gif2tiff buffer overrun. Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2270 This appears not to be security critical: it's a read not a write overrun, so the worst possible consequence is SIGSEGV, and even that doesn't seem to happen on any popular architectures. diff -Naur tiff-3.9.4.orig/tools/gif2tiff.c tiff-3.9.4/tools/gif2tiff.c --- tiff-3.9.4.orig/tools/gif2tiff.c 2010-06-08 14:50:44.000000000 -0400 +++ tiff-3.9.4/tools/gif2tiff.c 2010-11-02 22:32:10.018264489 -0400 @@ -503,6 +503,10 @@ strip = 0; stripsize = TIFFStripSize(tif); for (row=0; row<height; row += rowsperstrip) { + if (rowsperstrip > height-row) { + rowsperstrip = height-row; + stripsize = TIFFVStripSize(tif, rowsperstrip); + } if (TIFFWriteEncodedStrip(tif, strip, newras+row*width, stripsize) < 0) break; strip++;