Based on http://bugzilla.maptools.org/show_bug.cgi?id=2750#c5

diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c
index 7a57800..8443fce 100644
--- a/tools/pal2rgb.c
+++ b/tools/pal2rgb.c
@@ -184,8 +184,19 @@ main(int argc, char* argv[])
 	{ unsigned char *ibuf, *obuf;
 	  register unsigned char* pp;
 	  register uint32 x;
-	  ibuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(in));
-	  obuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(out));
+	  tmsize_t tss_in = TIFFScanlineSize(in);
+	  tmsize_t tss_out = TIFFScanlineSize(out);
+	  if (tss_out / tss_in < 3) {
+		/*
+		 * BUG 2750: The following code assumes the output buffer is 3x the
+		 * length of the input buffer due to exploding the palette into
+		 * RGB tuples. If this doesn't happen, fail now.
+		*/
+		fprintf(stderr, "Could not determine correct image size for output. Exiting.\n");
+		return -1;
+	  }
+	  ibuf = (unsigned char*)_TIFFmalloc(tss_in);
+	  obuf = (unsigned char*)_TIFFmalloc(tss_out);
 	  switch (config) {
 	  case PLANARCONFIG_CONTIG:
 		for (row = 0; row < imagelength; row++) {