Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/xrdesktop-0.15.1/examples/client.c
Examining data/xrdesktop-0.15.1/examples/hand-shake.c
Examining data/xrdesktop-0.15.1/examples/overlay_models.c
Examining data/xrdesktop-0.15.1/examples/settings.c
Examining data/xrdesktop-0.15.1/src/overlay/xrd-overlay-client-private.h
Examining data/xrdesktop-0.15.1/src/overlay/xrd-overlay-client.c
Examining data/xrdesktop-0.15.1/src/overlay/xrd-overlay-client.h
Examining data/xrdesktop-0.15.1/src/overlay/xrd-overlay-desktop-cursor.c
Examining data/xrdesktop-0.15.1/src/overlay/xrd-overlay-desktop-cursor.h
Examining data/xrdesktop-0.15.1/src/overlay/xrd-overlay-pointer-tip.c
Examining data/xrdesktop-0.15.1/src/overlay/xrd-overlay-pointer-tip.h
Examining data/xrdesktop-0.15.1/src/overlay/xrd-overlay-pointer.c
Examining data/xrdesktop-0.15.1/src/overlay/xrd-overlay-pointer.h
Examining data/xrdesktop-0.15.1/src/overlay/xrd-overlay-window-private.h
Examining data/xrdesktop-0.15.1/src/overlay/xrd-overlay-window.c
Examining data/xrdesktop-0.15.1/src/overlay/xrd-overlay-window.h
Examining data/xrdesktop-0.15.1/src/scene/renderdoc_app.h
Examining data/xrdesktop-0.15.1/src/scene/xrd-scene-background.c
Examining data/xrdesktop-0.15.1/src/scene/xrd-scene-background.h
Examining data/xrdesktop-0.15.1/src/scene/xrd-scene-client-private.h
Examining data/xrdesktop-0.15.1/src/scene/xrd-scene-client.c
Examining data/xrdesktop-0.15.1/src/scene/xrd-scene-client.h
Examining data/xrdesktop-0.15.1/src/scene/xrd-scene-desktop-cursor.c
Examining data/xrdesktop-0.15.1/src/scene/xrd-scene-desktop-cursor.h
Examining data/xrdesktop-0.15.1/src/scene/xrd-scene-model.c
Examining data/xrdesktop-0.15.1/src/scene/xrd-scene-model.h
Examining data/xrdesktop-0.15.1/src/scene/xrd-scene-object.c
Examining data/xrdesktop-0.15.1/src/scene/xrd-scene-object.h
Examining data/xrdesktop-0.15.1/src/scene/xrd-scene-pointer-tip.c
Examining data/xrdesktop-0.15.1/src/scene/xrd-scene-pointer-tip.h
Examining data/xrdesktop-0.15.1/src/scene/xrd-scene-pointer.c
Examining data/xrdesktop-0.15.1/src/scene/xrd-scene-pointer.h
Examining data/xrdesktop-0.15.1/src/scene/xrd-scene-renderer.c
Examining data/xrdesktop-0.15.1/src/scene/xrd-scene-renderer.h
Examining data/xrdesktop-0.15.1/src/scene/xrd-scene-selection.c
Examining data/xrdesktop-0.15.1/src/scene/xrd-scene-selection.h
Examining data/xrdesktop-0.15.1/src/scene/xrd-scene-window-private.h
Examining data/xrdesktop-0.15.1/src/scene/xrd-scene-window.c
Examining data/xrdesktop-0.15.1/src/scene/xrd-scene-window.h
Examining data/xrdesktop-0.15.1/src/xrd-button.c
Examining data/xrdesktop-0.15.1/src/xrd-button.h
Examining data/xrdesktop-0.15.1/src/xrd-client-private.h
Examining data/xrdesktop-0.15.1/src/xrd-client.c
Examining data/xrdesktop-0.15.1/src/xrd-client.h
Examining data/xrdesktop-0.15.1/src/xrd-container.c
Examining data/xrdesktop-0.15.1/src/xrd-container.h
Examining data/xrdesktop-0.15.1/src/xrd-desktop-cursor.c
Examining data/xrdesktop-0.15.1/src/xrd-desktop-cursor.h
Examining data/xrdesktop-0.15.1/src/xrd-enums.h
Examining data/xrdesktop-0.15.1/src/xrd-input-synth.c
Examining data/xrdesktop-0.15.1/src/xrd-input-synth.h
Examining data/xrdesktop-0.15.1/src/xrd-math.c
Examining data/xrdesktop-0.15.1/src/xrd-math.h
Examining data/xrdesktop-0.15.1/src/xrd-render-lock.c
Examining data/xrdesktop-0.15.1/src/xrd-render-lock.h
Examining data/xrdesktop-0.15.1/src/xrd-settings.c
Examining data/xrdesktop-0.15.1/src/xrd-settings.h
Examining data/xrdesktop-0.15.1/src/xrd-shake-compensator.c
Examining data/xrdesktop-0.15.1/src/xrd-shake-compensator.h
Examining data/xrdesktop-0.15.1/src/xrd-types.h
Examining data/xrdesktop-0.15.1/src/xrd-window-manager.c
Examining data/xrdesktop-0.15.1/src/xrd-window-manager.h
Examining data/xrdesktop-0.15.1/src/xrd-window.c
Examining data/xrdesktop-0.15.1/src/xrd-window.h
Examining data/xrdesktop-0.15.1/src/xrd.h
Examining data/xrdesktop-0.15.1/tests/test_client_switch.c
Examining data/xrdesktop-0.15.1/tests/test_gsettings.c
Examining data/xrdesktop-0.15.1/tests/test_math_angles.c
Examining data/xrdesktop-0.15.1/tests/test_math_matrix_decomposition.c
Examining data/xrdesktop-0.15.1/tests/test_overlay_client.c
Examining data/xrdesktop-0.15.1/tests/test_overlay_window.c
Examining data/xrdesktop-0.15.1/tests/test_scene_client.c
Examining data/xrdesktop-0.15.1/tests/test_scene_window_external_memory.c
Examining data/xrdesktop-0.15.1/tests/test_scene_window_size.c
FINAL RESULTS:
data/xrdesktop-0.15.1/src/scene/xrd-scene-renderer.c:201:9: [4] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf.
sprintf (path, "/shaders/%s.%s.spv", shader_names[i], stage_names[j]);
data/xrdesktop-0.15.1/examples/client.c:575:19: [3] (random) g_rand_int_range:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
gint32 id = g_rand_int_range (self->rand, 0, (gint32) len);
data/xrdesktop-0.15.1/examples/client.c:376:11: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf (window_title, "Bird [%d,%d]", col, row);
data/xrdesktop-0.15.1/examples/hand-shake.c:353:7: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char res[50];
data/xrdesktop-0.15.1/examples/overlay_models.c:155:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char name_ret[GXR_MODEL_NAME_MAX];
data/xrdesktop-0.15.1/src/overlay/xrd-overlay-pointer-tip.c:68:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char key[16];
data/xrdesktop-0.15.1/src/scene/xrd-scene-renderer.c:192:9: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
const char *shader_names[PIPELINE_COUNT] = {
data/xrdesktop-0.15.1/src/scene/xrd-scene-renderer.c:195:9: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
const char *stage_names[2] = {"vert", "frag"};
data/xrdesktop-0.15.1/src/scene/xrd-scene-renderer.c:200:9: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char path[1024];
data/xrdesktop-0.15.1/src/xrd-button.c:115:11: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (strlen (text[i]) > longest_line)
data/xrdesktop-0.15.1/src/xrd-button.c:116:24: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
longest_line = strlen (text[i]);
ANALYSIS SUMMARY:
Hits = 11
Lines analyzed = 16972 in approximately 0.32 seconds (53496 lines/second)
Physical Source Lines of Code (SLOC) = 12148
Hits@level = [0] 2 [1] 2 [2] 7 [3] 1 [4] 1 [5] 0
Hits@level+ = [0+] 13 [1+] 11 [2+] 9 [3+] 2 [4+] 1 [5+] 0
Hits/KSLOC@level+ = [0+] 1.07014 [1+] 0.905499 [2+] 0.740863 [3+] 0.164636 [4+] 0.0823181 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.