Fix MSVC C4267 warnings in gd.c (GH-17680)

cmb69 · web-flow · commit c1f7b87fb1c4 · 2025-02-03T21:02:15.000+01:00
These warnings are about conversion from `size_t` to a smaller type[1], and in this case because `gdIOCtx` works with `int` lengths. Two of these warnings are harmless, and we resolve them by using `size_t` in the first place, and adding a cast (plus an assertion), respectively. The others actually hint at potential issues when reading image data with more than `INT_MAX` bytes; we catch that upfront, and throw a `ValueError` and a warning, respectively. [1] <https://learn.microsoft.com/en-us/cpp/error-messages/compiler-warnings/compiler-warning-level-3-c4267>
diff --git a/ext/gd/gd.c b/ext/gd/gd.c
@@ -1409,7 +1409,8 @@ gdImagePtr _php_image_create_from_string(zend_string *data, const char *tn, gdIm
 	gdImagePtr im;
 	gdIOCtx *io_ctx;
 
-	io_ctx = gdNewDynamicCtxEx(ZSTR_LEN(data), ZSTR_VAL(data), 0);
+	ZEND_ASSERT(ZSTR_LEN(data) <= INT_MAX); /* checked in imagecreatefromstring() */
+	io_ctx = gdNewDynamicCtxEx((int) ZSTR_LEN(data), ZSTR_VAL(data), 0);
 
 	if (!io_ctx) {
 		return NULL;
@@ -1439,6 +1440,10 @@ PHP_FUNCTION(imagecreatefromstring)
 		Z_PARAM_STR(data)
 	ZEND_PARSE_PARAMETERS_END();
 
+	if (ZSTR_LEN(data) > INT_MAX) {
+		zend_argument_value_error(1, "is too long");
+	}
+
 	imtype = _php_image_type(data);
 
 	switch (imtype) {
@@ -1562,17 +1567,23 @@ static void _php_image_create_from(INTERNAL_FUNCTION_PARAMETERS, int image_type,
 		buff = php_stream_copy_to_mem(stream, PHP_STREAM_COPY_ALL, 0);
 
 		if (!buff) {
-			php_error_docref(NULL, E_WARNING,"Cannot read image data");
+			php_error_docref(NULL, E_WARNING, "Cannot read image data");
+			goto out_err;
+		}
+
+		if (ZSTR_LEN(buff) > INT_MAX) {
+			zend_string_release_ex(buff, 0);
+			php_error_docref(NULL, E_WARNING, "Cannot read images with more than %d bytes", INT_MAX);
 			goto out_err;
 		}
 
 		/* needs to be malloc (persistent) - GD will free() it later */
 		pstr = pestrndup(ZSTR_VAL(buff), ZSTR_LEN(buff), 1);
-		io_ctx = gdNewDynamicCtxEx(ZSTR_LEN(buff), pstr, 0);
+		io_ctx = gdNewDynamicCtxEx((int) ZSTR_LEN(buff), pstr, 0);
 		if (!io_ctx) {
 			pefree(pstr, 1);
 			zend_string_release_ex(buff, 0);
-			php_error_docref(NULL, E_WARNING,"Cannot allocate GD IO context");
+			php_error_docref(NULL, E_WARNING, "Cannot allocate GD IO context");
 			goto out_err;
 		}
 
@@ -1796,7 +1807,7 @@ static void _php_image_output(INTERNAL_FUNCTION_PARAMETERS, int image_type, cons
 		fflush(fp);
 		fclose(fp);
 	} else {
-		int   b;
+		size_t b;
 		FILE *tmp;
 		char  buf[4096];
 		zend_string *path;
@@ -2983,7 +2994,8 @@ static void php_imagechar(INTERNAL_FUNCTION_PARAMETERS, int mode)
 	zend_long X, Y, COL;
 	zend_string *C;
 	gdImagePtr im;
-	int ch = 0, col, x, y, i, l = 0;
+	int ch = 0, col, x, y, i;
+	size_t l = 0;
 	unsigned char *str = NULL;
 	zend_object *font_obj = NULL;
 	zend_long font_int = 0;
@@ -4337,7 +4349,9 @@ static void _php_image_output_putc(struct gdIOCtx *ctx, int c) /* {{{ */
 
 static int _php_image_output_putbuf(struct gdIOCtx *ctx, const void* buf, int l) /* {{{ */
 {
-	return php_write((void *)buf, l);
+	size_t written = php_write((void *)buf, l);
+	ZEND_ASSERT(written <= INT_MAX); /* since l <= INT_MAX */
+	return (int) written;
 } /* }}} */
 
 static void _php_image_output_ctxfree(struct gdIOCtx *ctx) /* {{{ */
