--- libwmf-0.2.8.4/src/extra/gd/gd.c +++ libwmf-0.2.8.4/src/extra/gd/gd.c @@ -65,6 +65,18 @@ { int i; gdImagePtr im; + + if (overflow2(sx, sy)) { + return NULL; + } + + if (overflow2(sizeof (unsigned char *), sy)) { + return NULL; + } + if (overflow2(sizeof (unsigned char), sx)) { + return NULL; + } + im = (gdImage *) gdMalloc (sizeof (gdImage)); memset (im, 0, sizeof (gdImage)); /* Row-major ever since gd 1.3 */