diff --git a/ChangeLog b/ChangeLog
index 600f20f9..d7981499 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,6 @@
 18/5/16 started 8.3.2
 - more robust vips image reading
+- more robust tiff read [Matt Richards]
 15/4/16 started 8.3.1
 - rename vips wrapper script, it was still vips-8.2, thanks Benjamin
diff --git a/libvips/foreign/tiff2vips.c b/libvips/foreign/tiff2vips.c
index 1c58bd61..2c2bf39c 100644
--- a/libvips/foreign/tiff2vips.c
+++ b/libvips/foreign/tiff2vips.c
@@ -1832,9 +1832,17 @@ my_tiff_read( thandle_t st, tdata_t buffer, tsize_t size )
 {
 ReadTiff *rtiff = (ReadTiff *) st;
- size_t available = rtiff->len - rtiff->pos;
- size_t copy = VIPS_MIN( size, available );
+ size_t available;
+ size_t copy;
+ if( rtiff->pos > rtiff->len ) {
+ vips_error( "tiff2vips",
+ "%s", _( "read beyond end of buffer" ) );
+ return( 0 );
+ }
+
+ available = rtiff->len - rtiff->pos;
+ copy = VIPS_MIN( size, available );
 memcpy( buffer, (unsigned char *) rtiff->buf + rtiff->pos, copy );
 rtiff->pos += copy;
@@ -1855,6 +1863,9 @@ my_tiff_close( thandle_t st )
 return 0;
 }
+/* After calling this, ->pos is not bound by the size of the buffer, it can
+ * have any positive value.
+ */
 static toff_t
 my_tiff_seek( thandle_t st, toff_t pos, int whence )
 {
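Review bot: The new guard in my_tiff_read() rejects `pos > len`, but `size` is a signed `tsize_t` and still goes unchecked into `VIPS_MIN( size, available )` against a `size_t`. Under the usual arithmetic conversions a negative `size` becomes a very large unsigned value, so `copy` ends up equal to `available` and the `memcpy` could write more into `buffer` than the caller asked for. Whether libtiff can ever pass a negative count is not visible from this hunk. I would reject it in the same check, `if( size < 0 || rtiff->pos > rtiff->len ) {`. The function's return statement lies outside the hunk, so how `copy` is converted back to the return type cannot be checked from here.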
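Review bot: The comment added above my_tiff_seek() says `->pos` is unbounded but not who has to cope with that, and the check it depends on sits in a different function. I would extend it to name the obligation, e.g. `* Every user of ->pos (currently my_tiff_read()) must range-check it against ->len before touching ->buf.` The body of my_tiff_seek() is outside the hunk, so whether the `SEEK_CUR`/`SEEK_END` arithmetic on `pos` can wrap should be confirmed separately.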