http://bugzilla.maptools.org/show_bug.cgi?id=2369#c5
Index: libtiff/tif_getimage.c
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_getimage.c,v
retrieving revision 1.63.2.6
diff -r1.63.2.6 tif_getimage.c
675a676
> tsize_t bufsize;
682c683,688
< buf = (unsigned char*) _TIFFmalloc((alpha?4:3)*tilesize);
---
> bufsize = TIFFSafeMultiply(tsize_t,alpha?4:3,tilesize);
> if (bufsize == 0) {
> TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtTileSeparate");
> return (0);
> }
> buf = (unsigned char*) _TIFFmalloc(bufsize);
687c693
< _TIFFmemset(buf, 0, (alpha?4:3)*tilesize);
---
> _TIFFmemset(buf, 0, bufsize);
882a889
> tsize_t bufsize;
888c895,900
< p0 = buf = (unsigned char *)_TIFFmalloc((alpha?4:3)*stripsize);
---
> bufsize = TIFFSafeMultiply(tsize_t,alpha?4:3,stripsize);
> if (bufsize == 0) {
> TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtStripSeparate");
> return (0);
> }
> p0 = buf = (unsigned char *)_TIFFmalloc(bufsize);
893c905
< _TIFFmemset(buf, 0, (alpha?4:3)*stripsize);
---
> _TIFFmemset(buf, 0, bufsize);
Index: libtiff/tiffiop.h
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tiffiop.h,v
retrieving revision 1.51.2.7
diff -r1.51.2.7 tiffiop.h
249c249
< #define TIFFSafeMultiply(t,v,m) ((((t)m != (t)0) && (((t)((v*m)/m)) == (t)v)) ? (t)(v*m) : (t)0)
---
> #define TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && (((t)(((v)*(m))/(m))) == (t)(v))) ? (t)((v)*(m)) : (t)0)
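Review bot: In the gtTileSeparate hunk (682c683,688) the guard rejects only `bufsize == 0`, so a zero `tilesize` is reported as "Integer overflow". If `tsize_t` is a signed type (its definition is not shown here), a negative `tilesize` also satisfies the macro's multiply-then-divide test, and the negative product is passed on to `_TIFFmalloc` and `_TIFFmemset`. I would test `if (bufsize <= 0) {` and word the message so it covers an invalid size as well as overflow. The gtStripSeparate hunk (888c895,900) has the same guard on `stripsize`. Both function bodies start and end outside the hunks, so any earlier validation of `tilesize` or `stripsize` cannot be seen from here.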
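Review bot: The rewritten `TIFFSafeMultiply` in tiffiop.h still detects overflow by multiplying first and dividing back, `((v)*(m))/(m) == (v)`. If the operands are signed, as they would be in the tif_getimage.c callers should `tsize_t` be signed, the overflowing multiplication is undefined behaviour, and an optimising compiler may fold the comparison to true and drop the check. Dividing before multiplying avoids this: compare `(v)` against the type's maximum divided by `(m)`, and only then form the product. Each argument is also expanded several times, so I would add a comment above the macro such as `/* Returns 0 on overflow or when m is 0; v and m are evaluated more than once, so pass side-effect-free expressions. */`.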