1diff --git a/third_party/libtiff/tif_getimage.c b/third_party/libtiff/tif_getimage.c
2index 53c938a89..03c9a81fb 100644
3--- a/third_party/libtiff/tif_getimage.c
4+++ b/third_party/libtiff/tif_getimage.c
5@@ -627,7 +627,7 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
6     uint32 col, row, y, rowstoread;
7     tmsize_t pos;
8     uint32 tw, th;
9-    unsigned char* buf;
10+    unsigned char* buf = NULL;
11     int32 fromskew, toskew;
12     int64 safeskew;
13     uint32 nrow;
14@@ -636,13 +636,14 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
15     int32 this_toskew, leftmost_toskew;
16     int32 leftmost_fromskew;
17     uint32 leftmost_tw;
18+    tmsize_t bufsize;
19
20-    buf = (unsigned char*) _TIFFmalloc(TIFFTileSize(tif));
21-    if (buf == 0) {
22-               TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "No space for tile buffer");
23-               return (0);
24+    bufsize = TIFFTileSize(tif);
25+    if (bufsize == 0) {
26+        TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "No space for tile buffer");
27+        return (0);
28     }
29-    _TIFFmemset(buf, 0, TIFFTileSize(tif));
30+
31     TIFFGetField(tif, TIFFTAG_TILEWIDTH, &tw);
32     TIFFGetField(tif, TIFFTAG_TILELENGTH, &th);
33
34@@ -691,8 +692,9 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
35        col = img->col_offset;
36        while (tocol < w)
37         {
38-           if (TIFFReadTile(tif, buf, col,
39-                            row+img->row_offset, 0, 0)==(tmsize_t)(-1) && img->stoponerr)
40+           if (_TIFFReadTileAndAllocBuffer(tif, (void**) &buf, bufsize, col,
41+                            row+img->row_offset, 0, 0)==(tmsize_t)(-1) &&
42+                (buf == NULL || img->stoponerr))
43             {
44                 ret = 0;
45                 break;
46@@ -772,11 +774,11 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
47        uint32 col, row, y, rowstoread;
48        tmsize_t pos;
49        uint32 tw, th;
50-       unsigned char* buf;
51-       unsigned char* p0;
52-       unsigned char* p1;
53-       unsigned char* p2;
54-       unsigned char* pa;
55+       unsigned char* buf = NULL;
56+       unsigned char* p0 = NULL;
57+       unsigned char* p1 = NULL;
58+       unsigned char* p2 = NULL;
59+       unsigned char* pa = NULL;
60        tmsize_t tilesize;
61        tmsize_t bufsize;
62        int32 fromskew, toskew;
63@@ -795,16 +797,7 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
64                TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtTileSeparate");
65                return (0);
66        }
67-       buf = (unsigned char*) _TIFFmalloc(bufsize);
68-       if (buf == 0) {
69-               TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "No space for tile buffer");
70-               return (0);
71-       }
72-       _TIFFmemset(buf, 0, bufsize);
73-       p0 = buf;
74-       p1 = p0 + tilesize;
75-       p2 = p1 + tilesize;
76-       pa = (alpha?(p2+tilesize):NULL);
77+
78        TIFFGetField(tif, TIFFTAG_TILEWIDTH, &tw);
79        TIFFGetField(tif, TIFFTAG_TILELENGTH, &th);
80
81@@ -824,7 +817,6 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
82           case PHOTOMETRIC_MINISBLACK:
83           case PHOTOMETRIC_PALETTE:
84             colorchannels = 1;
85-            p2 = p1 = p0;
86             break;
87
88           default:
89@@ -849,7 +841,30 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
90                col = img->col_offset;
91                while (tocol < w)
92                {
93-                       if (TIFFReadTile(tif, p0, col,
94+                        if( buf == NULL )
95+                        {
96+                            if (_TIFFReadTileAndAllocBuffer(
97+                                    tif, (void**) &buf, bufsize, col,
98+                                    row+img->row_offset,0,0)==(tmsize_t)(-1)
99+                                && (buf == NULL || img->stoponerr))
100+                            {
101+                                    ret = 0;
102+                                    break;
103+                            }
104+                            p0 = buf;
105+                            if( colorchannels == 1 )
106+                            {
107+                                p2 = p1 = p0;
108+                                pa = (alpha?(p0+3*tilesize):NULL);
109+                            }
110+                            else
111+                            {
112+                                p1 = p0 + tilesize;
113+                                p2 = p1 + tilesize;
114+                                pa = (alpha?(p2+tilesize):NULL);
115+                            }
116+                        }
117+                       else if (TIFFReadTile(tif, p0, col,
118                            row+img->row_offset,0,0)==(tmsize_t)(-1) && img->stoponerr)
119                        {
120                                ret = 0;
121@@ -940,13 +955,14 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
122        tileContigRoutine put = img->put.contig;
123        uint32 row, y, nrow, nrowsub, rowstoread;
124        tmsize_t pos;
125-       unsigned char* buf;
126+       unsigned char* buf = NULL;
127        uint32 rowsperstrip;
128        uint16 subsamplinghor,subsamplingver;
129        uint32 imagewidth = img->width;
130        tmsize_t scanline;
131        int32 fromskew, toskew;
132        int ret = 1, flip;
133+       tmsize_t maxstripsize;
134
135        TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, &subsamplinghor, &subsamplingver);
136        if( subsamplingver == 0 ) {
137@@ -954,12 +970,7 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
138                return (0);
139        }
140
141-       buf = (unsigned char*) _TIFFmalloc(TIFFStripSize(tif));
142-       if (buf == 0) {
143-               TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for strip buffer");
144-               return (0);
145-       }
146-       _TIFFmemset(buf, 0, TIFFStripSize(tif));
147+       maxstripsize = TIFFStripSize(tif);
148
149        flip = setorientation(img);
150        if (flip & FLIP_VERTICALLY) {
151@@ -981,11 +992,12 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
152                nrowsub = nrow;
153                if ((nrowsub%subsamplingver)!=0)
154                        nrowsub+=subsamplingver-nrowsub%subsamplingver;
155-               if (TIFFReadEncodedStrip(tif,
156+               if (_TIFFReadEncodedStripAndAllocBuffer(tif,
157                    TIFFComputeStrip(tif,row+img->row_offset, 0),
158-                   buf,
159+                   (void**)(&buf),
160+                   maxstripsize,
161                    ((row + img->row_offset)%rowsperstrip + nrowsub) * scanline)==(tmsize_t)(-1)
162-                   && img->stoponerr)
163+                   && (buf == NULL || img->stoponerr))
164                {
165                        ret = 0;
166                        break;
167@@ -1029,8 +1041,8 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
168 {
169        TIFF* tif = img->tif;
170        tileSeparateRoutine put = img->put.separate;
171-       unsigned char *buf;
172-       unsigned char *p0, *p1, *p2, *pa;
173+       unsigned char *buf = NULL;
174+       unsigned char *p0 = NULL, *p1 = NULL, *p2 = NULL, *pa = NULL;
175        uint32 row, y, nrow, rowstoread;
176        tmsize_t pos;
177        tmsize_t scanline;
178@@ -1049,15 +1061,6 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
179                TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtStripSeparate");
180                return (0);
181        }
182-       p0 = buf = (unsigned char *)_TIFFmalloc(bufsize);
183-       if (buf == 0) {
184-               TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for tile buffer");
185-               return (0);
186-       }
187-       _TIFFmemset(buf, 0, bufsize);
188-       p1 = p0 + stripsize;
189-       p2 = p1 + stripsize;
190-       pa = (alpha?(p2+stripsize):NULL);
191
192        flip = setorientation(img);
193        if (flip & FLIP_VERTICALLY) {
194@@ -1075,7 +1078,6 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
195           case PHOTOMETRIC_MINISBLACK:
196           case PHOTOMETRIC_PALETTE:
197             colorchannels = 1;
198-            p2 = p1 = p0;
199             break;
200
201           default:
202@@ -1091,7 +1093,31 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
203                rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip;
204                nrow = (row + rowstoread > h ? h - row : rowstoread);
205                offset_row = row + img->row_offset;
206-               if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 0),
207+                if( buf == NULL )
208+                {
209+                    if (_TIFFReadEncodedStripAndAllocBuffer(
210+                            tif, TIFFComputeStrip(tif, offset_row, 0),
211+                            (void**) &buf, bufsize,
212+                            ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
213+                        && (buf == NULL || img->stoponerr))
214+                    {
215+                            ret = 0;
216+                            break;
217+                    }
218+                    p0 = buf;
219+                    if( colorchannels == 1 )
220+                    {
221+                        p2 = p1 = p0;
222+                        pa = (alpha?(p0+3*stripsize):NULL);
223+                    }
224+                    else
225+                    {
226+                        p1 = p0 + stripsize;
227+                        p2 = p1 + stripsize;
228+                        pa = (alpha?(p2+stripsize):NULL);
229+                    }
230+                }
231+               else if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 0),
232                    p0, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
233                    && img->stoponerr)
234                {
235diff --git a/third_party/libtiff/tif_read.c b/third_party/libtiff/tif_read.c
236index cc4f5d2f6..ad0a778c0 100644
237--- a/third_party/libtiff/tif_read.c
238+++ b/third_party/libtiff/tif_read.c
239@@ -442,18 +442,17 @@ TIFFReadScanline(TIFF* tif, void* buf, uint32 row, uint16 sample)
240 }
241
242 /*
243- * Read a strip of data and decompress the specified
244- * amount into the user-supplied buffer.
245+ * Calculate the strip size according to the number of
246+ * rows in the strip (check for truncated last strip on any
247+ * of the separations).
248  */
249-tmsize_t
250-TIFFReadEncodedStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size)
251+static tmsize_t TIFFReadEncodedStripGetStripSize(TIFF* tif, uint32 strip, uint16* pplane)
252 {
253        static const char module[] = "TIFFReadEncodedStrip";
254        TIFFDirectory *td = &tif->tif_dir;
255        uint32 rowsperstrip;
256        uint32 stripsperplane;
257        uint32 stripinplane;
258-       uint16 plane;
259        uint32 rows;
260        tmsize_t stripsize;
261        if (!TIFFCheckRead(tif,0))
262@@ -465,23 +464,37 @@ TIFFReadEncodedStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size)
263                    (unsigned long)td->td_nstrips);
264                return((tmsize_t)(-1));
265        }
266-       /*
267-        * Calculate the strip size according to the number of
268-        * rows in the strip (check for truncated last strip on any
269-        * of the separations).
270-        */
271+
272        rowsperstrip=td->td_rowsperstrip;
273        if (rowsperstrip>td->td_imagelength)
274                rowsperstrip=td->td_imagelength;
275        stripsperplane= TIFFhowmany_32_maxuint_compat(td->td_imagelength, rowsperstrip);
276        stripinplane=(strip%stripsperplane);
277-       plane=(uint16)(strip/stripsperplane);
278+       if( pplane ) *pplane=(uint16)(strip/stripsperplane);
279        rows=td->td_imagelength-stripinplane*rowsperstrip;
280        if (rows>rowsperstrip)
281                rows=rowsperstrip;
282        stripsize=TIFFVStripSize(tif,rows);
283        if (stripsize==0)
284                return((tmsize_t)(-1));
285+    return stripsize;
286+}
287+
288+/*
289+ * Read a strip of data and decompress the specified
290+ * amount into the user-supplied buffer.
291+ */
292+tmsize_t
293+TIFFReadEncodedStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size)
294+{
295+  static const char module[] = "TIFFReadEncodedStrip";
296+  TIFFDirectory *td = &tif->tif_dir;
297+  tmsize_t stripsize;
298+  uint16 plane;
299+
300+  stripsize=TIFFReadEncodedStripGetStripSize(tif, strip, &plane);
301+  if (stripsize==((tmsize_t)(-1)))
302+      return((tmsize_t)(-1));
303
304     /* shortcut to avoid an extra memcpy() */
305     if( td->td_compression == COMPRESSION_NONE &&
306@@ -510,6 +523,50 @@ TIFFReadEncodedStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size)
307        return(stripsize);
308 }
309
310+/* Variant of TIFFReadEncodedStrip() that does
311+ * * if *buf == NULL, *buf = _TIFFmalloc(bufsizetoalloc) only after TIFFFillStrip() has
312+ *   suceeded. This avoid excessive memory allocation in case of truncated
313+ *   file.
314+ * * calls regular TIFFReadEncodedStrip() if *buf != NULL
315+ */
316+tmsize_t
317+_TIFFReadEncodedStripAndAllocBuffer(TIFF* tif, uint32 strip,
318+                                    void **buf, tmsize_t bufsizetoalloc,
319+                                    tmsize_t size_to_read)
320+{
321+    tmsize_t this_stripsize;
322+    uint16 plane;
323+
324+    if( *buf != NULL )
325+    {
326+        return TIFFReadEncodedStrip(tif, strip, *buf, size_to_read);
327+    }
328+
329+    this_stripsize=TIFFReadEncodedStripGetStripSize(tif, strip, &plane);
330+    if (this_stripsize==((tmsize_t)(-1)))
331+            return((tmsize_t)(-1));
332+
333+    if ((size_to_read!=(tmsize_t)(-1))&&(size_to_read<this_stripsize))
334+            this_stripsize=size_to_read;
335+    if (!TIFFFillStrip(tif,strip))
336+            return((tmsize_t)(-1));
337+
338+    *buf = _TIFFmalloc(bufsizetoalloc);
339+    if (*buf == NULL) {
340+            TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for strip buffer");
341+            return((tmsize_t)(-1));
342+    }
343+    _TIFFmemset(*buf, 0, bufsizetoalloc);
344+
345+    if ((*tif->tif_decodestrip)(tif,*buf,this_stripsize,plane)<=0)
346+            return((tmsize_t)(-1));
347+    (*tif->tif_postdecode)(tif,*buf,this_stripsize);
348+    return(this_stripsize);
349+
350+
351+}
352+
353+
354 static tmsize_t
355 TIFFReadRawStrip1(TIFF* tif, uint32 strip, void* buf, tmsize_t size,
356     const char* module)
357@@ -939,6 +996,78 @@ TIFFReadEncodedTile(TIFF* tif, uint32 tile, void* buf, tmsize_t size)
358                return ((tmsize_t)(-1));
359 }
360
361+/* Variant of TIFFReadTile() that does
362+ * * if *buf == NULL, *buf = _TIFFmalloc(bufsizetoalloc) only after TIFFFillTile() has
363+ *   suceeded. This avoid excessive memory allocation in case of truncated
364+ *   file.
365+ * * calls regular TIFFReadEncodedTile() if *buf != NULL
366+ */
367+tmsize_t
368+_TIFFReadTileAndAllocBuffer(TIFF* tif,
369+                            void **buf, tmsize_t bufsizetoalloc,
370+                            uint32 x, uint32 y, uint32 z, uint16 s)
371+{
372+    if (!TIFFCheckRead(tif, 1) || !TIFFCheckTile(tif, x, y, z, s))
373+            return ((tmsize_t)(-1));
374+    return (_TIFFReadEncodedTileAndAllocBuffer(tif,
375+                                               TIFFComputeTile(tif, x, y, z, s),
376+                                               buf, bufsizetoalloc,
377+                                               (tmsize_t)(-1)));
378+}
379+
380+/* Variant of TIFFReadEncodedTile() that does
381+ * * if *buf == NULL, *buf = _TIFFmalloc(bufsizetoalloc) only after TIFFFillTile() has
382+ *   suceeded. This avoid excessive memory allocation in case of truncated
383+ *   file.
384+ * * calls regular TIFFReadEncodedTile() if *buf != NULL
385+ */
386+tmsize_t
387+_TIFFReadEncodedTileAndAllocBuffer(TIFF* tif, uint32 tile,
388+                                    void **buf, tmsize_t bufsizetoalloc,
389+                                    tmsize_t size_to_read)
390+{
391+    static const char module[] = "_TIFFReadEncodedTileAndAllocBuffer";
392+    TIFFDirectory *td = &tif->tif_dir;
393+    tmsize_t tilesize = tif->tif_tilesize;
394+
395+    if( *buf != NULL )
396+    {
397+        return TIFFReadEncodedTile(tif, tile, *buf, size_to_read);
398+    }
399+
400+    if (!TIFFCheckRead(tif, 1))
401+            return ((tmsize_t)(-1));
402+    if (tile >= td->td_nstrips) {
403+            TIFFErrorExt(tif->tif_clientdata, module,
404+                "%lu: Tile out of range, max %lu",
405+                (unsigned long) tile, (unsigned long) td->td_nstrips);
406+            return ((tmsize_t)(-1));
407+    }
408+
409+    if (!TIFFFillTile(tif,tile))
410+            return((tmsize_t)(-1));
411+
412+    *buf = _TIFFmalloc(bufsizetoalloc);
413+    if (*buf == NULL) {
414+            TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif),
415+                         "No space for tile buffer");
416+            return((tmsize_t)(-1));
417+    }
418+    _TIFFmemset(*buf, 0, bufsizetoalloc);
419+
420+    if (size_to_read == (tmsize_t)(-1))
421+        size_to_read = tilesize;
422+    else if (size_to_read > tilesize)
423+        size_to_read = tilesize;
424+    if( (*tif->tif_decodetile)(tif,
425+        (uint8*) *buf, size_to_read, (uint16)(tile/td->td_stripsperimage))) {
426+        (*tif->tif_postdecode)(tif, (uint8*) *buf, size_to_read);
427+        return (size_to_read);
428+    } else
429+        return ((tmsize_t)(-1));
430+}
431+
432+
433 static tmsize_t
434 TIFFReadRawTile1(TIFF* tif, uint32 tile, void* buf, tmsize_t size, const char* module)
435 {
436diff --git a/third_party/libtiff/tiffiop.h b/third_party/libtiff/tiffiop.h
437index 7e415c750..6fb47de5b 100644
438--- a/third_party/libtiff/tiffiop.h
439+++ b/third_party/libtiff/tiffiop.h
440@@ -364,6 +364,20 @@ extern void* _TIFFCheckRealloc(TIFF*, void*, tmsize_t, tmsize_t, const char*);
441 extern double _TIFFUInt64ToDouble(uint64);
442 extern float _TIFFUInt64ToFloat(uint64);
443
444+extern tmsize_t
445+_TIFFReadEncodedStripAndAllocBuffer(TIFF* tif, uint32 strip,
446+                                    void **buf, tmsize_t bufsizetoalloc,
447+                                    tmsize_t size_to_read);
448+extern tmsize_t
449+_TIFFReadEncodedTileAndAllocBuffer(TIFF* tif, uint32 tile,
450+                                    void **buf, tmsize_t bufsizetoalloc,
451+                                    tmsize_t size_to_read);
452+extern tmsize_t
453+_TIFFReadTileAndAllocBuffer(TIFF* tif,
454+                            void **buf, tmsize_t bufsizetoalloc,
455+                            uint32 x, uint32 y, uint32 z, uint16 s);
456+
457+
458 extern int TIFFInitDumpMode(TIFF*, int);
459 #ifdef PACKBITS_SUPPORT
460 extern int TIFFInitPackBits(TIFF*, int);
461