Bugzilla – Bug 65115
VUL-0: CVE-2004-1307: libtiff heap-based buffer overflow
Last modified: 2021-09-28 08:07:47 UTC
Hello Vladimir, we received the following mail from the CERT.

We are investigating reports of a vulnerability in the LibTIFF library concerning an integer overflow in the TIFFFetchStrip() routine that can lead to a heap-based buffer overflow. This issue is publicly documented at:
http://www.idefense.com/application/poi/display?id=173&type=vulnerabilities
http://securitytracker.com/alerts/2004/Dec/1012651.html
We have assigned the tracking number VU#539110 to this issue. Since this issue is public, we have already drafted a vulnerability note addressing it. The note is publicly available at:
http://www.kb.cert.org/vuls/id/539110

iDEFENSE associates this issue with CAN-2004-1307, which doesn't contain any data. However, the iDEFENSE advisory boils down to this part from Dmitry's patch:

@@ -62,9 +62,14 @@ static void ChopUpSingleUncompressedStrip(TIFF*); static char * -CheckMalloc(TIFF* tif, tsize_t n, const char* what) +CheckMalloc(TIFF* tif, size_t nmemb, size_t elem_size, const char* what) { - char *cp = (char*)_TIFFmalloc(n); + char *cp = NULL; + tsize_t bytes = nmemb * elem_size; + + if (elem_size && bytes / elem_size == nmemb) + cp = (char*)_TIFFmalloc(bytes); + if (cp == NULL) TIFFError(tif->tif_name, "No space %s", what); return (cp);
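Review bot: The overflow check in the CheckMalloc hunk validates the wrong value: `tsize_t bytes = nmemb * elem_size;` computes the product in size_t and then narrows it to tsize_t, and only afterwards does `bytes / elem_size == nmemb` test it, so the division round-trip is run on the narrowed (and, if tsize_t is signed, possibly negative) value rather than on the product itself. Compute and check in size_t first, then verify the result fits tsize_t before narrowing, for example `if (elem_size && nmemb <= ((size_t)-1) / elem_size && nmemb * elem_size <= (size_t)max_tsize)`, with max_tsize the largest positive tsize_t. Also worth noting in the patch description: the new `elem_size &&` guard turns a zero element size into the "No space" error path, which is a behaviour change for any caller that previously passed n == 0 and expected a non-NULL result from _TIFFmalloc.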
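The comment above describes the bug class behind this CVE: a count read from the file is multiplied by an element size with no overflow check, the product wraps, and a heap buffer far smaller than the number of elements later written into it is allocated. The following is an added example, not libtiff code and not part of the original bug report; it shows the unchecked size computation beside a hardened version written in the spirit of the CheckMalloc patch, applied to a constructed strip-offset table. The `tsize_t` typedef as a signed 32-bit integer is an assumption about the libtiff of that era, and the helper names and strip counts are constructed for the example.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumption: libtiff 3.x declares tsize_t as a signed 32-bit integer. */
typedef int32_t tsize_t;

/*
 * Vulnerable pattern: count * element size computed with no overflow check.
 * A crafted count makes the product wrap, so the size handed to the
 * allocator is far smaller than the number of elements written later.
 */
static size_t unchecked_bytes(size_t nmemb, size_t elem_size)
{
    return nmemb * elem_size;
}

/*
 * Hardened pattern in the spirit of the CheckMalloc patch quoted above.
 * The multiplication is validated in size_t before any narrowing, and the
 * result is then checked to fit tsize_t, the type _TIFFmalloc() takes.
 * Returns 1 and stores the byte count on success, 0 on any overflow.
 */
static int checked_bytes(size_t nmemb, size_t elem_size, tsize_t *out)
{
    if (elem_size == 0)
        return 0;                       /* reject a zero-sized element outright */
    if (nmemb > SIZE_MAX / elem_size)
        return 0;                       /* nmemb * elem_size would wrap in size_t */
    size_t bytes = nmemb * elem_size;
    if (bytes > (size_t)INT32_MAX)
        return 0;                       /* would go negative when narrowed to tsize_t */
    *out = (tsize_t)bytes;
    return 1;
}

/*
 * Constructed scenario: a strip-offset table of 'nstrips' uint32_t entries,
 * where nstrips comes from an untrusted directory entry. The unchecked
 * variant returns the byte count the vulnerable code would request.
 */
static size_t strip_table_bytes_unchecked(size_t nstrips)
{
    return unchecked_bytes(nstrips, sizeof(uint32_t));
}

static int strip_table_bytes_checked(size_t nstrips, tsize_t *out)
{
    return checked_bytes(nstrips, sizeof(uint32_t), out);
}

int main(void)
{
    /* Constructed strip count chosen so that nstrips * 4 wraps to 0 in size_t. */
    size_t evil = SIZE_MAX / 2 + 1;
    tsize_t bytes;

    printf("unchecked: %zu strips -> %zu bytes requested\n",
           evil, strip_table_bytes_unchecked(evil));
    printf("checked:   %zu strips -> %s\n",
           evil, strip_table_bytes_checked(evil, &bytes) ? "ok" : "rejected");

    /* A count whose product fits a 64-bit size_t but not a 32-bit tsize_t. */
    size_t big = (size_t)1 << 30;
    printf("checked:   %zu strips -> %s\n",
           big, strip_table_bytes_checked(big, &bytes) ? "ok" : "rejected");

    /* A sane count passes and yields the expected byte size. */
    if (strip_table_bytes_checked(1000, &bytes))
        printf("checked:   1000 strips -> %ld bytes\n", (long)bytes);
    return 0;
}
```

The unchecked path requests zero bytes for a table that the caller then fills with billions of entries, which is exactly the heap overflow the CERT note describes; the checked path rejects both the wrapping count and the count that would only overflow once narrowed to tsize_t, which is the case the quoted patch's post-narrowing division check does not cover cleanly.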
This is bug 59635, which we already fixed. *** This bug has been marked as a duplicate of 59635 ***
CVE-2004-1307: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)