--- gd-2.0.33/gd.c
+++ gd-2.0.33/gd.c
@@ -133,9 +112,27 @@
 BGD_DECLARE(gdImagePtr) gdImageCreateTrueColor (int sx, int sy)
 {
 int i;
 gdImagePtr im;
+
+ if (overflow2(sx, sy)) {
+ return NULL;
+ }
+
+ if (overflow2(sizeof (int *), sy)) {
+ return 0;
+ }
+
+ if (overflow2(sizeof(int), sx)) {
+ return NULL;
+ }
+
 im = (gdImage *) gdMalloc (sizeof (gdImage));
 memset (im, 0, sizeof (gdImage));
+ im->tpixels = (int **) gdMalloc (sizeof (int *) * sy);
+ if (!im->tpixels) {
+ gdFree(im);
+ return NULL;
+ }
 im->polyInts = 0;
 im->polyAllocated = 0;
 im->brush = 0;
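Review bot: The result of `gdMalloc (sizeof (gdImage))` is still passed to `memset` unchecked, so an allocation failure dereferences NULL right after the new overflow guards. Add `if (!im) { return NULL; }` before the `memset`, matching the check this hunk adds for `im->tpixels`. The second guard returns `0` where the other two return `NULL`; `return NULL;` would keep the three consistent. Whether `overflow2` also rejects zero or negative `sx`/`sy` is not visible here, so confirm that before relying on it for the `sizeof (int *) * sy` multiplication. The function body continues past the hunk, so the per-row allocations that the third guard presumably protects cannot be reviewed from here.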