Based on http://bugzilla.maptools.org/show_bug.cgi?id=2750#c5

diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c

index 7a57800..8443fce 100644

--- a/tools/pal2rgb.c

+++ b/tools/pal2rgb.c

@@ -184,8 +184,19 @@ main(int argc, char* argv[])

 	{ unsigned char *ibuf, *obuf;

 	  register unsigned char* pp;

 	  register uint32 x;

-	  ibuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(in));

-	  obuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(out));

+	  tmsize_t tss_in = TIFFScanlineSize(in);

+	  tmsize_t tss_out = TIFFScanlineSize(out);

+	  if (tss_out / tss_in < 3) {

+		/*

+		 * BUG 2750: The following code assumes the output buffer is 3x the

+		 * length of the input buffer due to exploding the palette into

+		 * RGB tuples. If this doesn't happen, fail now.

+		*/

+		fprintf(stderr, "Could not determine correct image size for output. Exiting.\n");

+		return -1;

+	  }

+	  ibuf = (unsigned char*)_TIFFmalloc(tss_in);

+	  obuf = (unsigned char*)_TIFFmalloc(tss_out);

 	  switch (config) {

 	  case PLANARCONFIG_CONTIG:

 		for (row = 0; row < imagelength; row++) {