fix(security): resolve CodeQL SM02986 char*/wchar_t* cast warnings (#1602)

Fixes 10 instances of CodeQL security finding SM02986 ('Cast from
char* to wchar_t*') across three shared source files.

Changes:
- core_util.cpp: Use intermediate SQLWCHAR* variable in
  convert_string_from_utf16_inplace to avoid inline cast; add
  clarifying comments for two void*->SQLWCHAR* malloc casts.
- core_stream.cpp: Extract single LPCWSTR intermediate variable before
  #ifdef branches in sqlsrv_stream_read (CP_UTF8 path) with comment
  explaining ODBC fills the buffer as SQL_C_WCHAR even though allocated
  as char*.
- core_stmt.cpp: Remove redundant reinterpret_cast in
  convert_input_str_to_utf16 (str is already char*); add typed
  intermediate variable for SQLPOINTER buffer cast in
  process_string_param; add typed intermediate for SQLWCHAR* cast in
  process_output_string; add clarifying comments for intentional
  SQLWCHAR*->char* binary storage casts.

No behavioral changes. All casts are semantically correct; changes
improve readability and satisfy the static analysis rule.

Verified: BUILD_EXIT_CODE=0 for both sqlsrv and pdo_sqlsrv extensions
against PHP 8.4.14 (VS2022 x64 ZTS).

Author: jahnvi480

source/shared/core_stmt.cpp

@@ -2309,11 +2309,14 @@ bool sqlsrv_param::convert_input_str_to_utf16(_Inout_ sqlsrv_stmt* /*stmt*/, _In
         sqlsrv_malloc_auto_ptr<SQLWCHAR> wide_buffer;
         unsigned int wchar_size = 0;
 
-        wide_buffer = utf16_string_from_mbcs_string(encoding, reinterpret_cast<const char*>(str), static_cast<int>(str_length), &wchar_size, true);
+        // Convert input string to UTF-16. 'str' is already char* so no recast needed here.
+        wide_buffer = utf16_string_from_mbcs_string(encoding, str, static_cast<int>(str_length), &wchar_size, true);
         if (wide_buffer == 0) {
             return false;
         }
         wide_buffer[wchar_size] = L'\0';
+        // Store UTF-16 data as binary in zval. Casting SQLWCHAR* to char* is intentional for storing
+        // raw binary wide character data with length in bytes (wchar_size * sizeof(SQLWCHAR)).
         core::sqlsrv_zval_stringl(&placeholder_z, reinterpret_cast<char*>(wide_buffer.get()), wchar_size * sizeof(SQLWCHAR));
     } else {
         // If the string is empty, then nothing needs to be done
@@ -2747,11 +2750,15 @@ void sqlsrv_param_inout::process_string_param(_Inout_ sqlsrv_stmt* stmt, _Inout_
             sqlsrv_malloc_auto_ptr<SQLWCHAR> wide_buffer;
             unsigned int wchar_size = 0;
 
-            wide_buffer = utf16_string_from_mbcs_string(SQLSRV_ENCODING_UTF8, reinterpret_cast<const char*>(buffer), static_cast<int>(buffer_length), &wchar_size);
+            // buffer is SQLPOINTER (void*) holding UTF-8 char data from Z_STRVAL_P. Cast to const char* is safe here.
+            const char* char_buffer = reinterpret_cast<const char*>(buffer);
+            wide_buffer = utf16_string_from_mbcs_string(SQLSRV_ENCODING_UTF8, char_buffer, static_cast<int>(buffer_length), &wchar_size);
             CHECK_CUSTOM_ERROR(wide_buffer == 0, stmt, SQLSRV_ERROR_INPUT_PARAM_ENCODING_TRANSLATE, param_pos + 1, get_last_error_message(), NULL) {
                 throw core::CoreException();
             }
             wide_buffer[wchar_size] = L'\0';
+            // Store UTF-16 data as binary in zval. Casting SQLWCHAR* to char* is intentional for storing
+            // raw binary wide character data with length in bytes (wchar_size * sizeof(SQLWCHAR)).
             core::sqlsrv_zval_stringl(param_z, reinterpret_cast<char*>(wide_buffer.get()), wchar_size * sizeof(SQLWCHAR));
             buffer = Z_STRVAL_P(param_z);
             buffer_length = Z_STRLEN_P(param_z);
@@ -2904,7 +2911,10 @@ void sqlsrv_param_inout::finalize_output_string()
             char* outString = NULL;
             SQLLEN outLen = 0;
 
-            bool result = convert_string_from_utf16(encoding, reinterpret_cast<const SQLWCHAR*>(str), int(str_len / sizeof(SQLWCHAR)), &outString, outLen);
+            // When encoding is UTF-8 or SYSTEM, ODBC returns data as UTF-16 wide characters
+            // in the output parameter buffer. ODBC guarantees proper alignment and valid UTF-16 data.
+            const SQLWCHAR* wide_str = reinterpret_cast<const SQLWCHAR*>(str);
+            bool result = convert_string_from_utf16(encoding, wide_str, int(str_len / sizeof(SQLWCHAR)), &outString, outLen);
             CHECK_CUSTOM_ERROR(!result, stmt, SQLSRV_ERROR_OUTPUT_PARAM_ENCODING_TRANSLATE, get_last_error_message(), NULL) {
                 throw core::CoreException();
             }

source/shared/core_stream.cpp

@@ -200,11 +200,15 @@ size_t sqlsrv_stream_read(_Inout_ php_stream* stream, _Out_writes_bytes_(count)
                throw core::CoreException();
            }
 
+// When encoding is UTF-8, SQLGetData fills temp_buf with UTF-16 wide character data (SQL_C_WCHAR).
+            // The buffer is allocated as char* but contains properly aligned UTF-16 data from ODBC.
+            // Reinterpret as LPCWSTR for conversion functions. This is safe because ODBC guarantees proper alignment.
+            const LPCWSTR wide_buffer = reinterpret_cast<LPCWSTR>( temp_buf.get() );
 #ifndef _WIN32
-            int enc_len = SystemLocale::FromUtf16( ss->encoding, reinterpret_cast<LPCWSTR>( temp_buf.get() ),
+            int enc_len = SystemLocale::FromUtf16( ss->encoding, wide_buffer,
                                                    static_cast<int>(read >> 1), buf, static_cast<int>(count), NULL, NULL );
 #else
-            int enc_len = WideCharToMultiByte( ss->encoding, flags, reinterpret_cast<LPCWSTR>( temp_buf.get() ),
+            int enc_len = WideCharToMultiByte( ss->encoding, flags, wide_buffer,
                                                static_cast<int>(read >> 1), buf, static_cast<int>(count), NULL, NULL );
 #endif // !_WIN32
             if( enc_len == 0 ) {

source/shared/core_util.cpp

@@ -106,7 +106,10 @@ bool convert_string_from_utf16_inplace( _In_ SQLSRV_ENCODING encoding, _Inout_up
     char* outString = NULL;
     SQLLEN outLen = 0;
 
-    bool result = convert_string_from_utf16( encoding, reinterpret_cast<const SQLWCHAR*>(*string), int(len / sizeof(SQLWCHAR)), &outString, outLen );
+    // The string buffer contains UTF-16 encoded data. Reinterpret as SQLWCHAR* for conversion.
+    // This is safe because the caller ensures the buffer contains valid UTF-16 data.
+    const SQLWCHAR* wide_str = reinterpret_cast<const SQLWCHAR*>(*string);
+    bool result = convert_string_from_utf16( encoding, wide_str, int(len / sizeof(SQLWCHAR)), &outString, outLen );
 
     if (result)
     {
@@ -202,6 +205,7 @@ SQLWCHAR* utf16_string_from_mbcs_string( _In_ SQLSRV_ENCODING php_encoding, _In_
                                         _Out_ unsigned int* utf16_len, bool use_strict_conversion )
 {
     *utf16_len = (mbcs_len + 1);
+    // Allocate buffer for UTF-16 string. Cast from void* (malloc result) to SQLWCHAR* is safe as it's freshly allocated memory.
     SQLWCHAR* utf16_string = reinterpret_cast<SQLWCHAR*>( sqlsrv_malloc( *utf16_len * sizeof( SQLWCHAR )));
     *utf16_len = convert_string_from_default_encoding( php_encoding, mbcs_string, mbcs_len, utf16_string, *utf16_len, use_strict_conversion );
 
@@ -318,6 +322,7 @@ bool core_sqlsrv_get_odbc_error( _Inout_ sqlsrv_context& ctx, _In_ SQLSMALLINT r
                 SQLSMALLINT expected_len = wmessage_len * sizeof(SQLWCHAR);
                 SQLSMALLINT returned_len = 0;
 
+                // Allocate buffer for ODBC error message in UTF-16. Cast from void* to SQLWCHAR* is safe for freshly allocated memory.
                 wnative_message_str = reinterpret_cast<SQLWCHAR*>(sqlsrv_malloc(expected_len));
                 memset(wnative_message_str, '\0', expected_len);