stdin

Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/xpra-3.0.9+dfsg1/win32/service/Xpra-Service.cpp
Examining data/xpra-3.0.9+dfsg1/win32/service/event_log.h
Examining data/xpra-3.0.9+dfsg1/xpra/buffers/buffers.h
Examining data/xpra-3.0.9+dfsg1/xpra/buffers/memalign.c
Examining data/xpra-3.0.9+dfsg1/xpra/buffers/xxhash.h
Examining data/xpra-3.0.9+dfsg1/xpra/buffers/memalign.h
Examining data/xpra-3.0.9+dfsg1/xpra/buffers/xxhash.c
Examining data/xpra-3.0.9+dfsg1/xpra/buffers/buffers.c
Examining data/xpra-3.0.9+dfsg1/xpra/buffers/xxh3.h
Examining data/xpra-3.0.9+dfsg1/xpra/x11/gtk3/gdk_x11_macros.c
Examining data/xpra-3.0.9+dfsg1/xpra/x11/gtk3/gdk_x11_macros.h
Examining data/xpra-3.0.9+dfsg1/xpra/monotonic_ctime.h
Examining data/xpra-3.0.9+dfsg1/xpra/codecs/dec_avcodec2/register_compat.h
Examining data/xpra-3.0.9+dfsg1/xpra/codecs/dec_avcodec2/register_compat.c
Examining data/xpra-3.0.9+dfsg1/xpra/codecs/v4l2/video.h
Examining data/xpra-3.0.9+dfsg1/xpra/platform/darwin/transparency_glue.h
Examining data/xpra-3.0.9+dfsg1/xpra/platform/darwin/nsevent_glue.h
Examining data/xpra-3.0.9+dfsg1/xpra/platform/win32/setappid.h
Examining data/xpra-3.0.9+dfsg1/xpra/monotonic_ctime.c

FINAL RESULTS:

data/xpra-3.0.9+dfsg1/win32/service/Xpra-Service.cpp:249:10:  [3] (shell) CreateProcess:
  This causes a new process to execute and is difficult to use safely
  (CWE-78). Specify the application path in the first argument, NOT as part
  of the second, or embedded spaces could allow an attacker to force a
  different program to run.
    if (!CreateProcess(NULL, command, NULL, NULL, FALSE, 0, NULL, cwd, &si, &pi))
data/xpra-3.0.9+dfsg1/win32/service/Xpra-Service.cpp:249:10:  [3] (shell) CreateProcess:
  This causes a new process to execute and is difficult to use safely
  (CWE-78). Specify the application path in the first argument, NOT as part
  of the second, or embedded spaces could allow an attacker to force a
  different program to run.
    if (!CreateProcess(NULL, command, NULL, NULL, FALSE, 0, NULL, cwd, &si, &pi))
data/xpra-3.0.9+dfsg1/win32/service/Xpra-Service.cpp:65:5:  [2] (buffer) TCHAR:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    TCHAR szPath[MAX_PATH];
data/xpra-3.0.9+dfsg1/win32/service/Xpra-Service.cpp:228:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char buf[64];
data/xpra-3.0.9+dfsg1/win32/service/Xpra-Service.cpp:380:5:  [2] (buffer) TCHAR:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    TCHAR Buffer[80];
data/xpra-3.0.9+dfsg1/xpra/buffers/xxh3.h:925:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
    memcpy(dst, &v64, sizeof(v64));
data/xpra-3.0.9+dfsg1/xpra/buffers/xxh3.h:1080:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
    memcpy(dst_state, src_state, sizeof(*dst_state));
data/xpra-3.0.9+dfsg1/xpra/buffers/xxh3.h:1223:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
    memcpy(acc, state->acc, sizeof(state->acc));  /* digest locally, state remains unaltered, and can continue ingesting more input afterwards */
data/xpra-3.0.9+dfsg1/xpra/buffers/xxh3.h:1242:13:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
            memcpy(lastStripe, state->buffer + sizeof(state->buffer) - catchupSize, catchupSize);
data/xpra-3.0.9+dfsg1/xpra/buffers/xxh3.h:1243:13:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
            memcpy(lastStripe + catchupSize, state->buffer, state->bufferedSize);
data/xpra-3.0.9+dfsg1/xpra/buffers/xxh3.h:1598:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
    memcpy(dst, &hash.high64, sizeof(hash.high64));
data/xpra-3.0.9+dfsg1/xpra/buffers/xxh3.h:1599:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
    memcpy((char*)dst + sizeof(hash.high64), &hash.low64, sizeof(hash.low64));
data/xpra-3.0.9+dfsg1/xpra/buffers/xxhash.c:114:76:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
static void* XXH_memcpy(void* dest, const void* src, size_t size) { return memcpy(dest,src,size); }
data/xpra-3.0.9+dfsg1/xpra/buffers/xxhash.c:521:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
    memcpy(dstState, srcState, sizeof(*dstState));
data/xpra-3.0.9+dfsg1/xpra/buffers/xxhash.c:533:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
    memcpy(statePtr, &state, sizeof(state) - sizeof(state.reserved));
data/xpra-3.0.9+dfsg1/xpra/buffers/xxhash.c:633:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
    memcpy(dst, &hash, sizeof(*dst));
data/xpra-3.0.9+dfsg1/xpra/buffers/xxhash.c:982:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
    memcpy(dstState, srcState, sizeof(*dstState));
data/xpra-3.0.9+dfsg1/xpra/buffers/xxhash.c:994:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
    memcpy(statePtr, &state, sizeof(state) - sizeof(state.reserved64));
data/xpra-3.0.9+dfsg1/xpra/buffers/xxhash.c:1090:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
    memcpy(dst, &hash, sizeof(*dst));
data/xpra-3.0.9+dfsg1/xpra/buffers/xxhash.h:249:27:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
typedef struct { unsigned char digest[4]; } XXH32_canonical_t;
data/xpra-3.0.9+dfsg1/xpra/buffers/xxhash.h:286:27:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
typedef struct { unsigned char digest[8]; } XXH64_canonical_t;
data/xpra-3.0.9+dfsg1/xpra/buffers/xxhash.h:469:27:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
   XXH_ALIGN(64) unsigned char customSecret[XXH3_SECRET_DEFAULT_SIZE];  /* used to store a custom secret generated from the seed. Makes state larger. Design might change */
data/xpra-3.0.9+dfsg1/xpra/buffers/xxhash.h:470:27:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
   XXH_ALIGN(64) unsigned char buffer[XXH3_INTERNALBUFFER_SIZE];
data/xpra-3.0.9+dfsg1/xpra/buffers/xxhash.h:563:27:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
typedef struct { unsigned char digest[16]; } XXH128_canonical_t;

ANALYSIS SUMMARY:

Hits = 24
Lines analyzed = 4056 in approximately 0.17 seconds (23866 lines/second)
Physical Source Lines of Code (SLOC) = 2491
Hits@level = [0]  12 [1]   0 [2]  22 [3]   2 [4]   0 [5]   0
Hits@level+ = [0+]  36 [1+]  24 [2+]  24 [3+]   2 [4+]   0 [5+]   0
Hits/KSLOC@level+ = [0+] 14.452 [1+] 9.63468 [2+] 9.63468 [3+] 0.80289 [4+]   0 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.