Fix GH-22121: double-free in gdImageSetStyle() after overflow early return

[iliaal]

gdImageSetStyle (ext/gd/libgd/gd.c:2880) frees im->style before calling overflow2(). When the overflow check trips and the function returns, im->style is left dangling and the next gdImageSetStyle, gdImageDestroy, or gdImageSetPixel gdStyled/gdStyledBrushed dispatch frees or dereferences it.

Move the overflow check above the free to match upstream libgd (libgd/libgd src/gd.c::gdImageSetStyle), which has always had the check first. The divergence was an oversight in 77ba248 when the overflow check was ported from libgd 2.0.29.

Fixes php#22121

[devnexen]

Thanks @iliaal do not forget to upstream this fix, there is a sliver of hope seemingly someone is taking charge over there ;)

[iliaal]

Thanks @iliaal do not forget to upstream this fix, there is a sliver of hope seemingly someone is taking charge over there ;)

You are too quick, I am still testing :) Yeah, I'll do PR to GD upstream too once CI/CD confirms this works

[iliaal]

Thanks @iliaal do not forget to upstream this fix, there is a sliver of hope seemingly someone is taking charge over there ;)

Actually this is a result of a bad port from 2016, upstream actually does things correctly, so doing a correct sync.

[iliaal]

Submitted upstream as php#22125. Closing this staging PR.

[devnexen]

nice but by upstream, I meant this repository (and need to come up with a C reproducer).

[iliaal]

Upstream (GD) doesn't have the problem, because it does overflow check before the free, the issue was only in PHP

[devnexen]

ah I missed your previous comment, sorry. Yes indeed upstream gd is correct.