--- libgd2-2.0.33.orig/gd.c
+++ libgd2-2.0.33/gd.c
@@ -7,6 +7,7 @@
 #include
 #include
 /* 2.03: don't include zlib here or we can't build without PNG */
+#include
 #include "gd.h"
 #include "gdhelpers.h"
@@ -74,7 +75,11 @@
 im = (gdImage *) gdMalloc (sizeof (gdImage));
 memset (im, 0, sizeof (gdImage));
 /* Row-major ever since gd 1.3 */
- im->pixels = (unsigned char **) gdMalloc (sizeof (unsigned char *) * sy);
+ if (sy >= INT_MAX/sizeof (unsigned char *) ||
+ (im->pixels = (unsigned char **) gdMalloc (sizeof (unsigned char *) * sy)) == NULL) {
+ gdFree(im);
+ return NULL;
+ }
 im->polyInts = 0;
 im->polyAllocated = 0;
 im->brush = 0;
@@ -2462,6 +2467,8 @@
 }
 bytes = (w * h / 8) + 1;
 im = gdImageCreate (w, h);
+ if (!im)
+ return 0;
 gdImageColorAllocate (im, 255, 255, 255);
 gdImageColorAllocate (im, 0, 0, 0);
 x = 0;
@@ -2600,6 +2607,8 @@
 {
 im->polyAllocated *= 2;
 }
+ if (im->polyAllocated >= INT_MAX/sizeof (int))
+ return;
 im->polyInts = (int *) gdRealloc (im->polyInts,
 sizeof (int) * im->polyAllocated);
 }
--- libgd2-2.0.33.orig/gd_gd.c
+++ libgd2-2.0.33/gd_gd.c
@@ -149,6 +149,10 @@
 {
 im = gdImageCreate (*sx, *sy);
 }
+
+ if (!im)
+ goto fail1;
+
 if (!_gdGetColors (in, im, gd2xFlag))
 {
 goto fail2;
--- libgd2-2.0.33.orig/gd_io_dp.c
+++ libgd2-2.0.33/gd_io_dp.c
@@ -23,6 +23,7 @@
 #include
 #include
 #include
+#include
 #include "gd.h"
 #include "gdhelpers.h"
@@ -202,7 +203,8 @@
 if (overflow2(dp->realSize, 2)) {
 return FALSE;
 }
- if (!gdReallocDynamic (dp, dp->realSize * 2))
+ if (bytesNeeded >= INT_MAX/2 ||
+ !gdReallocDynamic (dp, bytesNeeded * 2))
 {
 dp->dataGood = FALSE;
 return FALSE;
--- libgd2-2.0.33.orig/gd_png.c
+++ libgd2-2.0.33/gd_png.c
@@ -6,6 +6,8 @@
 #include
 #include
 #include
+#include
+
 #include "gd.h"
 /* JCE: Arrange HAVE_LIBPNG so that it can be set in gd.h */
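Review bot: The NULL check added for im->pixels stops two lines short: `im` itself comes from `gdMalloc (sizeof (gdImage))` and is passed to memset and then written through without being tested, so unless gdMalloc aborts on failure the out-of-memory case this hunk hardens still dereferences NULL one allocation earlier. Adding `if (im == NULL) return NULL;` between the gdMalloc and the memset gives the whole constructor one failure convention. The `sy` guard also relies on the int-to-size_t conversion to reject negative values; a comment such as `/* a negative sy converts to a huge size_t and is rejected here too */` would spare the next reader the same derivation. The per-row allocations that follow and the start of the enclosing function are outside the hunk.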
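Review bot: The `w * h / 8` on the line above the new NULL check is still unguarded signed arithmetic, so large dimension values parsed earlier (outside the hunk, presumably from the XBM header) can overflow `w * h` before gdImageCreate gets a chance to reject anything. A range check ahead of the computation, `if (w <= 0 || h <= 0 || w > INT_MAX / h) return 0;`, keeps `bytes` well-defined and turns the new `if (!im) return 0;` into the rare path rather than the one carrying the overflow. INT_MAX is available here once this patch's first hunk lands.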
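Review bot: The new `return;` fires after the loop has already doubled `im->polyAllocated`, so on that path the image is left claiming a capacity its `im->polyInts` buffer does not have; a later call that finds polyAllocated large enough will skip the grow step and index past the real allocation. The gdRealloc result on the following line is also stored unchecked, which on failure overwrites the only pointer to the old buffer. Grow a local copy instead, run the limit check on it, and commit polyInts and polyAllocated together only after a successful realloc; the loop head and the function's start are outside the hunk, so the rewrite below assumes the head compares the capacity against the required count and must be changed to test the local.
```c
  /* … unchanged: `int wanted = im->polyAllocated;` declared before the loop, loop head (outside the hunk) now tests `wanted` … */
    {
      if (wanted > INT_MAX / 2)
        return;                 /* doubling would overflow int */
      wanted *= 2;
    }
  if (wanted >= INT_MAX/sizeof (int))
    return;
  int *tmp = (int *) gdRealloc (im->polyInts, sizeof (int) * wanted);
  if (tmp == NULL)
    return;                     /* old buffer and old capacity stay consistent */
  im->polyInts = tmp;
  im->polyAllocated = wanted;
```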
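Review bot: The realloc now grows to `bytesNeeded * 2`, but the `overflow2(dp->realSize, 2)` check kept as context three lines up still vets the old multiplicand, so the hunk leaves one overflow idiom guarding a product that is no longer computed and an ad-hoc `INT_MAX/2` comparison guarding the one that is. Assuming overflow2 reports int multiplication overflow as its name suggests, pointing it at the new operand, `if (overflow2(bytesNeeded, 2)) return FALSE;`, and dropping the `bytesNeeded >= INT_MAX/2 ||` clause keeps a single convention and makes the realSize check plainly redundant rather than misleading. The enclosing function begins and ends outside the hunk, so whether bytesNeeded is already known to exceed realSize at this point is not visible.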
@@ -188,6 +190,9 @@
 png_get_IHDR (png_ptr, info_ptr, &width, &height, &bit_depth, &color_type, &interlace_type, NULL, NULL);
+ if (width >= INT_MAX/sizeof (int) ||
+ width*sizeof (int) >= INT_MAX/height)
+ return NULL;
 if ((color_type == PNG_COLOR_TYPE_RGB) ||
 (color_type == PNG_COLOR_TYPE_RGB_ALPHA))
 {
--- libgd2-2.0.33.orig/gdxpm.c
+++ libgd2-2.0.33/gdxpm.c
@@ -12,6 +12,7 @@
 #include
 #include
+#include
 #include
 #include "gd.h"
 #include "gdhelpers.h"
@@ -47,6 +48,10 @@
 return 0;
 number = image.ncolors;
+
+ if (number >= INT_MAX/sizeof (int))
+ return (0);
+
 colors = (int *) gdMalloc (sizeof (int) * number);
 if (colors == NULL)
 return (0);
--- libgd2-2.0.33.orig/wbmp.c
+++ libgd2-2.0.33/wbmp.c
@@ -17,6 +17,7 @@
 #include
 #include
 #include
+#include
 #include "wbmp.h"
 #include "gd.h"
@@ -127,8 +128,10 @@
 gdFree(wbmp);
 return NULL;
 }
- if ((wbmp->bitmap =
- (int *) gdMalloc (sizeof (int) * width * height)) == NULL)
+
+ if (width >= INT_MAX/sizeof(int) ||
+ width*sizeof(int) >= INT_MAX/height ||
+ (wbmp->bitmap = (int *) gdMalloc (sizeof (int) * width * height)) == NULL)
 {
 gdFree (wbmp);
 return (NULL);
@@ -194,8 +197,9 @@
 gdFree(wbmp);
 return (-1);
 }
- if ((wbmp->bitmap =
- (int *) gdMalloc (sizeof (int) * wbmp->width * wbmp->height)) == NULL)
+ if (wbmp->width >= INT_MAX/sizeof(int) ||
+ wbmp->width*sizeof(int) >= INT_MAX/wbmp->height ||
+ (wbmp->bitmap = (int *) gdMalloc (sizeof (int) * wbmp->width * wbmp->height)) == NULL)
 {
 gdFree (wbmp);
 return (-1);
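Review bot: The new `return NULL;` leaves png_ptr and info_ptr alive: both are already constructed at this point (they are handed to png_get_IHDR on the line above), and the other early exits of this reader presumably tear them down with png_destroy_read_struct before returning, so this path should take the same exit rather than a bare return. The `INT_MAX/height` term also divides by an IHDR field; libpng's IHDR validation is expected to have rejected a zero height before png_get_IHDR succeeds, and a comment stating that reliance, `/* height != 0: libpng rejects a zero-sized IHDR before we get here */`, would make the guard self-explaining. The enclosing function starts and ends outside the hunk.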
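Review bot: The new `return (0)` exits after `image` has been populated (its `ncolors` field is read on the line above) without releasing whatever the libXpm call that filled it allocated, copying the existing early return after gdMalloc rather than the function's normal exit; if that normal exit frees the XpmImage, both early returns leak it and should route through the same cleanup. The hunk also shows `return 0;` and `return (0);` within a few lines of each other; picking one form keeps the file consistent. The enclosing function starts and ends outside the hunk, so the cleanup it performs is inferred, not visible.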
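Review bot: `INT_MAX/height` divides by the caller-supplied height with no zero check visible above it, so a zero height turns a malformed image into a SIGFPE instead of a NULL return; the same expression in the @@ -194 hunk divides by `wbmp->height`, which there comes straight from the file being parsed. Rejecting non-positive dimensions before the arithmetic, `if (width <= 0 || height <= 0) { gdFree (wbmp); return (NULL); }` here and the `-1` form in the second hunk, also closes the signed/unsigned gap where a negative height makes `INT_MAX/height` negative, the size_t comparison pass, and only the eventual allocation failure catches it. Both functions start outside the hunks, so an earlier range check may exist, but neither hunk shows one.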