Oliver, can you please triage? I believe XFA isn't enabled yet, so I'm not sure about the security impact of this.

XFA is enabled on HEAD. Symbolized stack trace:

==26413==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f2328c3c800 at pc 0x000003e5c1da bp 0x7fffb4efe2e0 sp 0x7fffb4efe2d8
READ of size 4 at 0x7f2328c3c800 thread T0
    #0 0x3e5c1d9 in FX_wcsnicmp(wchar_t const*, wchar_t const*, unsigned long) out/Fuzzer/../../third_party/pdfium/xfa/fgas/crt/fgas_system.cpp:30:33
    #1 0x3e4f578 in CFDE_XMLSyntaxParser::DoSyntaxParse() out/Fuzzer/../../third_party/pdfium/xfa/fde/xml/fde_xml_imp.cpp:1889:15
    #2 0x3e830a8 in CXFA_XMLParser::DoParser(IFX_Pause*) out/Fuzzer/../../third_party/pdfium/xfa/fxfa/parser/xfa_parser_imp.cpp:1430:28
    #3 0x3e4238d in CFDE_XMLDoc::DoLoad(IFX_Pause*) out/Fuzzer/../../third_party/pdfium/xfa/fde/xml/fde_xml_imp.cpp:934:22
    #4 0x4e7665 in LLVMFuzzerTestOneInput out/Fuzzer/../../third_party/pdfium/testing/libfuzzer/pdf_xml_fuzzer.cc:64:25
    #5 0x525334 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) out/Fuzzer/../../third_party/libFuzzer/src/FuzzerLoop.cpp:465:13
    #6 0x524206 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) out/Fuzzer/../../third_party/libFuzzer/src/FuzzerLoop.cpp:398:3
    #7 0x4e9a73 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*) out/Fuzzer/../../third_party/libFuzzer/src/FuzzerDriver.cpp:256:3
    #8 0x4ed617 in fuzzer::FuzzerDriver(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > > const&, int (*)(unsigned char const*, unsigned long)) out/Fuzzer/../../third_party/libFuzzer/src/FuzzerDriver.cpp:372:9
    #9 0x4e9c64 in fuzzer::FuzzerDriver(int, char**, int (*)(unsigned char const*, unsigned long)) out/Fuzzer/../../third_party/libFuzzer/src/FuzzerDriver.cpp:421:10
    #10 0x565989 in main out/Fuzzer/../../third_party/libFuzzer/src/FuzzerMain.cpp:25:10
    #11 0x7f23292c9ec4 in __libc_start_main /build/eglibc-3GlaMS/eglibc-2.19/csu/libc-start.c:287

0x7f2328c3c800 is located 0 bytes to the right of 131072-byte region [0x7f2328c1c800,0x7f2328c3c800)
allocated by thread T0 here:
    #0 0x4b8e24 in __interceptor_calloc (/mnt/ssd/chromium2/src/out/Fuzzer/pdf_xml_fuzzer+0x4b8e24)
    #1 0x4e85bb in FX_AllocOrDie(unsigned long, unsigned long) out/Fuzzer/../../third_party/pdfium/core/fxcrt/include/fx_memory.h:39:22
    #2 0x3e41c99 in CFDE_XMLSyntaxParser::Init(IFX_Stream*, int, int) out/Fuzzer/../../third_party/pdfium/xfa/fde/xml/fde_xml_imp.cpp:1477:15
    #3 0x3e82af0 in CXFA_XMLParser::CXFA_XMLParser(CFDE_XMLNode*, IFX_Stream*) out/Fuzzer/../../third_party/pdfium/xfa/fxfa/parser/xfa_parser_imp.cpp:1412:3
    #4 0x4e7136 in LLVMFuzzerTestOneInput out/Fuzzer/../../third_party/pdfium/testing/libfuzzer/pdf_xml_fuzzer.cc:59:11
    #5 0x525334 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) out/Fuzzer/../../third_party/libFuzzer/src/FuzzerLoop.cpp:465:13
    #6 0x524206 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) out/Fuzzer/../../third_party/libFuzzer/src/FuzzerLoop.cpp:398:3
    #7 0x4e9a73 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*) out/Fuzzer/../../third_party/libFuzzer/src/FuzzerDriver.cpp:256:3
    #8 0x4ed617 in fuzzer::FuzzerDriver(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > > const&, int (*)(unsigned char const*, unsigned long)) out/Fuzzer/../../third_party/libFuzzer/src/FuzzerDriver.cpp:372:9
    #9 0x4e9c64 in fuzzer::FuzzerDriver(int, char**, int (*)(unsigned char const*, unsigned long)) out/Fuzzer/../../third_party/libFuzzer/src/FuzzerDriver.cpp:421:10
    #10 0x565989 in main out/Fuzzer/../../third_party/libFuzzer/src/FuzzerMain.cpp:25:10
    #11 0x7f23292c9ec4 in __libc_start_main /build/eglibc-3GlaMS/eglibc-2.19/csu/libc-start.c:287

The following revision refers to this bug:
  https://pdfium.googlesource.com/pdfium.git/+/816ff7b92ff0f94e4ffaafc975b08d2c4c1a6417

commit 816ff7b92ff0f94e4ffaafc975b08d2c4c1a6417
Author: ochang <ochang@chromium.org>
Date: Fri May 27 17:16:12 2016

Make sure CFDE_XMLSyntaxParser's buffer is null terminated.

BUG= chromium:614962 

Review-Url: https://codereview.chromium.org/2017803002

[modify] https://crrev.com/816ff7b92ff0f94e4ffaafc975b08d2c4c1a6417/xfa/fde/xml/fde_xml_imp.cpp

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/cc5a500413f69e6dd7d89404f662e13fb2071e90

commit cc5a500413f69e6dd7d89404f662e13fb2071e90
Author: ochang <ochang@chromium.org>
Date: Fri May 27 21:43:45 2016

Roll PDFium 490d612..d23df55

https://pdfium.googlesource.com/pdfium.git/+log/490d612..d23df55

BUG= 615424 , 614962 
TBR=thestig@chromium.org

Review-Url: https://codereview.chromium.org/2016983003
Cr-Commit-Position: refs/heads/master@{#396569}

[modify] https://crrev.com/cc5a500413f69e6dd7d89404f662e13fb2071e90/DEPS

[Automated comment] DEPS changes referenced in bugdroid comments, needs manual review.

Before we approve merge to M51, Could you please confirm whether this change is baked/verified in Canary and safe to merge?

@meacer - does this even need to go to stable? XFA is only enabled on head, so can this roll with M52?

Sure, that makes sense.

[Automated comment] DEPS changes referenced in bugdroid comments, needs manual review.

Thanks @meacer.

Krishna - please approve for M52 / 2743

Approved for M52 branch 2743 based on comment #12.

The following revision refers to this bug:
  http://goto.ext.google.com/viewvc/chrome-internal?view=rev&revision=88327

------------------------------------------------------------------
r88327 | ochang@google.com | 2016-05-27T23:37:29.119216Z

-----------------------------------------------------------------

Thanks for your report. We'll consider your report under the Chrome Reward Program for a security cash reward - full details here: https://www.google.com/about/appsecurity/chrome-rewards/

We'll update you once we have a decision. Feel free to check in with me in a few weeks if you haven't heard back, either by updating this bug or reaching out to me at timwillis@

Congratulations, the panel has decided to award $1,000 for this bug.  A member of our finance team will be in touch shortly.

*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an established charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot