From e2059a4697a63ba82bd0265a9752158b066fb34a Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+ndossche@users.noreply.github.com>
Date: Sun, 21 Dec 2025 01:48:46 +0100
Subject: [PATCH] curl: Don't truncate length

Truncating to an int seems dangerous, esp. in combination with a MIN
macro. I don't see a reason to truncate the length from size_t to int,
and especially no reason to change the signedness.

Closes GH-20747.
---
 NEWS                 | 1 +
 ext/curl/interface.c | 6 +++---
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/NEWS b/NEWS
index 3f9e5c1354d..3c7e82dece6 100644
--- a/NEWS
+++ b/NEWS
@@ -15,6 +15,7 @@ PHP                                                                        NEWS
 - Curl:
   . Fixed bug GH-21023 (CURLOPT_XFERINFOFUNCTION crash with a null callback).
     (David Carlier)
+  . Don't truncate length. (ndossche)
 
 - Date:
   . Fixed bug GH-20936 (DatePeriod::__set_state() cannot handle null start).
diff --git a/ext/curl/interface.c b/ext/curl/interface.c
index 12db566c089..7fc1c77e9a9 100644
--- a/ext/curl/interface.c
+++ b/ext/curl/interface.c
@@ -583,7 +583,7 @@ static size_t curl_write(char *data, size_t size, size_t nmemb, void *ctx)
 			return fwrite(data, size, nmemb, write_handler->fp);
 		case PHP_CURL_RETURN:
 			if (length > 0) {
-				smart_str_appendl(&write_handler->buf, data, (int) length);
+				smart_str_appendl(&write_handler->buf, data, length);
 			}
 			break;
 		case PHP_CURL_USER: {
@@ -860,7 +860,7 @@ static size_t curl_read(char *data, size_t size, size_t nmemb, void *ctx)
 			if (!Z_ISUNDEF(retval)) {
 				_php_curl_verify_handlers(ch, /* reporterror */ true);
 				if (Z_TYPE(retval) == IS_STRING) {
-					length = MIN((size * nmemb), Z_STRLEN(retval));
+					length = MIN(size * nmemb, Z_STRLEN(retval));
 					memcpy(data, Z_STRVAL(retval), length);
 				} else if (Z_TYPE(retval) == IS_LONG) {
 					length = Z_LVAL_P(&retval);
@@ -891,7 +891,7 @@ static size_t curl_write_header(char *data, size_t size, size_t nmemb, void *ctx
 			/* Handle special case write when we're returning the entire transfer
 			 */
 			if (ch->handlers.write->method == PHP_CURL_RETURN && length > 0) {
-				smart_str_appendl(&ch->handlers.write->buf, data, (int) length);
+				smart_str_appendl(&ch->handlers.write->buf, data, length);
 			} else {
 				PHPWRITE(data, length);
 			}