Fix #855: crash in gdImageClone after running gdImageFilledPolygon (#856

)

I made the PR for #855. The overflow check is also included.
Similar to the style allocation fix (a93eac0), return dst instead of NULL even if the overflow check fails.

src/gd.c

@@ -2926,7 +2926,8 @@ BGD_DECLARE(gdImagePtr) gdImageClone (gdImagePtr src) {
 		dst->tileColorMap[i] = src->tileColorMap[i];
 	}
 
-	if (src->polyAllocated > 0) {
+	if (src->polyAllocated > 0 && overflow2(sizeof(int), src->polyAllocated) == 0) {
+		dst->polyInts = gdMalloc (sizeof (int) * src->polyAllocated);
 		dst->polyAllocated = src->polyAllocated;
 		for (i = 0; i < src->polyAllocated; i++) {
 			dst->polyInts[i] = src->polyInts[i];

tests/gdimageclone/.gitignore

@@ -1,2 +1,3 @@
 /bug00300
 /style
+/polyInts

tests/gdimageclone/CMakeLists.txt

@@ -1,6 +1,7 @@
 LIST(APPEND TESTS_FILES
 	bug00300
 	style
+	polyInts
 )
 
 ADD_GD_TESTS()

tests/gdimageclone/Makemodule.am

@@ -1,6 +1,7 @@
 libgd_test_programs += \
 	gdimageclone/bug00300 \
-	gdimageclone/style
+	gdimageclone/style \
+	gdimageclone/polyInts
 
 EXTRA_DIST += \
 	gdimageclone/CMakeLists.txt

tests/gdimageclone/polyInts.c

@@ -0,0 +1,32 @@
+/**
+ * Cloning polyInts without crashing
+ */
+
+#include <string.h>
+#include "gd.h"
+#include "gdtest.h"
+
+
+int main()
+{
+	gdImagePtr im, clone;
+	gdPoint pts[] = { {5, 5}, {50, 8}, {80, 4}, {85, 50}, {10, 60} };
+
+	im = gdImageCreateTrueColor(100, 100);
+	gdImageFilledPolygon(im, pts, 3, gdTrueColor(255, 0, 0));
+	clone = gdImageClone(im);
+
+	gdTestAssert(clone != NULL);
+	gdTestAssert(clone->polyAllocated == im->polyAllocated);
+	gdTestAssert(clone->polyInts != NULL);
+	gdTestAssert(!memcmp(clone->polyInts, im->polyInts, clone->polyAllocated * sizeof(clone->polyInts[0])));
+
+	/* test for reallocating clone->polyInts with glImageFilledPolygon */
+	gdImageFilledPolygon(clone, pts, 5, gdTrueColor(255, 0, 255));
+	gdTestAssert(clone->polyAllocated >= 5);
+
+	gdImageDestroy(clone);
+	gdImageDestroy(im);
+
+	return gdNumFailures();
+}