Tk Ticket [822330269b]: int overflow save check from Tk commit

[https://core.tcl-lang.org/tk/vinfo/e129a2efc25f636e?diff=1]
Thanks, Jan !

Author: oehhar

generic/tkImgSVG.c

@@ -602,6 +602,7 @@ RasterizeSVG(
     unsigned char *imgData;
     Tk_PhotoImageBlock svgblock;
     double scale;
+    Tcl_WideUInt wh;
     (void)srcX;
     (void)srcY;
 
@@ -616,13 +617,14 @@ RasterizeSVG(
     }
 
     /* Tk Ticket [822330269b] Check potential int overflow in following ckalloc */
-    if ( w * h < 0 || w * h > INT_MAX / 4) {
+    wh = (Tcl_WideUInt)w * (Tcl_WideUInt)h;
+    if ( w < 0 || h < 0 || wh > INT_MAX / 4) {
 	Tcl_SetObjResult(interp, Tcl_NewStringObj("image size overflow", -1));
 	Tcl_SetErrorCode(interp, "TK", "IMAGE", "SVG", "IMAGE_SIZE_OVERFLOW", NULL);
 	goto cleanRAST;
     }
 
-    imgData = (unsigned char *)attemptckalloc(w * h *4);
+    imgData = (unsigned char *)attemptckalloc(wh * 4);
     if (imgData == NULL) {
 	Tcl_SetObjResult(interp, Tcl_NewStringObj("cannot alloc image buffer", -1));
 	Tcl_SetErrorCode(interp, "TK", "IMAGE", "SVG", "OUT_OF_MEMORY", NULL);