Fix GH-22121: double-free in gdImageSetStyle() after overflow early return

gdImageSetStyle freed im->style before checking overflow2(). When the
overflow check tripped and the function early-returned, im->style was
left dangling. The next gdImageSetStyle, gdImageDestroy, or
gdImageSetPixel gdStyled/gdStyledBrushed dispatch then freed or
dereferenced it. Move the overflow check above the free to match
upstream libgd (libgd/libgd src/gd.c::gdImageSetStyle), which has
always had the check first. The original divergence was an oversight
in 77ba248 when the overflow check was ported from libgd 2.0.29.

Fixes GH-22121

Author: iliaal

ext/gd/libgd/gd.c

@@ -2879,12 +2879,12 @@ void gdImageFilledPolygon (gdImagePtr im, gdPointPtr p, int n, int c)
 
 void gdImageSetStyle (gdImagePtr im, int *style, int noOfPixels)
 {
-	if (im->style) {
-		gdFree(im->style);
-	}
 	if (overflow2(sizeof (int), noOfPixels)) {
 		return;
 	}
+	if (im->style) {
+		gdFree(im->style);
+	}
 	im->style = (int *) gdMalloc(sizeof(int) * noOfPixels);
 	memcpy(im->style, style, sizeof(int) * noOfPixels);
 	im->styleLength = noOfPixels;

ext/gd/tests/gh22121.phpt

@@ -0,0 +1,23 @@
+--TEST--
+GH-22121 (Double free in gdImageSetStyle() after overflow-triggered early return)
+--EXTENSIONS--
+gd
+--INI--
+memory_limit=-1
+--SKIPIF--
+<?php
+if (!getenv('RUN_RESOURCE_HEAVY_TESTS')) die('skip resource-heavy test');
+if (PHP_INT_SIZE < 8) die('skip 64-bit only (allocates ~10 GiB)');
+?>
+--FILE--
+<?php
+$im = imagecreatetruecolor(1, 1);
+imagesetstyle($im, [0]);
+imagesetstyle($im, array_fill(0, 536870912, 0));
+unset($im);
+echo "no double free\n";
+?>
+--EXPECTF--
+Warning: imagesetstyle(): Product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully
+ in %s on line %d
+no double free