Fix #14577 (Checkers report: unsigned integer overflow can lead to huge string) (danmar#8306)

Author: danmar

Makefile

@@ -294,6 +294,7 @@ TESTOBJ =     test/fixture.o \
               test/testbufferoverrun.o \
               test/testcharvar.o \
               test/testcheck.o \
+              test/testcheckersreport.o \
               test/testclangimport.o \
               test/testclass.o \
               test/testcmdlineparser.o \
@@ -757,6 +758,9 @@ test/testcharvar.o: test/testcharvar.cpp lib/addoninfo.h lib/check.h lib/checker
 test/testcheck.o: test/testcheck.cpp lib/addoninfo.h lib/check.h lib/checkers.h lib/color.h lib/config.h lib/errorlogger.h lib/errortypes.h lib/library.h lib/mathlib.h lib/platform.h lib/settings.h lib/standards.h lib/utils.h test/fixture.h
 	$(CXX) ${INCLUDE_FOR_TEST} ${CFLAGS_FOR_TEST} $(CPPFLAGS) $(CXXFLAGS) -c -o $@ test/testcheck.cpp
 
+test/testcheckersreport.o: test/testcheckersreport.cpp lib/addoninfo.h lib/check.h lib/checkers.h lib/checkersreport.h lib/color.h lib/config.h lib/errorlogger.h lib/errortypes.h lib/library.h lib/mathlib.h lib/path.h lib/platform.h lib/settings.h lib/standards.h lib/tokenize.h lib/tokenlist.h lib/utils.h test/fixture.h test/helpers.h
+	$(CXX) ${INCLUDE_FOR_TEST} ${CFLAGS_FOR_TEST} $(CPPFLAGS) $(CXXFLAGS) -c -o $@ test/testcheckersreport.cpp
+
 test/testclangimport.o: test/testclangimport.cpp lib/addoninfo.h lib/check.h lib/checkers.h lib/clangimport.h lib/color.h lib/config.h lib/errorlogger.h lib/errortypes.h lib/library.h lib/mathlib.h lib/platform.h lib/settings.h lib/smallvector.h lib/sourcelocation.h lib/standards.h lib/symboldatabase.h lib/templatesimplifier.h lib/token.h lib/tokenize.h lib/tokenlist.h lib/utils.h lib/vfvalue.h test/fixture.h
 	$(CXX) ${INCLUDE_FOR_TEST} ${CFLAGS_FOR_TEST} $(CPPFLAGS) $(CXXFLAGS) -c -o $@ test/testclangimport.cpp
 

lib/checkersreport.cpp

@@ -209,13 +209,19 @@ std::string CheckersReport::getReport(const std::string& criticalErrors) const
         fout << title << std::endl;
         fout << std::string(title.size(), '-') << std::endl;
 
+        maxCheckerSize = 0;
+        for (const auto& checkReq: addonInfo.checkers) {
+            const std::string& checker = checkReq.first;
+            maxCheckerSize = std::max(checker.size(), maxCheckerSize);
+        }
+
         for (const auto& checkReq: addonInfo.checkers) {
             const std::string& checker = checkReq.first;
             const bool active = mActiveCheckers.count(checkReq.first) > 0;
             const std::string& req = checkReq.second;
             fout << (active ? "Yes  " : "No   ") << checker;
             if (!active && !req.empty())
-                fout << std::string(maxCheckerSize + 4 - checker.size(), ' ') << "require:" + req;
+                fout << std::string(maxCheckerSize + 4 - checker.size(), ' ') << "require:" << req;
             fout << std::endl;
         }
     }

test/testcheckersreport.cpp

@@ -0,0 +1,58 @@
+/*
+ * Cppcheck - A tool for static C/C++ code analysis
+ * Copyright (C) 2007-2025 Cppcheck team.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+
+#include "checkersreport.h"
+#include "fixture.h"
+#include "helpers.h"
+#include "settings.h"
+
+#include <cstddef>
+
+class TestCheckersReport : public TestFixture {
+public:
+    TestCheckersReport() : TestFixture("TestCheckersReport") {}
+
+
+    void run() final {
+        // AddonInfo::checkers
+        TEST_CASE(addonInfoCheckers);
+    }
+
+    void addonInfoCheckers() const {
+        AddonInfo a;
+        a.name = "test";
+        a.checkers["abcdefghijklmnopqrstuvwxyz::abcdefghijklmnopqrstuvwxyz"] = "123";
+        Settings s;
+        s.addonInfos.emplace_back(a);
+        const std::set<std::string> activeCheckers;
+        CheckersReport r(s, activeCheckers);
+        const std::string report = r.getReport("");
+        const auto pos = report.rfind("\n\n");
+        ASSERT(pos != std::string::npos);
+
+        const char expected[] =
+            "test checkers\n"
+            "-------------\n"
+            "No   abcdefghijklmnopqrstuvwxyz::abcdefghijklmnopqrstuvwxyz    require:123\n";
+
+        ASSERT_EQUALS(expected, report.substr(pos+2));
+    }
+};
+
+REGISTER_TEST(TestCheckersReport)

test/testrunner.vcxproj

@@ -53,6 +53,7 @@
     <ClCompile Include="testbufferoverrun.cpp" />
     <ClCompile Include="testcharvar.cpp" />
     <ClCompile Include="testcheck.cpp" />
+    <ClCompile Include="testcheckersreport.cpp" />
     <ClCompile Include="testclangimport.cpp" />
     <ClCompile Include="testclass.cpp" />
     <ClCompile Include="testcmdlineparser.cpp" />