$NetBSD: patch-as,v 1.1.2.2 2004/10/18 17:03:48 agc Exp $

--- libtiff/tif_next.c.orig	2003-07-11 08:25:25.000000000 +0200
+++ libtiff/tif_next.c	2004-10-18 16:25:32.000000000 +0200
@@ -87,7 +87,7 @@
 			 */
 			off = (bp[0] * 256) + bp[1];
 			n = (bp[2] * 256) + bp[3];
-			if (cc < 4+n)
+			if (cc < 4+n || off+n > scanline)
 				goto bad;
 			_TIFFmemcpy(row+off, bp+4, n);
 			bp += 4+n;
