http://bugzilla.maptools.org/show_bug.cgi?id=2369#c6
Index: libtiff/tif_getimage.c
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_getimage.c,v
retrieving revision 1.78
diff -r1.78 tif_getimage.c
694a695
> tmsize_t bufsize;
702c703,708
< buf = (unsigned char*) _TIFFmalloc((alpha?4:3)*tilesize);
---
> bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,tilesize);
> if (bufsize == 0) {
> TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtTileSeparate");
> return (0);
> }
> buf = (unsigned char*) _TIFFmalloc(bufsize);
707c713
< _TIFFmemset(buf, 0, (alpha?4:3)*tilesize);
---
> _TIFFmemset(buf, 0, bufsize);
919a926
> tmsize_t bufsize;
925c932,937
< p0 = buf = (unsigned char *)_TIFFmalloc((alpha?4:3)*stripsize);
---
> bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,stripsize);
> if (bufsize == 0) {
> TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtStripSeparate");
> return (0);
> }
> p0 = buf = (unsigned char *)_TIFFmalloc(bufsize);
930c942
< _TIFFmemset(buf, 0, (alpha?4:3)*stripsize);
---
> _TIFFmemset(buf, 0, bufsize);
Index: libtiff/tiffiop.h
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tiffiop.h,v
retrieving revision 1.82
diff -r1.82 tiffiop.h
253c253
< #define TIFFSafeMultiply(t,v,m) ((((t)m != (t)0) && (((t)((v*m)/m)) == (t)v)) ? (t)(v*m) : (t)0)
---
> #define TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && (((t)(((v)*(m))/(m))) == (t)(v))) ? (t)((v)*(m)) : (t)0)
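Review bot: The `bufsize == 0` test in the gtTileSeparate hunk (702c703,708) cannot tell an overflow from a zero `tilesize`, because TIFFSafeMultiply also yields 0 when its last argument is 0, so such a file is logged as "Integer overflow in gtTileSeparate". If a zero size can reach this point (the assignment of `tilesize` is outside the hunk), reject it first with its own message, e.g. `if (tilesize == 0) { /* report a zero tile size */ return (0); }`, or word the message to cover both cases. The same applies to `stripsize` in the gtStripSeparate hunk (925c932,937). Both function bodies begin and end outside the hunks shown.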
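Review bot: The overflow test in the new TIFFSafeMultiply still multiplies first and divides afterwards, so with a signed `t` such as the `tmsize_t` used by the callers in this patch (assuming it is signed, which the diff does not show) the product `(v)*(m)` overflows before the comparison runs; that is undefined behaviour in C and a compiler may fold the check away. A test that divides before multiplying avoids it, e.g. for non-negative operands `(m) != 0 && (v) <= T_MAX / (m)`, where `T_MAX` is a placeholder for the maximum of `t` and would have to be supplied by the caller or by a typed helper function. The macro also evaluates `v` and `m` several times, which a comment above it should state: `/* Returns (t)(v*m), or 0 if m is 0 or the product overflows; v and m are evaluated more than once. */`.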