--- camlimages-2.2.orig/tiff/tiffread.c 2004-09-21 22:56:44.000000000 +0100
+++ camlimages-2.2.tiff/tiff/tiffread.c 2009-10-16 10:47:32.515257997 +0100
@@ -18,6 +18,13 @@
 #include
 #include
+#include
+#define oversized(x, y) \
+ ((x) < 0 || (y) < 0 || ((y) != 0 && (x) > INT_MAX / (y)))
+
+#define failwith_oversized(lib) \
+ failwith("#lib error: image contains oversized or bogus width and height");
+
 #if HAVE_TIFF
 /* These are defined in caml/config.h */
@@ -68,6 +75,10 @@
 TIFFGetField(tif, TIFFTAG_YRESOLUTION, &yres);
 TIFFGetField(tif, TIFFTAG_PHOTOMETRIC, &photometric);
+ if (oversized (imagewidth, imagelength)) {
+ failwith_oversized("tiff");
+ }
+
 if( imagesample == 3 && photometric == PHOTOMETRIC_RGB ){
 if( imagebits != 8 ){
 failwith("Sorry, tiff rgb file must be 24bit-color");
@@ -156,6 +167,11 @@
 TIFFGetField(tif, TIFFTAG_RESOLUTIONUNIT, &runit);
 TIFFGetField(tif, TIFFTAG_XRESOLUTION, &xres);
 TIFFGetField(tif, TIFFTAG_YRESOLUTION, &yres);
+
+ if (oversized (imagewidth, imagelength)) {
+ failwith_oversized("tiff");
+ }
+
 if( imagesample != 3 || imagebits != 8 ) {
 failwith("tiff file is not in the 24 bit RGB format");
 }
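Review bot: The `failwith_oversized` macro never uses its `lib` argument, because `#lib` inside a string literal is ordinary text rather than the stringizing operator, so every caller raises the literal message `#lib error: image contains oversized or bogus width and height`. Callers pass a string literal (`"tiff"` in the two hunks below), so adjacent-literal concatenation gives the intended text, `failwith(lib " error: image contains oversized or bogus width and height")`, and the trailing `;` should be dropped from the macro body so `failwith_oversized("tiff");` does not expand to a double semicolon that would break an `if ... else` caller. The added `#include` has lost its header name in this rendering; `INT_MAX` is declared in `<limits.h>`, so that is presumably what it names. The `(x) < 0 || (y) < 0` terms only do anything if the width and length variables are signed; libtiff hands these tags back as unsigned 32-bit values, so if the file declares them that way those terms are dead (and a likely `-Wtype-limits` warning) while the `INT_MAX / (y)` bound still holds.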
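Review bot: The new check bounds `imagewidth * imagelength` to INT_MAX, but this hunk and the one at `@@ -156,6 +167,11 @@` both guard paths that the following `failwith` messages describe as 24-bit RGB, i.e. three bytes per pixel, so if the pixel buffer sized later in the function (outside the hunk) is `width * height * 3` bytes, that byte count can still exceed INT_MAX where `int` is 32 bits. Extending the guard to the byte count stays overflow-free because the first test already bounds the product: `if (oversized (imagewidth, imagelength) || oversized (imagewidth * imagelength, 3)) {`. The `TIFFGetField` calls that fill `imagewidth` and `imagelength` are not in the hunk; if their return values are unchecked, a file missing those tags leaves the variables with whatever they held before and this check cannot catch that, so a failed lookup should be rejected with the same error. The enclosing function starts and ends outside the hunk.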