Fix potential integer overflow detected by oss-fuzz

src/gd.c

@@ -1884,6 +1884,8 @@ BGD_DECLARE(void) gdImageChar (gdImagePtr im, gdFontPtr f, int x, int y, int c,
 	int cx, cy;
 	int px, py;
 	int fline;
+	const int xuppper = (x > INT_MAX - f->w) ? INT_MAX : x + f->w;
+	const int yuppper = (y > INT_MAX - f->h) ? INT_MAX : y + f->h;
 	cx = 0;
 	cy = 0;
 #ifdef CHARSET_EBCDIC
@@ -1893,8 +1895,8 @@ BGD_DECLARE(void) gdImageChar (gdImagePtr im, gdFontPtr f, int x, int y, int c,
 		return;
 	}
 	fline = (c - f->offset) * f->h * f->w;
-	for (py = y; (py < (y + f->h)); py++) {
-		for (px = x; (px < (x + f->w)); px++) {
+	for (py = y; py < yuppper; py++) {
+		for (px = x; px < xuppper; px++) {
 			if (f->data[fline + cy * f->w + cx]) {
 				gdImageSetPixel (im, px, py, color);
 			}
@@ -1913,6 +1915,8 @@ BGD_DECLARE(void) gdImageCharUp (gdImagePtr im, gdFontPtr f, int x, int y, int c
 	int cx, cy;
 	int px, py;
 	int fline;
+	const int xuppper = (x > INT_MAX - f->h) ? INT_MAX : x + f->h;
+	const int ylower = (y < INT_MIN + f->w) ? INT_MIN : y - f->w;
 	cx = 0;
 	cy = 0;
 #ifdef CHARSET_EBCDIC
@@ -1922,8 +1926,8 @@ BGD_DECLARE(void) gdImageCharUp (gdImagePtr im, gdFontPtr f, int x, int y, int c
 		return;
 	}
 	fline = (c - f->offset) * f->h * f->w;
-	for (py = y; (py > (y - f->w)); py--) {
-		for (px = x; (px < (x + f->h)); px++) {
+	for (py = y; py > ylower; py--) {
+		for (px = x; px < xuppper; px++) {
 			if (f->data[fline + cy * f->w + cx]) {
 				gdImageSetPixel (im, px, py, color);
 			}