Backported for 5.4 from 5.5.35 by Remi Collet
Binary diff removed

From b15f0ecc0f34364fd7ce924b4164be4e8198ff93 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Mon, 18 Apr 2016 22:20:22 -0700
Subject: [PATCH] Fix for bug #71912 (libgd: signedness vulnerability)

---
 ext/gd/libgd/gd_gd2.c             |   3 +++
 ext/gd/tests/bug71912.phpt        |  16 ++++++++++++++++
 ext/gd/tests/invalid_neg_size.gd2 | Bin 0 -> 1676 bytes
 3 files changed, 19 insertions(+)
 create mode 100644 ext/gd/tests/bug71912.phpt
 create mode 100644 ext/gd/tests/invalid_neg_size.gd2

diff --git a/ext/gd/libgd/gd_gd2.c b/ext/gd/libgd/gd_gd2.c
index efc6ef4..1794ca9 100644
--- a/ext/gd/libgd/gd_gd2.c
+++ b/ext/gd/libgd/gd_gd2.c
@@ -150,6 +150,9 @@ static int _gd2GetHeader(gdIOCtxPtr in, int *sx, int *sy, int *cs, int *vers, in
 			if (gdGetInt(&cidx[i].size, in) != 1) {
 				goto fail1;
 			}
+			if (cidx[i].offset < 0 || cidx[i].size < 0) {
+				goto fail1;
+			}
 		}
 		*chunkIdx = cidx;
 	}

From 61c7a06e7c19d9b408db1129efa0959a0acbf0b1 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Tue, 26 Apr 2016 22:54:58 -0700
Subject: [PATCH] Fix memory leak

---
 ext/gd/libgd/gd_gd2.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/ext/gd/libgd/gd_gd2.c b/ext/gd/libgd/gd_gd2.c
index 1794ca9..6726fee 100644
--- a/ext/gd/libgd/gd_gd2.c
+++ b/ext/gd/libgd/gd_gd2.c
@@ -145,12 +145,15 @@ static int _gd2GetHeader(gdIOCtxPtr in, int *sx, int *sy, int *cs, int *vers, in
 		cidx = gdCalloc(sidx, 1);
 		for (i = 0; i < nc; i++) {
 			if (gdGetInt(&cidx[i].offset, in) != 1) {
+				gdFree(cidx);
 				goto fail1;
 			}
 			if (gdGetInt(&cidx[i].size, in) != 1) {
+				gdFree(cidx);
 				goto fail1;
 			}
 			if (cidx[i].offset < 0 || cidx[i].size < 0) {
+				gdFree(cidx);
 				goto fail1;
 			}
 		}