diff --git a/tiff-4.0.6-nextdecode-oob.patch b/tiff-4.0.6-nextdecode-oob.patch
new file mode 100644
index 0000000..263abc1
--- /dev/null
+++ b/tiff-4.0.6-nextdecode-oob.patch
@@ -0,0 +1,36 @@
+--- libtiff/tif_next.c	29 Dec 2014 12:09:11 -0000	1.16
++++ libtiff/tif_next.c	27 Dec 2015 17:14:52 -0000	1.18
+@@ -37,7 +37,7 @@
+ 	case 0:	op[0]  = (unsigned char) ((v) << 6); break;	\
+ 	case 1:	op[0] |= (v) << 4; break;	\
+ 	case 2:	op[0] |= (v) << 2; break;	\
+-	case 3:	*op++ |= (v);	   break;	\
++	case 3:	*op++ |= (v);	   op_offset++; break;	\
+ 	}					\
+ }
+ 
+@@ -103,6 +103,7 @@
+ 		}
+ 		default: {
+ 			uint32 npixels = 0, grey;
++			tmsize_t op_offset = 0;
+ 			uint32 imagewidth = tif->tif_dir.td_imagewidth;
+             if( isTiled(tif) )
+                 imagewidth = tif->tif_dir.td_tilewidth;
+@@ -122,10 +123,15 @@
+ 				 * bounds, potentially resulting in a security
+ 				 * issue.
+ 				 */
+-				while (n-- > 0 && npixels < imagewidth)
++				while (n-- > 0 && npixels < imagewidth && op_offset < scanline)
+ 					SETPIXEL(op, grey);
+ 				if (npixels >= imagewidth)
+ 					break;
++                if (op_offset >= scanline ) {
++                    TIFFErrorExt(tif->tif_clientdata, module, "Invalid data for scanline %ld",
++                        (long) tif->tif_row);
++                    return (0);
++                }
+ 				if (cc == 0)
+ 					goto bad;
+ 				n = *bp++, cc--;
diff --git a/tiff.changes b/tiff.changes
index 2e3ae43..1ba2d68 100644
--- a/tiff.changes
+++ b/tiff.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Mon Jan 11 09:48:49 UTC 2016 - fstrba@suse.com
+
+- Added patch:
+  * tiff-4.0.6-nextdecode-oob.patch
+    - Fix potential out-of-bound write in NeXTDecode() triggered by
+      http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif (#2508,
+      bsc#942690)
+
 -------------------------------------------------------------------
 Tue Dec  8 15:55:30 UTC 2015 - p.drouand@gmail.com
 
diff --git a/tiff.spec b/tiff.spec
index f7f9988..bbb68b0 100644
--- a/tiff.spec
+++ b/tiff.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package tiff
 #
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -29,6 +29,8 @@ Source3:        baselibs.conf
 Patch0:         tiff-4.0.3-seek.patch
 # http://bugzilla.maptools.org/show_bug.cgi?id=2442
 Patch1:         tiff-4.0.3-compress-warning.patch
+# http://bugzilla.maptools.org/show_bug.cgi?id=2508
+Patch2:         tiff-4.0.6-nextdecode-oob.patch
 BuildRequires:  gcc-c++
 BuildRequires:  libjpeg-devel
 BuildRequires:  libtool
@@ -94,6 +96,7 @@ the libtiff library.
 %setup -q
 %patch0 -p1
 %patch1 -p1
+%patch2 -p0
 
 %build
 CFLAGS="%{optflags} -fPIE"