Check that image width shown in SOF doesn't exceed what libtiff has allocated based on ImageWidth. Patch from upstream bug http://bugzilla.maptools.org/show_bug.cgi?id=1999
diff -Naur tiff-3.9.4.orig/libtiff/tif_ojpeg.c tiff-3.9.4/libtiff/tif_ojpeg.c
--- tiff-3.9.4.orig/libtiff/tif_ojpeg.c 2010-06-08 19:29:51.000000000 -0400
+++ tiff-3.9.4/libtiff/tif_ojpeg.c 2011-04-13 11:38:55.486008471 -0400
@@ -1537,7 +1537,6 @@
 OJPEGReadSkip(sp,4);
 else
 {
- /* TODO: probably best to also add check on allowed upper bound, especially x, may cause buffer overflow otherwise i think */
 /* Y: Number of lines */
 if (OJPEGReadWord(sp,&p)==0)
 return(0);
@@ -1555,6 +1554,11 @@
 TIFFErrorExt(tif->tif_clientdata,module,"JPEG compressed data indicates unexpected width");
 return(0);
 }
+ if ((uint32)p>sp->strile_width)
+ {
+ TIFFErrorExt(tif->tif_clientdata,module,"JPEG compressed data image width exceeds expected image width");
+ return(0);
+ }
 sp->sof_x=p;
 }
 /* Nf: Number of image components in frame */
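Review bot: The new width guard in the second hunk carries no comment saying why `sp->strile_width` is the bound, and the first hunk deletes the TODO that asked for upper bounds in general ("especially x") although only X is bounded here. Above the check I would add `/* buffers are sized from the TIFF ImageWidth, so a larger SOF width would overrun them */`, which is the rationale the patch description gives. The Y value read in the first hunk gets no upper-bound check in the visible lines. The enclosing function continues outside both hunks, so if no such check exists further down, keep a narrowed note such as `/* TODO: check upper bound on Y (number of lines) */` instead of dropping the TODO entirely.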