I don't see a NULL deref here. There is a TIFFroundup() integer overflow in TIFFFillStrip() (as bytecount is 0xffffffff), that causes TIFFReadBufferSetup() to be called with size==0, so it does tif->tif_rawdata = malloc(0). Hence TIFFReadRawStrip1() is called with an insufficiently sized buffer and a negative size argument (uint32 -> tsize_t/int32 cast). It calls the application-provided read callback, gtk+'s tiff_load_read() in this case, which tries to memcpy way too much data.
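The arithmetic described in the comment above, as an added example that is not part of the original comment and is not libtiff's code: an unchecked 32-bit round-up wraps to 0 for a byte count of 0xffffffff, the same value turns negative when cast to a signed 32-bit size, and a checked variant rejects it. The helper names and the 1024-byte rounding granularity are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define GRANULE 1024u  /* assumed rounding granularity, for illustration */

/* Unchecked 32-bit round-up, as the comment describes: x + (y - 1) wraps. */
static uint32_t roundup_u32(uint32_t x, uint32_t y)
{
    return ((x + (y - 1)) / y) * y;
}

/* The uint32 -> signed 32-bit size cast from the comment. The result for
 * values above INT32_MAX is implementation-defined; two's complement
 * targets produce a negative number. */
static int32_t as_signed_size(uint32_t v)
{
    return (int32_t)v;
}

/* Hypothetical hardened check: accept a strip byte count only if it fits
 * a signed 32-bit size and rounding it up cannot wrap. Returns 0 and
 * stores the buffer size on success, -1 on rejection. */
static int check_strip_bytecount(uint32_t bytecount, uint32_t *bufsize)
{
    if (bytecount == 0 || bytecount > (uint32_t)INT32_MAX)
        return -1;
    if (bytecount > UINT32_MAX - (GRANULE - 1))
        return -1;
    *bufsize = roundup_u32(bytecount, GRANULE);
    return 0;
}

int main(void)
{
    uint32_t bytecount = 0xffffffffu;  /* value from the comment */
    uint32_t bufsize = 0;

    printf("rounded buffer size: %u\n", (unsigned)roundup_u32(bytecount, GRANULE));
    printf("size after signed cast: %d\n", (int)as_signed_size(bytecount));
    printf("checked: %s\n",
           check_strip_bytecount(bytecount, &bufsize) == 0 ? "accepted" : "rejected");
    return 0;
}
```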