File php-4.3.9-CVE-2007-3996.patch of Package php4
--- php-4.3.9/ext/gd/libgd/gd.c.cve3996
+++ php-4.3.9/ext/gd/libgd/gd.c
@@ -2,6 +2,7 @@
 #include <math.h>
 #include <string.h>
 #include <stdlib.h>
+#include <limits.h>
 #include "gd.h"
 #include "gdhelpers.h"
@@ -118,10 +119,35 @@ void php_gd_error(const char *format, ..
 va_end(args);
 }
+static int overflow2(int a, int b)
+{
+ if(a < 0 || b < 0) {
+ php_gd_error("gd warning: one parameter to a memory allocation multiplication is negative, failing operation gracefully\n");
+ return 1;
+ }
+ if(b == 0)
+ return 0;
+ if(a > INT_MAX / b) {
+ php_gd_error("gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully\n");
+ return 1;
+ }
+ return 0;
+}
+
+
 gdImagePtr gdImageCreate (int sx, int sy)
 {
 int i;
 gdImagePtr im;
+
+ if (overflow2(sx, sy)) {
+ return NULL;
+ }
+
+ if (overflow2(sizeof(unsigned char *), sy)) {
+ return NULL;
+ }
+
 im = (gdImage *) gdMalloc(sizeof(gdImage));
 memset(im, 0, sizeof(gdImage));
 /* Row-major ever since gd 1.3 */
@@ -164,6 +190,19 @@ gdImagePtr gdImageCreateTrueColor (int s
 {
 int i;
 gdImagePtr im;
+
+ if (overflow2(sx, sy)) {
+ return NULL;
+ }
+
+ if (overflow2(sizeof(unsigned char *), sy)) {
+ return NULL;
+ }
+
+ if (overflow2(sizeof(int), sx)) {
+ return NULL;
+ }
+
 im = (gdImage *) gdMalloc(sizeof(gdImage));
 memset(im, 0, sizeof(gdImage));
 im->tpixels = (int **) safe_emalloc(sizeof(int *), sy, 0);
@@ -3021,6 +3060,10 @@ void gdImageFilledPolygon (gdImagePtr im
 return;
 }
+ if (overflow2(sizeof(int), n)) {
+ return;
+ }
+
 if (c == gdAntiAliased) {
 fill_color = im->AA_color;
 } else {
@@ -3035,6 +3078,9 @@ void gdImageFilledPolygon (gdImagePtr im
 while (im->polyAllocated < n) {
 im->polyAllocated *= 2;
 }
+ if (overflow2(sizeof(int), im->polyAllocated)) {
+ return;
+ }
 im->polyInts = (int *) gdRealloc(im->polyInts, sizeof(int) * im->polyAllocated);
 }
 miny = p[0].y;
--- php-4.3.9/ext/gd/libgd/gd_gd.c.cve3996
+++ php-4.3.9/ext/gd/libgd/gd_gd.c
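Review bot: The new helper overflow2() in ext/gd/libgd/gd.c has no comment stating its contract, and the call `overflow2(sizeof(unsigned char *), sy)` in gdImageCreate relies on an implicit size_t-to-int conversion of its first argument. I would add above the helper `/* Returns 1 (after logging) if a or b is negative or a * b would exceed INT_MAX; returns 0 when the product fits in an int. */` so callers read a non-zero result as "reject the request". The unchanged `gdMalloc(sizeof(gdImage))` result just below the new checks is handed to memset without a NULL test; whether gdMalloc can return NULL in this build is not visible here. gdImageCreate's body continues outside the hunk.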
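Review bot: In gdImageCreateTrueColor the second guard tests `sizeof(unsigned char *)`, while the allocation it protects, visible in the context lines below it, is `safe_emalloc(sizeof(int *), sy, 0)`. Object pointer sizes match on common platforms, so the check still holds, but it reads as copied from gdImageCreate. Writing it as `if (overflow2(sizeof(int *), sy)) {` keeps the guard tied to the allocation it covers. The per-row allocation that `overflow2(sizeof(int), sx)` presumably guards lies outside the hunk.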
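Review bot: On the new early return in the second gdImageFilledPolygon hunk (@@ -3035), `im->polyAllocated` has already been doubled by the loop above it while `im->polyInts` still points at the old, smaller buffer, so the image keeps a recorded capacity larger than its real one. A later call whose n fits the inflated value would presumably skip the growth branch (its condition is outside the hunk) and index past the allocation. Compute the new capacity in a local and store it in `im->polyAllocated` only after the check has passed and the buffer has been resized. The `overflow2(sizeof(int), n)` guard added in the previous hunk is what keeps the doubling itself from overflowing, which deserves a one-line comment there.

```c
/* … unchanged: enclosing growth condition (outside the hunk) … */
		int grown = im->polyAllocated; /* hoist to the top of the enclosing block if C89 declarations are required */
		while (grown < n) {
			grown *= 2;
		}
		if (overflow2(sizeof(int), grown)) {
			return;
		}
		im->polyInts = (int *) gdRealloc(im->polyInts, sizeof(int) * grown);
		im->polyAllocated = grown;
```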
@@ -123,7 +123,7 @@ static gdImagePtr _gdCreateFromFile (gdI
 } else {
 im = gdImageCreate(*sx, *sy);
 }
- if (!_gdGetColors(in, im, gd2xFlag)) {
+ if (im && !_gdGetColors(in, im, gd2xFlag)) {
 goto fail2;
 }
--- php-4.3.9/ext/gd/gd.c.cve3996
+++ php-4.3.9/ext/gd/gd.c
@@ -746,6 +746,10 @@ PHP_FUNCTION(imagecreatetruecolor)
 im = gdImageCreateTrueColor(Z_LVAL_PP(x_size), Z_LVAL_PP(y_size));
+ if (!im) {
+ RETURN_FALSE;
+ }
+
 ZEND_REGISTER_RESOURCE(return_value, im, le_gd);
 }
 /* }}} */
@@ -1190,6 +1194,10 @@ PHP_FUNCTION(imagecreate)
 im = gdImageCreate(Z_LVAL_PP(x_size), Z_LVAL_PP(y_size));
+ if (!im) {
+ RETURN_FALSE;
+ }
+
 ZEND_REGISTER_RESOURCE(return_value, im, le_gd);
 }
 /* }}} */
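Review bot: In _gdCreateFromFile (gd_gd.c), the `im && ...` condition means a NULL `im` now skips `goto fail2` and falls through to whatever follows the hunk, so the failure path depends on code not visible here handling a NULL image. An explicit guard straight after the creation call, `if (!im) { return NULL; }` (or a jump to the function's existing failure label if cleanup is needed), would make the rejected-dimensions path obvious and leave the `_gdGetColors` test as it was. The function begins and ends outside the hunk.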