Heap-buffer-overflow in parse_encoding
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6705835866062848
Fuzzer: aohelin_ni
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x61900067a125
Crash State:
  parse_encoding
  parse_dict
  T1_Face_Init
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=314095:314100
Minimized Testcase (4747.59 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94saQs7rH-gMf2VapBIIN_3ovUlRnD6fE7bpCi-R2K5V6OQWcIyceScl3cUvRugBQznw90tatoYDS-4jR51dEfPzkHKghTrBNPk1GgP3QcdTGJyPcyLKtceDU6TBYXMaXWyXFh3MlbnSlY3n3R_qMPu64ttorXd1j-DvxQnKoVwdgsYz-E
Filer: mmoroz
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
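Editor's note, not part of the original report: the crash state above names a one-byte heap over-read (READ 1) inside the Type 1 font dictionary scanner. The example below is a constructed illustration of that bug class, written for this page; it is not FreeType's parse_encoding, it does not claim to be the root cause of this issue, and the inputs are made up rather than the ClusterFuzz test cases. The names scan_encoding, read_code, heap_copy and the demo_* functions are hypothetical. It shows a "/Encoding" scanner that reads `*p` before checking `p < limit` when a `dup` token ends the buffer, beside the guarded form.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration only: not FreeType's code, not this bug's root
 * cause.  A Type 1 "/Encoding" scanner that touches buf[len] of an
 * exactly-sized heap buffer when "dup" is the last token in the input. */

/* Copy input into an exactly-sized heap buffer with no NUL terminator, the
 * way a fuzzer-delivered font blob arrives; any read at buf[len] overflows. */
static unsigned char *heap_copy(const char *src, size_t len)
{
    unsigned char *buf = malloc(len ? len : 1);
    if (buf && len)
        memcpy(buf, src, len);
    return buf;
}

/* Parse a decimal character code at *pp; -1 if no digits or value > 255. */
static int read_code(const unsigned char **pp, const unsigned char *limit)
{
    const unsigned char *p = *pp;
    int v = 0, n = 0;
    while (p < limit && *p >= '0' && *p <= '9') {
        v = v * 10 + (*p - '0');
        if (v > 255)
            return -1;
        p++;
        n++;
    }
    *pp = p;
    return n ? v : -1;
}

/* Shared scanner; `guarded` selects the hardened whitespace skip.  Returns the
 * number of "dup <code> /<name> put" entries and marks seen[code], or -1 on a
 * malformed entry (no code, code above 255, or "dup" with nothing after it). */
static int scan_encoding(const unsigned char *buf, size_t len,
                         unsigned char seen[256], int guarded)
{
    const unsigned char *p = buf, *limit = buf + len;
    int count = 0;
    memset(seen, 0, 256);
    while (p < limit) {
        if ((size_t)(limit - p) >= 3 && memcmp(p, "dup", 3) == 0) {
            p += 3;
            if (guarded) {
                /* HARDENED: every dereference is preceded by p < limit. */
                while (p < limit && *p == ' ')
                    p++;
                if (p == limit)
                    return -1;
            } else {
                /* VULNERABLE: *p is read before checking p < limit.  When
                 * "dup" is the last token this reads buf[len]: the
                 * heap-buffer-overflow READ 1 that ASan reports. */
                while (*p == ' ')
                    p++;
            }
            int code = read_code(&p, limit);
            if (code < 0)
                return -1;
            seen[code] = 1;   /* bounded: read_code rejects codes > 255 */
            count++;
        } else {
            p++;
        }
    }
    return count;
}

int parse_encoding_unsafe(const unsigned char *buf, size_t len, unsigned char seen[256])
{ return scan_encoding(buf, len, seen, 0); }

int parse_encoding_safe(const unsigned char *buf, size_t len, unsigned char seen[256])
{ return scan_encoding(buf, len, seen, 1); }

/* Run one parser over a constructed dictionary fragment in a heap buffer. */
static int run(int (*parse)(const unsigned char *, size_t, unsigned char *),
               const char *text, unsigned char seen[256])
{
    size_t len = strlen(text);
    unsigned char *buf = heap_copy(text, len);
    int r = buf ? parse(buf, len, seen) : -1;
    free(buf);
    return r;
}

/* Constructed inputs, not the ClusterFuzz test cases. */
static const char WELL_FORMED[]  = "/Encoding 256 array dup 32 /space put dup 65 /A put readonly def";
static const char TRUNCATED[]    = "/Encoding 256 array dup 32 /space put dup";
static const char OUT_OF_RANGE[] = "dup 300 /x put";

/* Hardened scanner on WELL_FORMED: entry count, or -2 if the marked codes
 * are not exactly 32 and 65. */
int demo_well_formed(void)
{
    unsigned char s[256];
    int r = run(parse_encoding_safe, WELL_FORMED, s);
    for (int c = 0; c < 256; c++)
        if (s[c] != (c == 32 || c == 65))
            return -2;
    return r;
}
int demo_truncated(void)    { unsigned char s[256]; return run(parse_encoding_safe, TRUNCATED, s); }
int demo_out_of_range(void) { unsigned char s[256]; return run(parse_encoding_safe, OUT_OF_RANGE, s); }

int main(void)
{
    unsigned char seen[256];
    printf("safe, well-formed: %d\n", demo_well_formed());
    printf("safe, truncated:   %d\n", demo_truncated());
    printf("safe, code 300:    %d\n", demo_out_of_range());
    /* Build with -fsanitize=address to see the READ 1 report from this call. */
    printf("unsafe, truncated: %d\n", run(parse_encoding_unsafe, TRUNCATED, seen));
    return 0;
}
```

Compile with `cc -fsanitize=address -g example.c && ./a.out` (assumed file name) and the last call reports a heap-buffer-overflow READ of size 1 one byte past the allocation, the same shape as the crash state above; the hardened scanner returns -1 on the same input because the truncated `dup` is treated as a parse error rather than dereferenced.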

Apr 1 2016
Oops, wrong CC, sorry.

Apr 1 2016

Apr 4 2016

Apr 4 2016

Apr 4 2016

Apr 21 2016
bungeman: Uh oh! This issue is still open and hasn't been updated in the last 19 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

May 6 2016
bungeman: Uh oh! This issue is still open and hasn't been updated in the last 34 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

May 26 2016

May 27 2016

May 27 2016
Discussed this offline. I'm going to mark this as Stable impacting rather than None. ExternalDependency is more appropriate.

Jul 21 2016

Jul 31 2016
ClusterFuzz has detected this issue as fixed in range 408633:408661.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6705835866062848
Fuzzer: aohelin_ni
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x61900067a125
Crash State:
  parse_encoding
  parse_dict
  T1_Face_Init
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=314095:314100
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=408633:408661
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv968ZCr0bkcHuPvTTnd-_znvGjWoSZGZFIWUdnRE9ZbGR-ajiooGx3v1YRaECU5M2Uzby0h0kcsiw2U5rWJH498fTmPWRJtINJAcJD_m7UaUqXXW9_prV8y_eBN1GEaKC6yiqZfSORzAi_lDrRSOtwV-shRlAeWNOMkOZ1CgVuk3O-AVULo?testcase_id=6705835866062848
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Jul 31 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Jul 31 2016

Aug 2 2016

Aug 3 2016
Your change meets the bar and is auto-approved for M53 (branch: 2785)

Aug 4 2016
Is there anything to merge here? If not, please remove "Merge-Approved-53" label. Thank you.

Aug 9 2016
mbarbella@, interested in your reasoning behind #11

Aug 9 2016
We use the system freetype, so there isn't much we can do here other than get it fixed upstream.

Aug 10 2016

Aug 24 2016
I don't believe it could get fixed, and we have another reproducer as well.

Aug 24 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5391489058471936
Fuzzer: attekett_surku_fuzzer
Job Type: linux_asan_chrome_media
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x6210000434f4
Crash State:
  parse_encoding
  parse_dict
  T1_Face_Init
Recommended Security Severity: Medium
Minimized Testcase (24.61 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96AgJ5evUmnVTWKs4OsZqY7rvYiNroajSBEahF5gYkUW2qPx30IWuo9i_1qLYs6QvacIwmxqeBrsZ7ZU1Mw1bDe-hjwkiFmpZ-TAU9bYy9JtQJrlqV0zoR-pVOYFcWnGFh3r_L5iLgF0BqKtJ9ubMTWi25RMwOZdo0WiJlivXhGX38YKow?testcase_id=5391489058471936
Issue manually filed by: mmoroz
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Aug 24 2016

Aug 24 2016
I'm sorry to say the panel declined to reward for this bug, since it's highly likely to be unexploitable, and potentially caused by the old version of freetype used for testing.

Sep 1 2016

Oct 4 2016
bungeman - can this be closed out? Thanks.

Oct 5 2016
I can't reproduce this with:
1) up-to-date system FreeType on Ubuntu 14.04
2) PDFium's bundled FreeType.

Oct 5 2016

Oct 14 2016
Issue 655951 has been merged into this issue.

Jan 11 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Feb 28 2017
ClusterFuzz has detected this issue as fixed in range 453196:453213.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5391489058471936
Fuzzer: attekett_surku_fuzzer
Job Type: linux_asan_chrome_media
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x6210000434f4
Crash State:
  parse_encoding
  parse_dict
  T1_Face_Init
Sanitizer: address (ASAN)
Recommended Security Severity: Medium
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=453196:453213
Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96AgJ5evUmnVTWKs4OsZqY7rvYiNroajSBEahF5gYkUW2qPx30IWuo9i_1qLYs6QvacIwmxqeBrsZ7ZU1Mw1bDe-hjwkiFmpZ-TAU9bYy9JtQJrlqV0zoR-pVOYFcWnGFh3r_L5iLgF0BqKtJ9ubMTWi25RMwOZdo0WiJlivXhGX38YKow?testcase_id=5391489058471936
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Feb 28 2017
Probably fixed by updating freetype in Chromium.

Sep 18 2017
We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.

Comment 1 by mmoroz@chromium.org, Apr 1 2016
Cc: mmo...@chromium.org
Owner: bunge...@chromium.org