Check that image width shown in SOF doesn't exceed what libtiff has
allocated based on ImageWidth.  Patch from upstream bug
http://bugzilla.maptools.org/show_bug.cgi?id=1999


diff -Naur tiff-3.9.4.orig/libtiff/tif_ojpeg.c tiff-3.9.4/libtiff/tif_ojpeg.c
--- tiff-3.9.4.orig/libtiff/tif_ojpeg.c	2010-06-08 19:29:51.000000000 -0400
+++ tiff-3.9.4/libtiff/tif_ojpeg.c	2011-04-13 11:38:55.486008471 -0400
@@ -1537,7 +1537,6 @@
 		OJPEGReadSkip(sp,4);
 	else
 	{
-		/* TODO: probably best to also add check on allowed upper bound, especially x, may cause buffer overflow otherwise i think */
 		/* Y: Number of lines */
 		if (OJPEGReadWord(sp,&p)==0)
 			return(0);
@@ -1555,6 +1554,11 @@
 			TIFFErrorExt(tif->tif_clientdata,module,"JPEG compressed data indicates unexpected width");
 			return(0);
 		}
+		if ((uint32)p>sp->strile_width)
+		{
+			TIFFErrorExt(tif->tif_clientdata,module,"JPEG compressed data image width exceeds expected image width");
+			return(0);
+		}
 		sp->sof_x=p;
 	}
 	/* Nf: Number of image components in frame */