Fix #81739: OOB read due to insufficient validation in imageloadfont()

If we swap the byte order of the relevant header bytes, we need to make
sure again that the following multiplication does not overflow.

Author: cmb69

ext/gd/gd.c

@@ -1485,6 +1485,12 @@ PHP_FUNCTION(imageloadfont)
 		font->w = FLIPWORD(font->w);
 		font->h = FLIPWORD(font->h);
 		font->nchars = FLIPWORD(font->nchars);
+		if (overflow2(font->nchars, font->h) || overflow2(font->nchars * font->h, font->w )) {
+			php_error_docref(NULL, E_WARNING, "Error reading font, invalid font header");
+			efree(font);
+			php_stream_close(stream);
+			RETURN_FALSE;
+		}
 		body_size = font->w * font->h * font->nchars;
 	}
 
@@ -1495,6 +1501,7 @@ PHP_FUNCTION(imageloadfont)
 		RETURN_FALSE;
 	}
 
+	ZEND_ASSERT(body_size > 0);
 	font->data = emalloc(body_size);
 	b = 0;
 	while (b < body_size && (n = php_stream_read(stream, &font->data[b], body_size - b)) > 0) {

ext/gd/tests/bug81739.phpt

@@ -0,0 +1,24 @@
+--TEST--
+Bug #81739 (OOB read due to insufficient validation in imageloadfont())
+--SKIPIF--
+<?php
+if (!extension_loaded("gd")) die("skip gd extension not available");
+?>
+--FILE--
+<?php
+$s = fopen(__DIR__ . "/font.font", "w");
+// header without character data
+fwrite($s, "\x01\x00\x00\x00\x20\x00\x00\x00\x08\x00\x00\x00\x08\x00\x00\x00");
+fclose($s);
+var_dump(imageloadfont(__DIR__ . "/font.font"));
+?>
+--CLEAN--
+<?php
+@unlink(__DIR__ . "/font.font");
+?>
+--EXPECTF--
+Warning: imageloadfont(): %croduct of memory allocation multiplication would exceed INT_MAX, failing operation gracefully
+ in %s on line %d
+
+Warning: imageloadfont(): Error reading font, invalid font header in %s on line %d
+bool(false)