diff --git a/ChangeLog b/ChangeLog
index 3c0a33a7..4033f16f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -30,6 +30,7 @@
 18/5/16 started 8.3.2
 - more robust vips image reading
+- more robust tiff read [Matt Richards]
 15/4/16 started 8.3.1
 - rename vips wrapper script, it was still vips-8.2, thanks Benjamin
diff --git a/libvips/foreign/tiff2vips.c b/libvips/foreign/tiff2vips.c
index 222adc80..26815b52 100644
--- a/libvips/foreign/tiff2vips.c
+++ b/libvips/foreign/tiff2vips.c
@@ -1895,9 +1895,17 @@ my_tiff_read( thandle_t st, tdata_t buffer, tsize_t size )
 {
 ReadTiff *rtiff = (ReadTiff *) st;
- size_t available = rtiff->len - rtiff->pos;
- size_t copy = VIPS_MIN( size, available );
+ size_t available;
+ size_t copy;
+ if( rtiff->pos > rtiff->len ) {
+ vips_error( "tiff2vips",
+ "%s", _( "read beyond end of buffer" ) );
+ return( 0 );
+ }
+
+ available = rtiff->len - rtiff->pos;
+ copy = VIPS_MIN( size, available );
 memcpy( buffer, (unsigned char *) rtiff->buf + rtiff->pos, copy );
 rtiff->pos += copy;
@@ -1918,6 +1926,9 @@ my_tiff_close( thandle_t st )
 return 0;
 }
+/* After calling this, ->pos is not bound by the size of the buffer, it can
+ * have any positive value.
+ */
 static toff_t
 my_tiff_seek( thandle_t st, toff_t pos, int whence )
 {
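Review bot: In my_tiff_read(), `size` is a signed `tsize_t` but is compared against the unsigned `available` inside `VIPS_MIN( size, available )`, so a negative `size` would be converted to a very large value and `copy` would fall back to `available`, which is bounded by the source buffer but not by the caller's destination. libtiff is not expected to pass a negative count, so this is defence in depth: an early `if( size < 0 ) return( 0 );` next to the new `pos > len` guard would close it. The guard itself would benefit from a comment saying why it exists, e.g. `/* my_tiff_seek() can leave pos past len; without this check len - pos wraps and memcpy() reads past buf. */`. The function continues past the end of the hunk.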
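Review bot: The comment added above my_tiff_seek() records that `->pos` may exceed the buffer but not who is responsible for checking it, so a later reader of `->buf` could easily skip the check. Stating the obligation would make the invariant harder to break, e.g. `/* After calling this, ->pos may be past ->len: every reader of ->buf must check ->pos against ->len first, as my_tiff_read() does. */`. The body of my_tiff_seek() is outside this hunk, so whether its offset arithmetic can wrap for large `pos` values cannot be judged from here and is worth a separate look.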