Backported for 2.1, without binary patch, from: From 78d83ac76c16d269b538a7cef4120a5fb5177b6d Mon Sep 17 00:00:00 2001 From: Pierre Joye Date: Tue, 28 Jun 2016 16:23:42 +0700 Subject: [PATCH] fix php bug 72339 (CVE-2016-5766), Integer Overflow in _gd2GetHeader() resulting in heap overflow --- src/gd_gd2.c | 5 ++++- tests/gd2/CMakeLists.txt | 1 + tests/gd2/Makemodule.am | 6 ++++-- tests/gd2/php_bug_72339.c | 21 +++++++++++++++++++++ tests/gd2/php_bug_72339_exp.gd2 | Bin 0 -> 67108882 bytes 5 files changed, 30 insertions(+), 3 deletions(-) create mode 100644 tests/gd2/php_bug_72339.c create mode 100644 tests/gd2/php_bug_72339_exp.gd2 diff --git a/src/gd_gd2.c b/src/gd_gd2.c index fd1e0c9..bdbbecf 100644 --- a/src/gd_gd2.c +++ b/src/gd_gd2.c @@ -154,8 +154,11 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy, nc = (*ncx) * (*ncy); GD2_DBG (printf ("Reading %d chunk index entries\n", nc)); sidx = sizeof (t_chunk_info) * nc; + if (overflow2(sidx, nc)) { + goto fail1; + } cidx = gdCalloc (sidx, 1); - if (!cidx) { + if (cidx == NULL) { goto fail1; } for (i = 0; i < nc; i++) {
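Review bot: the new overflow check in the gd_gd2.c hunk guards the wrong product and runs too late: `sidx = sizeof (t_chunk_info) * nc;` has already performed the multiplication whose wrap-around the fix is meant to catch, and `overflow2(sidx, nc)` then tests sidx * nc, a value the code never computes, so an nc large enough to wrap sidx can still reach `cidx = gdCalloc (sidx, 1);` with an undersized allocation. Move the check above the assignment and test the operands that are actually multiplied, e.g. `if (overflow2(sizeof (t_chunk_info), nc)) { goto fail1; }` placed before `sidx = sizeof (t_chunk_info) * nc;`. In the visible context `nc = (*ncx) * (*ncy);` is also unchecked, so either the chunk counts need to be bounded earlier in _gd2GetHeader or that product needs the same guard. The `if (!cidx)` to `if (cidx == NULL)` change is purely stylistic and unrelated to CVE-2016-5766; harmless, but it should not be mixed into a security fix without a mention in the commit message. Lastly, because this backport drops the upstream regression test (tests/gd2/php_bug_72339.c together with its 67108882-byte php_bug_72339_exp.gd2, per the diffstat), the fix lands here without coverage; a test that constructs a GD2 header with oversized chunk counts at test time would exercise the check without shipping a 64 MiB binary.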