Merge branch 'PHP-8.4' into PHP-8.5

* PHP-8.4:
  Fix GH-22121: double-free in gdImageSetStyle() after overflow early return

Author: iliaal

NEWS

@@ -2,6 +2,10 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 8.5.8
 
+- GD:
+  . Fixed bug GH-22121 (Double free in gdImageSetStyle() after
+    overflow-triggered early return). (iliaal)
+
 - Zlib:
   . Fixed memory leak if deflate initialization fails and there is a dict.
     (ndossche)

ext/gd/libgd/gd.c

@@ -2879,12 +2879,12 @@ void gdImageFilledPolygon (gdImagePtr im, gdPointPtr p, int n, int c)
 
 void gdImageSetStyle (gdImagePtr im, int *style, int noOfPixels)
 {
-	if (im->style) {
-		gdFree(im->style);
-	}
 	if (overflow2(sizeof (int), noOfPixels)) {
 		return;
 	}
+	if (im->style) {
+		gdFree(im->style);
+	}
 	im->style = (int *) gdMalloc(sizeof(int) * noOfPixels);
 	memcpy(im->style, style, sizeof(int) * noOfPixels);
 	im->styleLength = noOfPixels;