: This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values. cur_file = g_random_int_range(0, n_items); data/xfdesktop4-4.15.1/src/windowlist.c:72:24: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). if(!ws_name || atoi(ws_name) == nworkspaces) { data/xfdesktop4-4.15.1/src/windowlist.c:402:24: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). if(!ws_name || atoi(ws_name) == nworkspaces) data/xfdesktop4-4.15.1/src/xfce-backdrop.c:1063:5: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(color, &backdrop->priv->color1, sizeof(GdkRGBA)); data/xfdesktop4-4.15.1/src/xfce-backdrop.c:1104:5: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(color, &backdrop->priv->color2, sizeof(GdkRGBA)); data/xfdesktop4-4.15.1/src/xfce-workspace.c:146:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[1024]; data/xfdesktop4-4.15.1/src/xfce-workspace.c:178:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[1024]; data/xfdesktop4-4.15.1/src/xfce-workspace.c:421:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[1024]; data/xfdesktop4-4.15.1/src/xfce-workspace.c:452:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[1024]; data/xfdesktop4-4.15.1/src/xfce-workspace.c:484:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[1024]; data/xfdesktop4-4.15.1/src/xfce-workspace.c:516:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[1024]; data/xfdesktop4-4.15.1/src/xfce-workspace.c:552:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[1024]; data/xfdesktop4-4.15.1/src/xfce-workspace.c:610:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[1024]; data/xfdesktop4-4.15.1/src/xfdesktop-file-utils.c:1346:54: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). gboolean open, data/xfdesktop4-4.15.1/src/xfdesktop-file-utils.c:1367:65: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). uri, open, data/xfdesktop4-4.15.1/src/xfdesktop-file-utils.h:102:59: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). gboolean open, data/xfdesktop4-4.15.1/src/xfdesktop-icon-view.c:3557:13: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(data, data_p, tmp_size); data/xfdesktop4-4.15.1/common/xfdesktop-common.c:186:23: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). for(curr=0; curr<=strlen(str); curr++) { data/xfdesktop4-4.15.1/common/xfdesktop-thumbnailer.c:527:67: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). f_uri, strlen (f_uri)); data/xfdesktop4-4.15.1/settings/main.c:534:29: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). guint name_length = strlen(name); data/xfdesktop4-4.15.1/src/windowlist.c:77:64: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). gchar *ws_name_esc = g_markup_escape_text(ws_name, strlen(ws_name)); data/xfdesktop4-4.15.1/src/windowlist.c:299:68: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). gchar *ws_name_esc = g_markup_escape_text(ws_name, strlen(ws_name)); data/xfdesktop4-4.15.1/src/windowlist.c:405:64: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). gchar *ws_name_esc = g_markup_escape_text(ws_name, strlen(ws_name)); data/xfdesktop4-4.15.1/src/xfce-backdrop.c:489:17: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if(dir_name[strlen(dir_name)-1] == '/') data/xfdesktop4-4.15.1/src/xfce-desktop.c:305:49: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). (guchar *)filename, strlen(filename)+1); data/xfdesktop4-4.15.1/src/xfce-workspace.c:561:14: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). pp_len = strlen(buf); data/xfdesktop4-4.15.1/src/xfce-workspace.c:628:14: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). pp_len = strlen(buf); data/xfdesktop4-4.15.1/src/xfdesktop-clipboard-manager.c:493:31: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). strlen (data)); data/xfdesktop4-4.15.1/src/xfdesktop-clipboard-manager.c:502:31: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). strlen (string_list)); data/xfdesktop4-4.15.1/src/xfdesktop-file-icon-manager.c:3470:33: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). strlen(uri)); data/xfdesktop4-4.15.1/src/xfdesktop-file-icon-manager.c:3829:89: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). gtk_selection_data_set(data, gtk_selection_data_get_target(data), 8, (guchar *)str, strlen(str)); ANALYSIS SUMMARY: Hits = 34 Lines analyzed = 41032 in approximately 0.89 seconds (46242 lines/second) Physical Source Lines of Code (SLOC) = 29722 Hits@level = [0] 9 [1] 14 [2] 16 [3] 2 [4] 2 [5] 0 Hits@level+ = [0+] 43 [1+] 34 [2+] 20 [3+] 4 [4+] 2 [5+] 0 Hits/KSLOC@level+ = [0+] 1.44674 [1+] 1.14393 [2+] 0.672902 [3+] 0.13458 [4+] 0.0672902 [5+] 0 Dot directories skipped = 1 (--followdotdir overrides) Minimum risk level = 1 Not every hit is necessarily a security vulnerability. There may be other security vulnerabilities; review your code! See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.