--- /dev/null
+diff -u gd-2.0.28/gd.c gd-2.0.28/gd.c
+--- gd-2.0.28/gd.c 2004-11-02 17:47:12.977824069 +0100
++++ gd-2.0.28/gd.c 2006-01-20 11:14:42.000000000 +0100
+@@ -73,6 +73,11 @@
+ gdImagePtr im;
+ im = (gdImage *) gdMalloc (sizeof (gdImage));
+ memset (im, 0, sizeof (gdImage));
++ if (overflow2(sizeof (unsigned char *), sy))
++ {
++ gdFree(im);
++ return NULL;
++ }
+ /* Row-major ever since gd 1.3 */
+ im->pixels = (unsigned char **) gdMalloc (sizeof (unsigned char *) * sy);
+ im->polyInts = 0;
+@@ -2586,6 +2591,9 @@
+ {
+ im->polyAllocated *= 2;
+ }
++ if (overflow2(sizeof (int), im->polyAllocated)) {
++ return;
++ }
+ im->polyInts = (int *) gdRealloc (im->polyInts,
+ sizeof (int) * im->polyAllocated);
+ }
+only in patch2:
+unchanged:
+--- gd-2.0.28/gdxpm.c.security 2006-01-20 11:14:52.000000000 +0100
++++ gd-2.0.28/gdxpm.c 2006-01-20 11:15:26.000000000 +0100
+@@ -48,6 +48,9 @@
+ return 0;
+
+ number = image.ncolors;
++ if (overflow2(sizeof (int), number)) {
++ return 0;
++ }
+ colors = (int *) gdMalloc (sizeof (int) * number);
+ if (colors == NULL)
+ return (0);