add some sanity checks to prevent integer overflows when
allocating memory for big images

http://bugs.gentoo.org/112937

--- gd/gd.c
+++ gd/gd.c
@@ -74,6 +74,10 @@ BGD_DECLARE(gdImagePtr) gdImageCreate (i
   im = (gdImage *) gdMalloc (sizeof (gdImage));
   memset (im, 0, sizeof (gdImage));
   /* Row-major ever since gd 1.3 */
+  if (overflow2(sizeof (unsigned char *), sy)) {
+    gdFree(im);
+    return NULL;
+  }
   im->pixels = (unsigned char **) gdMalloc (sizeof (unsigned char *) * sy);
   im->polyInts = 0;
   im->polyAllocated = 0;
@@ -114,6 +118,10 @@ BGD_DECLARE(gdImagePtr) gdImageCreateTru
   gdImagePtr im;
   im = (gdImage *) gdMalloc (sizeof (gdImage));
   memset (im, 0, sizeof (gdImage));
+  if (overflow2(sizeof (int *), sy)) {
+    gdFree(im);
+    return NULL;
+  }
   im->tpixels = (int **) gdMalloc (sizeof (int *) * sy);
   im->polyInts = 0;
   im->polyAllocated = 0;
@@ -2462,6 +2470,8 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFro
     }
   bytes = (w * h / 8) + 1;
   im = gdImageCreate (w, h);
+  if (!im)
+    return 0;
   gdImageColorAllocate (im, 255, 255, 255);
   gdImageColorAllocate (im, 0, 0, 0);
   x = 0;
--- gd/gd_gd.c
+++ gd/gd_gd.c
@@ -149,6 +149,8 @@ _gdCreateFromFile (gdIOCtx * in, int *sx
     {
       im = gdImageCreate (*sx, *sy);
     }
+  if (!im)
+    goto fail1;
   if (!_gdGetColors (in, im, gd2xFlag))
     {
       goto fail2;