Memory overrun in gd_interpolation.c
gdImageScaleTwoPass() in gd_interpolation.c constructs an array of data structures containing arrays of weights used for interpolating the pixel values. Unfortunately, the arrays of weights are sometimes smaller than their parent structure reports, resulting in reads past the ends of the arrays.
This seems to be harmless most of the time since (I think) malloc() on Linux adds extra space to the end of the array and leaves it initialized to zero.
To detect it, first apply the attached patch ("window-assert.patch"). This puts an assert in front of the array access, so the program dies if the index is larger than the array.
The attached program 'membug.c' tickles the bug. If you compile and run it (or just run it as a shell script), it will trigger the assertion by resizing an image.
(I also have a fix for this; the pull request will be submitted in about five minutes.)
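As an added illustration (not the report's membug.c or window-assert.patch, and not libgd's code), a constructed C model of the pattern described above: a weights capacity computed once from the scale ratio, a per-pixel window computed with floor/ceil, a bounds-checked accessor that performs the same test as the assert but reports it, and an audit pass that counts windows larger than their arrays. The truncating capacity formula, the filter support and the image sizes are assumptions chosen so the mismatch appears.

```c
/* Constructed model of the weights table the report describes: one contrib_t per
 * destination pixel, with a window [left,right] of source pixels and a weights
 * array of 'capacity' entries. Not libgd's code. */
#include <stdlib.h>

typedef struct {
    double *weights;    /* allocated with 'capacity' entries */
    int left, right;    /* inclusive window of contributing source pixels */
    int capacity;       /* entries actually allocated: the only safe bound */
} contrib_t;

/* int floor/ceil without libm */
static int ifloor(double x) { int i = (int)x; return x < i ? i - 1 : i; }
static int iceil(double x)  { int i = (int)x; return x > i ? i + 1 : i; }

/* Entries the window claims to need; an overrun is when this exceeds capacity. */
static int window_len(const contrib_t *c) { return c->right - c->left + 1; }

/* Bounds-checked read: the test the assert patch makes before each access,
 * reported to the caller instead of aborting. Returns 0 if i is out of range. */
static int weight_at(const contrib_t *c, int i, double *out)
{
    if (i < 0 || i >= c->capacity) return 0;
    *out = c->weights[i];
    return 1;
}

/* Build one row for scaling src_len -> dst_len pixels. Capacity is fixed once from
 * the scale ratio, each window per pixel; truncate_capacity != 0 truncates instead
 * of rounding up (assumed formula), enough to reproduce the mismatch. */
static contrib_t *build_row(int src_len, int dst_len, double support, int truncate_capacity)
{
    double ratio = (double)src_len / dst_len, width = support * ratio;
    int capacity = truncate_capacity ? (int)(2 * width) + 1 : 2 * iceil(width) + 1;
    contrib_t *row = calloc((size_t)dst_len, sizeof *row);
    for (int i = 0; i < dst_len; i++) {
        double center = (i + 0.5) * ratio - 0.5;
        int left = ifloor(center - width), right = iceil(center + width);
        row[i].left = left < 0 ? 0 : left;
        row[i].right = right >= src_len ? src_len - 1 : right;
        row[i].capacity = capacity;
        row[i].weights = calloc((size_t)capacity, sizeof(double));
    }
    return row;
}

static void free_row(contrib_t *row, int n) { for (int i = 0; i < n; i++) free(row[i].weights); free(row); }

/* Audit pass: count rows whose window would index past its weights array. */
static int count_overruns(int src_len, int dst_len, double support, int truncate_capacity)
{
    contrib_t *row = build_row(src_len, dst_len, support, truncate_capacity);
    int bad = 0;
    for (int i = 0; i < dst_len; i++) if (window_len(&row[i]) > row[i].capacity) bad++;
    free_row(row, dst_len);
    return bad;
}
```

With the sizes in the test (20 source pixels scaled to 8, support 1.5) the truncated capacity is 8 while four windows need 9 entries, which is exactly the condition the assert patch turns into a crash instead of a silent read past the array.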