After three years of development, GNU cflow 1.7 has been released. The utility builds a visual graph of function calls in C programs, which can simplify studying an application's logic. The graph is built solely from analysis of the source code, without the need to execute the program. Generation of both direct and inverse execution flow graphs is supported, as well as generation of cross-reference lists for source files.
The release is notable for adding support for the "dot" output format ('--format=dot'), which produces a result in the DOT language for subsequent visualization in Graphviz. Several starting functions can now be specified by repeating the '--main' option; a separate graph is generated for each such function. A new option, '--target=FUNCTION', limits the resulting graph to the branches that include the given functions (the '--target' option can be specified several times). cflow-mode has gained new commands for navigating the graph: "c" goes to the calling function, "n" goes to the next function at the same nesting level, and "p" goes to the previous function at the same nesting level.
The new version also fixes two vulnerabilities that were identified back in 2019 and lead to memory corruption when cflow processes specially crafted source files. The first vulnerability (CVE-2019-16165) is a use-after-free memory access in the parser code (the reference function in parser.c). The second vulnerability (CVE-2019-16166) is a buffer overflow in the nexttoken() function. According to the developers, these problems do not pose a security threat, as their impact is limited to a crash of the utility.