LibTIFF: upstream patch to fix null dereference

This CL applies this patch that fixes a recent null dereference regression:
https://github.com/vadz/libtiff/commit/57f4b28c00d78bd5d74768585d0e46b2e12e94f7

Bug: chromium:743621
Change-Id: I0f9d4321dc6ea71dd31cf0ba8420cc25d401f0d8
Reviewed-on: https://pdfium-review.googlesource.com/9490
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>
diff --git a/third_party/libtiff/0026-upstream-null-dereference.patch b/third_party/libtiff/0026-upstream-null-dereference.patch
new file mode 100644
index 0000000..052645f
--- /dev/null
+++ b/third_party/libtiff/0026-upstream-null-dereference.patch
@@ -0,0 +1,22 @@
+diff --git a/third_party/libtiff/tif_getimage.c b/third_party/libtiff/tif_getimage.c
+index 03c9a81fb..d37f729c4 100644
+--- a/third_party/libtiff/tif_getimage.c
++++ b/third_party/libtiff/tif_getimage.c
+@@ -681,7 +681,7 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+        return (0);
+     }
+     leftmost_toskew = safeskew;
+-    for (row = 0; row < h; row += nrow)
++    for (row = 0; ret != 0 && row < h; row += nrow)
+     {
+         rowstoread = th - (row + img->row_offset) % th;
+        nrow = (row + rowstoread > h ? h - row : rowstoread);
+@@ -830,7 +830,7 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+        leftmost_fromskew = img->col_offset % tw;
+        leftmost_tw = tw - leftmost_fromskew;
+        leftmost_toskew = toskew + leftmost_fromskew;
+-       for (row = 0; row < h; row += nrow)
++       for (row = 0; ret != 0 && row < h; row += nrow)
+        {
+                rowstoread = th - (row + img->row_offset) % th;
+                nrow = (row + rowstoread > h ? h - row : rowstoread);
diff --git a/third_party/libtiff/README.pdfium b/third_party/libtiff/README.pdfium
index d881207..80cc637 100644
--- a/third_party/libtiff/README.pdfium
+++ b/third_party/libtiff/README.pdfium
@@ -15,3 +15,4 @@
 0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch: Fix a heap buffer overflow
 0017-safe_skews_in_gtTileContig.patch: return error if to/from skews overflow from int32.
 0025-upstream-OOM-gtTileContig: allocates the decoded buffer only after a first successful TIFFFillStrip.
+0026-upstream-null-dereference: properly evit when stoponerr is set and avoid null dereferences.
diff --git a/third_party/libtiff/tif_getimage.c b/third_party/libtiff/tif_getimage.c
index 03c9a81..d37f729 100644
--- a/third_party/libtiff/tif_getimage.c
+++ b/third_party/libtiff/tif_getimage.c
@@ -681,7 +681,7 @@
        return (0);
     }
     leftmost_toskew = safeskew;
-    for (row = 0; row < h; row += nrow)
+    for (row = 0; ret != 0 && row < h; row += nrow)
     {
         rowstoread = th - (row + img->row_offset) % th;
     	nrow = (row + rowstoread > h ? h - row : rowstoread);
@@ -830,7 +830,7 @@
 	leftmost_fromskew = img->col_offset % tw;
 	leftmost_tw = tw - leftmost_fromskew;
 	leftmost_toskew = toskew + leftmost_fromskew;
-	for (row = 0; row < h; row += nrow)
+	for (row = 0; ret != 0 && row < h; row += nrow)
 	{
 		rowstoread = th - (row + img->row_offset) % th;
 		nrow = (row + rowstoread > h ? h - row : rowstoread);