Security: PDFium: Yet Another Out-Of-Bounds Read in CCodec_ProgressiveDecoder::ReSampleScanline
Reported by stackexp...@gmail.com, Jun 2 2016

Issue description
VULNERABILITY DETAILS
This Out-Of-Bounds Read vulnerability was caused by a malformed gif file embedded in the PDF document. More specifically, this issue can be triggered by embedding a malformed gif file in the XFA component.
The latest dev version of chrome (52.0.2743.19 dev-m) was vulnerable to this issue.
---------------------------
Exception Information
---------------------------
(4dcc.1bc4): Access violation - code c0000005 (!!! second chance !!!)
eax=00000003 ebx=00000001 ecx=0962eff8 edx=00010000 esi=09628394 edi=09626f38
eip=0176058b esp=0028f644 ebp=0028f680 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
pdfium_test!CCodec_ProgressiveDecoder::ReSampleScanline+0x56b:
0176058b 8b0c81 mov ecx,dword ptr [ecx+eax*4] ds:002b:0962f004=????????
---------------------------
Heap Information
---------------------------
0:000> !heap -p -a ecx
address 0962eff8 found in
_DPH_HEAP_ROOT @ 5901000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
a103784: 962eff8 8 - 962e000 2000
61a48e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
77621d4e ntdll!RtlDebugAllocateHeap+0x00000030
775db586 ntdll!RtlpAllocateHeap+0x000000c4
77583541 ntdll!RtlAllocateHeap+0x0000023a
0170ded4 pdfium_test!_calloc_base+0x00000047 [d:\th\minkernel\crts\ucrt\src\appcrt\heap\calloc_base.cpp @ 33]
0175f309 pdfium_test!CCodec_ProgressiveDecoder::GifInputRecordPositionBufCallback+0x00000059 [core\fxcodec\codec\fx_codec_progress.cpp @ 642]
01761c81 pdfium_test!gif_get_record_position+0x00000051 [core\fxcodec\codec\fx_codec_gif.cpp @ 67]
01765548 pdfium_test!gif_load_frame+0x00000148 [core\fxcodec\lgif\fx_gif.cpp @ 862]
01761965 pdfium_test!CCodec_GifModule::LoadFrame+0x00000035 [core\fxcodec\codec\fx_codec_gif.cpp @ 146]
0175ded9 pdfium_test!CCodec_ProgressiveDecoder::ContinueDecode+0x00000219 [core\fxcodec\codec\fx_codec_progress.cpp @ 2119]
01601b22 pdfium_test!XFA_LoadImageFromBuffer+0x000001b2 [xfa\fxfa\app\xfa_ffwidget.cpp @ 1107]
01601927 pdfium_test!XFA_LoadImageData+0x00000277 [xfa\fxfa\app\xfa_ffwidget.cpp @ 1032]
015f514b pdfium_test!CXFA_ImageLayoutData::LoadImageData+0x0000006b [xfa\fxfa\app\xfa_ffwidgetacc.cpp @ 96]
015f51b1 pdfium_test!CXFA_WidgetAcc::LoadImageImage+0x00000011 [xfa\fxfa\app\xfa_ffwidgetacc.cpp @ 1002]
015ecfa8 pdfium_test!CXFA_FFPageWidgetIterator::MoveToNext+0x00000018 [xfa\fxfa\app\xfa_ffpageview.cpp @ 166]
013c96b7 pdfium_test!CPDFSDK_Document::GetPageView+0x00000087 [fpdfsdk\fsdk_mgr.cpp @ 268]
013be73e pdfium_test!FORM_OnAfterLoadPage+0x0000002e [fpdfsdk\fpdfformfill.cpp @ 642]
013b5517 pdfium_test!RenderPage+0x00000047 [samples\pdfium_test.cc @ 498]
013b5b02 pdfium_test!RenderPdf+0x00000302 [samples\pdfium_test.cc @ 694]
013bbb1e pdfium_test!main+0x0000042e [samples\pdfium_test.cc @ 836]
016f05d6 pdfium_test!__scrt_common_main_seh+0x000000ff [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 264]
7528338a kernel32!BaseThreadInitThunk+0x0000000e
77589a02 ntdll!__RtlUserThreadStart+0x00000070
775899d5 ntdll!_RtlUserThreadStart+0x0000001b
---------------------------
Source Code Information
---------------------------
case 12: {
  if (m_pBmpContext) {
    int des_r = 0, des_g = 0, des_b = 0;
    for (int j = pPixelWeights->m_SrcStart; j <= pPixelWeights->m_SrcEnd;
         j++) {
      int pixel_weight =
          pPixelWeights->m_Weights[j - pPixelWeights->m_SrcStart];
      unsigned long argb = m_pSrcPalette[src_scan[j]];
      des_r += pixel_weight * (uint8_t)(argb >> 16);
      des_g += pixel_weight * (uint8_t)(argb >> 8);
      des_b += pixel_weight * (uint8_t)argb;
    }
    *des_scan++ = (uint8_t)((des_b) >> 16);
    *des_scan++ = (uint8_t)((des_g) >> 16);
    *des_scan++ = (uint8_t)((des_r) >> 16);
    *des_scan++ = 0xFF;
  } else {
    int des_a = 0, des_r = 0, des_g = 0, des_b = 0;
    for (int j = pPixelWeights->m_SrcStart; j <= pPixelWeights->m_SrcEnd;
         j++) {
      int pixel_weight =
          pPixelWeights->m_Weights[j - pPixelWeights->m_SrcStart];
      unsigned long argb = m_pSrcPalette[src_scan[j]];  // <------------------ CRASHED!!!
      des_a += pixel_weight * (uint8_t)(argb >> 24);
      des_r += pixel_weight * (uint8_t)(argb >> 16);
      des_g += pixel_weight * (uint8_t)(argb >> 8);
      des_b += pixel_weight * (uint8_t)argb;
    }
    *des_scan++ = (uint8_t)((des_b) >> 16);
    *des_scan++ = (uint8_t)((des_g) >> 16);
    *des_scan++ = (uint8_t)((des_r) >> 16);
    *des_scan++ = (uint8_t)((des_a) >> 16);
  }
} break;
---------------------------
Stacktrace Information
---------------------------
0:000> k
ChildEBP RetAddr
0028f680 0175f776 pdfium_test!CCodec_ProgressiveDecoder::ReSampleScanline+0x56b [core\fxcodec\codec\fx_codec_progress.cpp @ 1595]
0028f6bc 01761caa pdfium_test!CCodec_ProgressiveDecoder::GifReadScanlineCallback+0x126 [core\fxcodec\codec\fx_codec_progress.cpp @ 744]
0028f6d0 017657d1 pdfium_test!gif_read_scanline+0x1a [core\fxcodec\codec\fx_codec_gif.cpp @ 50]
0028f700 01761965 pdfium_test!gif_load_frame+0x3d1 [core\fxcodec\lgif\fx_gif.cpp @ 924]
0028f724 0175ded9 pdfium_test!CCodec_GifModule::LoadFrame+0x35 [core\fxcodec\codec\fx_codec_gif.cpp @ 146]
0028f768 01601b22 pdfium_test!CCodec_ProgressiveDecoder::ContinueDecode+0x219 [core\fxcodec\codec\fx_codec_progress.cpp @ 2119]
0028f7d0 01601927 pdfium_test!XFA_LoadImageFromBuffer+0x1b2 [xfa\fxfa\app\xfa_ffwidget.cpp @ 1107]
0028f828 015f514b pdfium_test!XFA_LoadImageData+0x277 [xfa\fxfa\app\xfa_ffwidget.cpp @ 1032]
0028f85c 015f51b1 pdfium_test!CXFA_ImageLayoutData::LoadImageData+0x6b [xfa\fxfa\app\xfa_ffwidgetacc.cpp @ 96]
0028f868 0167a488 pdfium_test!CXFA_WidgetAcc::LoadImageImage+0x11 [xfa\fxfa\app\xfa_ffwidgetacc.cpp @ 1002]
0028f870 015ecd83 pdfium_test!CXFA_FFImage::LoadWidget+0x28 [xfa\fxfa\app\xfa_ffimage.cpp @ 28]
0028f884 015ecfa8 pdfium_test!CXFA_FFPageWidgetIterator::GetWidget+0x83 [xfa\fxfa\app\xfa_ffpageview.cpp @ 198]
0028f894 013c9f4d pdfium_test!CXFA_FFPageWidgetIterator::MoveToNext+0x18 [xfa\fxfa\app\xfa_ffpageview.cpp @ 166]
0028f8c4 013c96b7 pdfium_test!CPDFSDK_PageView::LoadFXAnnots+0x8d [fpdfsdk\fsdk_mgr.cpp @ 921]
0028f8d8 013be73e pdfium_test!CPDFSDK_Document::GetPageView+0x87 [fpdfsdk\fsdk_mgr.cpp @ 268]
(Inline) -------- pdfium_test!?A0x06ce08b4::FormHandleToPageView+0x2a [fpdfsdk\fpdfformfill.cpp @ 45]
0028f8ec 013b5517 pdfium_test!FORM_OnAfterLoadPage+0x2e [fpdfsdk\fpdfformfill.cpp @ 642]
0028f9e0 013b5b02 pdfium_test!RenderPage+0x47 [samples\pdfium_test.cc @ 498]
0028fafc 013bbb1e pdfium_test!RenderPdf+0x302 [samples\pdfium_test.cc @ 694]
0028fc38 016f05d6 pdfium_test!main+0x42e [samples\pdfium_test.cc @ 836]
(Inline) -------- pdfium_test!invoke_main+0x1d [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 74]
0028fc84 7528338a pdfium_test!__scrt_common_main_seh+0xff [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 264]
0028fc90 77589a02 kernel32!BaseThreadInitThunk+0xe
0028fcd0 775899d5 ntdll!__RtlUserThreadStart+0x70
0028fce8 00000000 ntdll!_RtlUserThreadStart+0x1b
---------------------------
PoC Diff
---------------------------
I've tried to do some difference-reduction work, but there were too many changes between the original gif file and the mutated gif file.
VERSION
Chrome Version: [52.0.2743.19] + [dev]
Operating System: [Windows 7 SP1]
REPRODUCTION CASE
The original normal gif file, the malformed gif file, and the proof-of-concept PDF file are all attached.
FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: [tab]
Jun 2 2016

Jun 3 2016
This time I will attach the minimized proof-of-concept files. The difference between the seed image and proof-of-concept image has been reduced to one byte. The 10th byte of the gif image was changed from 0xF7 to 0x77. This mutation could crash pdfium.
---------
SEED
---------
struct Gif.LogicalScreenDescriptor.PackedFields {  // 0xF7
  UBYTE GlobalColorTableFlag : 1;                  // 1
  UBYTE ColorResolution : 3;                       // 7
  UBYTE SortFlag : 1;                              // 0
  UBYTE SizeOfGlobalColorTable : 3;                // 7
}
---------
POC
---------
struct Gif.LogicalScreenDescriptor.PackedFields {  // 0x77
  UBYTE GlobalColorTableFlag : 1;                  // 0 <-------- flipped
  UBYTE ColorResolution : 3;                       // 7
  UBYTE SortFlag : 1;                              // 0
  UBYTE SizeOfGlobalColorTable : 3;                // 7
}
To conclude, the |GlobalColorTableFlag| was flipped from 1 to 0.
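The mechanism behind that one-byte flip, as an added example rather than PDFium's own code: the packed byte still advertises a 256-entry colour table size, but with the flag clear no global colour table follows, so the decoder ends up with a far smaller palette while the LZW-decoded pixel indices still span 0..255. The resampling loop in the report indexes `m_pSrcPalette[src_scan[j]]` with no check against the palette length, which is the out-of-bounds read. The code below parses the packed fields, derives the real palette length, and performs the same weighted lookup with the check the original lacked. All names (`gif_packed_fields`, `resample_scanline_checked`, `decode_scanline_for_packed_byte`) are constructed for this example, and the 2-entry fallback palette is an assumption drawn from the 8-byte allocation in the heap information above, not PDFium's documented behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Packed Fields byte of the GIF Logical Screen Descriptor, the byte at offset
 * 10 that the report flips from 0xF7 to 0x77. Bit layout per GIF89a. */
typedef struct {
    unsigned global_color_table_flag;    /* bit 7 */
    unsigned color_resolution;           /* bits 6..4 */
    unsigned sort_flag;                  /* bit 3 */
    unsigned size_of_global_color_table; /* bits 2..0 */
} gif_packed_fields;

gif_packed_fields parse_packed_fields(uint8_t b) {
    gif_packed_fields f;
    f.global_color_table_flag = (b >> 7) & 1u;
    f.color_resolution = (b >> 4) & 7u;
    f.sort_flag = (b >> 3) & 1u;
    f.size_of_global_color_table = b & 7u;
    return f;
}

/* Entries the global colour table really carries: 2^(N+1) only when the flag
 * is set. In the PoC the size field still reads 7, so code that trusts the
 * size field alone would believe in 256 entries that are not there. */
size_t global_palette_entries(gif_packed_fields f) {
    if (!f.global_color_table_flag)
        return 0;
    return (size_t)1 << (f.size_of_global_color_table + 1);
}

/* Source pixels contributing to one destination pixel and their 16.16
 * fixed-point weights (summing to 65536); same shape as m_SrcStart /
 * m_SrcEnd / m_Weights in the report's loop. */
#define MAX_TAPS 4
typedef struct {
    int src_start;
    int src_end;
    int weights[MAX_TAPS];
} pixel_weights;

/* The report's weighted palette lookup with the bounds check it lacked.
 * palette holds ARGB; dst receives BGRA (4 bytes per destination pixel).
 * Returns 0 on success, -1 if any pixel index lies outside the palette or the
 * weight table is malformed. Nothing is read out of bounds on failure. */
int resample_scanline_checked(const uint32_t *palette, size_t palette_entries,
                              const uint8_t *src_scan, size_t src_width,
                              const pixel_weights *pw, size_t dst_width,
                              uint8_t *dst) {
    for (size_t x = 0; x < dst_width; x++) {
        const pixel_weights *w = &pw[x];
        int des_a = 0, des_r = 0, des_g = 0, des_b = 0;
        if (w->src_start < 0 || w->src_end < w->src_start ||
            (size_t)w->src_end >= src_width || w->src_end - w->src_start >= MAX_TAPS)
            return -1;
        for (int j = w->src_start; j <= w->src_end; j++) {
            int pixel_weight = w->weights[j - w->src_start];
            size_t idx = src_scan[j];
            if (idx >= palette_entries)
                return -1; /* index past the palette: reject instead of reading */
            uint32_t argb = palette[idx];
            des_a += pixel_weight * (uint8_t)(argb >> 24);
            des_r += pixel_weight * (uint8_t)(argb >> 16);
            des_g += pixel_weight * (uint8_t)(argb >> 8);
            des_b += pixel_weight * (uint8_t)argb;
        }
        *dst++ = (uint8_t)(des_b >> 16);
        *dst++ = (uint8_t)(des_g >> 16);
        *dst++ = (uint8_t)(des_r >> 16);
        *dst++ = (uint8_t)(des_a >> 16);
    }
    return 0;
}

/* Constructed stand-in for one frame: a 256-pixel scanline whose indices run
 * 0..255, decoded against the palette implied by a packed byte. When the flag
 * is clear we assume a 2-entry fallback palette (the report's heap info shows
 * an 8-byte allocation, i.e. two 4-byte ARGB entries; an assumption here, not
 * PDFium's documented behaviour). Returns the resampler's status. */
int decode_scanline_for_packed_byte(uint8_t packed_byte) {
    enum { WIDTH = 256 };
    uint32_t palette[256];
    uint8_t src_scan[WIDTH], dst[WIDTH * 4];
    pixel_weights pw[WIDTH];
    size_t entries = global_palette_entries(parse_packed_fields(packed_byte));
    if (entries == 0)
        entries = 2; /* assumed fallback when no global colour table exists */
    for (size_t i = 0; i < entries; i++)
        palette[i] = 0xFF000000u | ((uint32_t)i * 0x010101u); /* opaque greys */
    for (int x = 0; x < WIDTH; x++) {
        src_scan[x] = (uint8_t)x;            /* every index 0..255 appears once */
        pw[x].src_start = pw[x].src_end = x; /* 1:1 resample */
        pw[x].weights[0] = 1 << 16;          /* weight 1.0 */
    }
    return resample_scanline_checked(palette, entries, src_scan, WIDTH, pw, WIDTH, dst);
}

int main(void) {
    printf("0xF7 (flag=1, 256 entries): %d\n", decode_scanline_for_packed_byte(0xF7));
    printf("0x77 (flag=0, fallback palette): %d\n", decode_scanline_for_packed_byte(0x77));
    return 0;
}
```

With the seed byte 0xF7 every index resolves and the scanline decodes; with the PoC byte 0x77 the first index beyond the fallback palette is refused before any memory is touched. Checking at lookup time is one placement for the guard; the fix landed later in this thread rejects out-of-palette colour codes during LZW decompression instead, which catches the same condition earlier and lets the decode fail as a whole rather than produce a partial bitmap.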
Jun 3 2016
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5712389257560064
Jun 3 2016
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=4859911976779776
Jun 3 2016
Thanks for the report. tsepez, when it rains it pours...! PTAL?
Jun 3 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4859911976779776
Uploader: felt@google.com
Job Type: linux_asan_pdfium
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x60900000209c
Crash State:
  CCodec_ProgressiveDecoder::ReSampleScanline
  CCodec_ProgressiveDecoder::GifReadScanlineCallback
  gif_load_frame
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_pdfium&range=393856:393893
Minimized Testcase (5.42 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97-WTTEvE5sX8FVcA_mJC3KM2T-CabbufIRiZG9YQwgpXYwuAnGlzyWxYGeTRy8xQ6_DJt59BqdDfWcVcstuX0wTL4MWSdibU9Mcxiodm4X0OnsoHI7GZF_pokdg2Nm3surKXJ_LwKTVum1Cgt8CwBXYJNtrg
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 3 2016

Jun 3 2016

Jun 3 2016

Jun 3 2016
hong_zhang, could you please route this security bug to the appropriate person? thanks.
Jun 4 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jun 8 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4602825703424000
Uploader: felt@google.com
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x60900000ed5c
Crash State:
  CCodec_ProgressiveDecoder::ReSampleScanline
  CCodec_ProgressiveDecoder::GifReadScanlineCallback
  gif_load_frame
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=393856:393893
Minimized Testcase (5.42 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94yML7H2Gy2f631uNxuwgj_OJFwl3iIOGEzcWby139fX_GWR93mrpnarGffBnMvelAFohLztc_itTp7MMnSDdDSezMjDzVA-N0AiuOgwRMczxcmaPjh3xeoi4iTHjAorw_rhXafYCJwTyqTTmELU-lbpRO_lg
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 10 2016
ClusterFuzz has detected this issue as fixed in range 399086:399117.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4859911976779776
Uploader: felt@google.com
Job Type: linux_asan_pdfium
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x60900000209c
Crash State:
  CCodec_ProgressiveDecoder::ReSampleScanline
  CCodec_ProgressiveDecoder::GifReadScanlineCallback
  gif_load_frame
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_pdfium&range=393856:393893
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_pdfium&range=399086:399117
Minimized Testcase (5.42 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97-WTTEvE5sX8FVcA_mJC3KM2T-CabbufIRiZG9YQwgpXYwuAnGlzyWxYGeTRy8xQ6_DJt59BqdDfWcVcstuX0wTL4MWSdibU9Mcxiodm4X0OnsoHI7GZF_pokdg2Nm3surKXJ_LwKTVum1Cgt8CwBXYJNtrg
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 10 2016
ClusterFuzz has detected this issue as fixed in range 399086:399117.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4602825703424000
Uploader: felt@google.com
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x60900000ed5c
Crash State:
  CCodec_ProgressiveDecoder::ReSampleScanline
  CCodec_ProgressiveDecoder::GifReadScanlineCallback
  gif_load_frame
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=393856:393893
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=399086:399117
Minimized Testcase (5.42 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94yML7H2Gy2f631uNxuwgj_OJFwl3iIOGEzcWby139fX_GWR93mrpnarGffBnMvelAFohLztc_itTp7MMnSDdDSezMjDzVA-N0AiuOgwRMczxcmaPjh3xeoi4iTHjAorw_rhXafYCJwTyqTTmELU-lbpRO_lg
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 13 2016

Jun 14 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jun 14 2016

Jun 14 2016
Sorry for the incorrect ClusterFuzz update, please ignore it. Reopening bug.
Jun 15 2016
[Bulk edit] Per inferno@, Security_Impact=None bugs should not be release blockers.
Jun 15 2016

Jun 16 2016

Jun 22 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5687426890858496
Fuzzer: pdf_codec_gif_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x60300000ed3c
Crash State:
  CCodec_ProgressiveDecoder::ReSampleScanline
  CCodec_ProgressiveDecoder::GifReadScanlineCallback
  gif_load_frame
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=400757:400887
Minimized Testcase (0.17 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94FD_pZpsR06g0bI-TG8gbBohMzzmCKVriqnunDi3iAkHgFLD2ysvW6qmdnzql7SvCnTwzqMfzx_C88pkvE8k-3G_0IW6YSjU5Ugl3OnGbQ5thTELKr6d2wHTfhE4spUmzw8wqtZPJ9nvo__1nUPPgEdvJs0A?testcase_id=5687426890858496
Filer: mmoroz
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Jul 31 2016
ClusterFuzz has detected this issue as fixed in range 408652:408744.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5687426890858496
Fuzzer: pdf_codec_gif_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x60300000ed3c
Crash State:
  CCodec_ProgressiveDecoder::ReSampleScanline
  CCodec_ProgressiveDecoder::GifReadScanlineCallback
  gif_load_frame
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=400757:400887
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=408652:408744
Minimized Testcase (0.17 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94FD_pZpsR06g0bI-TG8gbBohMzzmCKVriqnunDi3iAkHgFLD2ysvW6qmdnzql7SvCnTwzqMfzx_C88pkvE8k-3G_0IW6YSjU5Ugl3OnGbQ5thTELKr6d2wHTfhE4spUmzw8wqtZPJ9nvo__1nUPPgEdvJs0A?testcase_id=5687426890858496
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 1 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6010965573500928
Fuzzer: afl_pdf_codec_gif_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x60a00000ecf0
Crash State:
  CCodec_ProgressiveDecoder::ReSampleScanline
  CCodec_ProgressiveDecoder::GifReadScanlineCallback
  gif_load_frame
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=402185:402404
Minimized Testcase (0.19 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94uAyHmXqa3aXCUJBkPUaMUj1M50TTjGap1PrO4tU4fmA7h2KnvCCoaOBZz0A4ftNK3p_reOJmcoRmPUFHkD_TlJRM-xFh_HlovtD5-1nxjgNsKjcLV3Q_Cr1i3sCVljyHV3-zXj2ikekUoFOipqG7bf7MOgw?testcase_id=6010965573500928
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Oct 8 2016
Kind reminder: this issue is still reproducible.
Oct 14 2016

Dec 5 2016
ClusterFuzz testcase is flaky and no longer reproduces, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Dec 6 2016
==23891==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf072ed1c at pc 0x09ea497b bp 0xff867ac8 sp 0xff867ac0
READ of size 4 at 0xf072ed1c thread T0
#0 0x9ea497a in CCodec_ProgressiveDecoder::ReSampleScanline(CFX_DIBitmap*, int, unsigned char*, CCodec_ProgressiveDecoder::FXCodec_Format) core/fxcodec/codec/fx_codec_progress.cpp:1618:34
#1 0x9ea192c in CCodec_ProgressiveDecoder::GifReadScanlineCallback(void*, int, unsigned char*) core/fxcodec/codec/fx_codec_progress.cpp:769:11
#2 0x9ed37d7 in gif_read_scanline(tag_gif_decompress_struct*, int, unsigned char*) core/fxcodec/codec/fx_codec_gif.cpp:50:3
#3 0x9f036a0 in gif_load_frame(tag_gif_decompress_struct*, int) core/fxcodec/lgif/fx_gif.cpp:931:11
#4 0x9ed4836 in CCodec_GifModule::LoadFrame(FXGIF_Context*, int, CFX_DIBAttribute*) core/fxcodec/codec/fx_codec_gif.cpp:146:17
#5 0x9ebc0f6 in CCodec_ProgressiveDecoder::ContinueDecode(IFX_Pause*) core/fxcodec/codec/fx_codec_progress.cpp:2166:25
#6 0x94b5f61 in XFA_LoadImageFromBuffer(IFX_SeekableReadStream*, FXCODEC_IMAGE_TYPE, int&, int&) xfa/fxfa/app/xfa_ffwidget.cpp:1167:28
#7 0x94b414f in XFA_LoadImageData(CXFA_FFDoc*, CXFA_Image*, bool&, int&, int&) xfa/fxfa/app/xfa_ffwidget.cpp:1095:7
#8 0x94e1903 in CXFA_ImageLayoutData::LoadImageData(CXFA_WidgetAcc*) xfa/fxfa/app/xfa_ffwidgetacc.cpp:97:25
#9 0x94d4431 in CXFA_WidgetAcc::LoadImageImage() xfa/fxfa/app/xfa_ffwidgetacc.cpp:999:9
#10 0x99260ff in CXFA_FFImage::LoadWidget() xfa/fxfa/app/xfa_ffimage.cpp:27:17
#11 0x94834c8 in CXFA_FFPageWidgetIterator::GetWidget(CXFA_LayoutItem*) xfa/fxfa/app/xfa_ffpageview.cpp:208:16
#12 0x948364e in CXFA_FFPageWidgetIterator::MoveToNext() xfa/fxfa/app/xfa_ffpageview.cpp:178:34
#13 0x824dac9 in CPDFSDK_PageView::LoadFXAnnots() fpdfsdk/cpdfsdk_pageview.cpp:411:54
#14 0x8215b4f in CPDFSDK_FormFillEnvironment::GetPageView(CPDFXFA_Page*, bool) fpdfsdk/cpdfsdk_formfillenvironment.cpp:587:14
#15 0x81d12d9 in (anonymous namespace)::FormHandleToPageView(void*, void*) fpdfsdk/fpdfformfill.cpp:58:39
#16 0x81d5c4d in FORM_OnAfterLoadPage fpdfsdk/fpdfformfill.cpp:657:37
#17 0x8150ff7 in GetPageForIndex(_FPDF_FORMFILLINFO*, void*, int) samples/pdfium_test.cc:590:3
#18 0x815142d in RenderPage(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, void*, void*&, FPDF_FORMFILLINFO_PDFiumTest&, int, Options const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) samples/pdfium_test.cc:604:20
#19 0x8155e1b in RenderPdf(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, char const*, unsigned int, Options const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) samples/pdfium_test.cc:820:9
#20 0x8159987 in main samples/pdfium_test.cc:955:5
#21 0xf3ff7636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
0xf072ed1c is located 4 bytes to the right of 8-byte region [0xf072ed10,0xf072ed18)
allocated by thread T0 here:
#0 0x8108e06 in __interceptor_calloc (/home/worker/Desktop/repo/pdfium/out/Debug/pdfium_test+0x8108e06)
#1 0x81f2d5d in FX_AllocOrDie(unsigned int, unsigned int) core/fxcrt/fx_memory.h:40:22
#2 0x9e9faf7 in CCodec_ProgressiveDecoder::GifInputRecordPositionBufCallback(void*, unsigned int, FX_RECT const&, int, void*, int, bool, int, int, bool) core/fxcodec/codec/fx_codec_progress.cpp:666:29
#3 0x9ed3c07 in gif_get_record_position(tag_gif_decompress_struct*, unsigned int, int, int, int, int, int, void*, int, bool, int, int, bool) core/fxcodec/codec/fx_codec_gif.cpp:67:10
#4 0x9f02721 in gif_load_frame(tag_gif_decompress_struct*, int) core/fxcodec/lgif/fx_gif.cpp:876:19
#5 0x9ed4836 in CCodec_GifModule::LoadFrame(FXGIF_Context*, int, CFX_DIBAttribute*) core/fxcodec/codec/fx_codec_gif.cpp:146:17
#6 0x9ebc0f6 in CCodec_ProgressiveDecoder::ContinueDecode(IFX_Pause*) core/fxcodec/codec/fx_codec_progress.cpp:2166:25
#7 0x94b5f61 in XFA_LoadImageFromBuffer(IFX_SeekableReadStream*, FXCODEC_IMAGE_TYPE, int&, int&) xfa/fxfa/app/xfa_ffwidget.cpp:1167:28
#8 0x94b414f in XFA_LoadImageData(CXFA_FFDoc*, CXFA_Image*, bool&, int&, int&) xfa/fxfa/app/xfa_ffwidget.cpp:1095:7
#9 0x94e1903 in CXFA_ImageLayoutData::LoadImageData(CXFA_WidgetAcc*) xfa/fxfa/app/xfa_ffwidgetacc.cpp:97:25
#10 0x94d4431 in CXFA_WidgetAcc::LoadImageImage() xfa/fxfa/app/xfa_ffwidgetacc.cpp:999:9
#11 0x99260ff in CXFA_FFImage::LoadWidget() xfa/fxfa/app/xfa_ffimage.cpp:27:17
#12 0x94834c8 in CXFA_FFPageWidgetIterator::GetWidget(CXFA_LayoutItem*) xfa/fxfa/app/xfa_ffpageview.cpp:208:16
#13 0x948364e in CXFA_FFPageWidgetIterator::MoveToNext() xfa/fxfa/app/xfa_ffpageview.cpp:178:34
#14 0x824dac9 in CPDFSDK_PageView::LoadFXAnnots() fpdfsdk/cpdfsdk_pageview.cpp:411:54
#15 0x8215b4f in CPDFSDK_FormFillEnvironment::GetPageView(CPDFXFA_Page*, bool) fpdfsdk/cpdfsdk_formfillenvironment.cpp:587:14
#16 0x81d12d9 in (anonymous namespace)::FormHandleToPageView(void*, void*) fpdfsdk/fpdfformfill.cpp:58:39
#17 0x81d5c4d in FORM_OnAfterLoadPage fpdfsdk/fpdfformfill.cpp:657:37
#18 0x8150ff7 in GetPageForIndex(_FPDF_FORMFILLINFO*, void*, int) samples/pdfium_test.cc:590:3
#19 0x815142d in RenderPage(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, void*, void*&, FPDF_FORMFILLINFO_PDFiumTest&, int, Options const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) samples/pdfium_test.cc:604:20
#20 0x8155e1b in RenderPdf(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, char const*, unsigned int, Options const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) samples/pdfium_test.cc:820:9
#21 0x8159987 in main samples/pdfium_test.cc:955:5
#22 0xf3ff7636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
SUMMARY: AddressSanitizer: heap-buffer-overflow core/fxcodec/codec/fx_codec_progress.cpp:1618:34 in CCodec_ProgressiveDecoder::ReSampleScanline(CFX_DIBitmap*, int, unsigned char*, CCodec_ProgressiveDecoder::FXCodec_Format)
Shadow bytes around the buggy address:
0x3e0e5d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3e0e5d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3e0e5d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3e0e5d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3e0e5d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x3e0e5da0: fa fa 00[fa]fa fa 04 fa fa fa 00 01 fa fa 05 fa
0x3e0e5db0: fa fa 06 fa fa fa 00 00 fa fa 04 fa fa fa 00 00
0x3e0e5dc0: fa fa 04 fa fa fa 04 fa fa fa 00 00 fa fa 00 fa
0x3e0e5dd0: fa fa 00 04 fa fa 04 fa fa fa 00 00 fa fa 04 fa
0x3e0e5de0: fa fa fd fd fa fa fd fd fa fa 00 04 fa fa fd fd
0x3e0e5df0: fa fa fd fd fa fa fd fd fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==23891==ABORTING
Dec 6 2016
Hello, this issue is still reproducible, please re-open it and mark it as ClusterFuzz-Wrong, thanks.
Dec 6 2016

Dec 7 2016

Mar 16 2017

Jul 27 2017
Any chance to fix this? There are other variants of this crash, e.g. https://clusterfuzz.com/v2/testcase-detail/5305773927432192
In total, this crash happens in 97+% of fuzzer runs: https://clusterfuzz.com/v2/performance-report/libFuzzer_pdf_codec_gif_fuzzer/libfuzzer_chrome_asan/latest
It's a real blocker for gaining new coverage and performing continuous testing.
Jul 27 2017

Jul 27 2017
It might help if it were assigned to a team member rather than FX.
Jul 28 2017
Is this really Security_Impact=None? This should affect prod, no?
Jul 28 2017
dsinclair: Uh oh! This issue still open and hasn't been updated in the last 233 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 28 2017
XFA_LoadImageFromBuffer is XFA, which is not enabled in any stable branch.
Aug 29 2017

Sep 18 2017
We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.
Sep 19 2017

Sep 20 2017

Sep 20 2017

Sep 22 2017
The following revision refers to this bug: https://pdfium.googlesource.com/pdfium/+/73bed4ef57444a2ea066d532a8a82b230fd206d9

commit 73bed4ef57444a2ea066d532a8a82b230fd206d9
Author: Ryan Harrison <rharrison@chromium.org>
Date: Fri Sep 22 15:03:06 2017

Fix crash when rendering invalid GIF

The core fix in this CL is a change to how LZW decompression works, so that when the min code table size and the color palette size are different, color codes after the end of the defined color palette are considered errors.

This CL also introduces a bunch of tweaks to the call return path, since there were multiple locations where the GIF decode failing status was being dropped on the floor, so the end widget would have a bitmap with the default colour in it, instead of nothing.

BUG= chromium:616671
Change-Id: Id6f40d552dc24650c91e9903f710ff2fa63bc774
Reviewed-on: https://pdfium-review.googlesource.com/14630
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: dsinclair <dsinclair@chromium.org>

[modify] https://crrev.com/73bed4ef57444a2ea066d532a8a82b230fd206d9/core/fxcodec/lgif/cgifcontext.cpp
[modify] https://crrev.com/73bed4ef57444a2ea066d532a8a82b230fd206d9/core/fxcodec/lgif/fx_gif.cpp
[modify] https://crrev.com/73bed4ef57444a2ea066d532a8a82b230fd206d9/core/fxcodec/codec/fx_codec_progress.cpp
[modify] https://crrev.com/73bed4ef57444a2ea066d532a8a82b230fd206d9/core/fxcodec/fx_codec_def.h
[modify] https://crrev.com/73bed4ef57444a2ea066d532a8a82b230fd206d9/xfa/fxfa/cxfa_ffwidget.cpp
[modify] https://crrev.com/73bed4ef57444a2ea066d532a8a82b230fd206d9/core/fxcodec/lgif/fx_gif.h
[modify] https://crrev.com/73bed4ef57444a2ea066d532a8a82b230fd206d9/core/fxcodec/lgif/cgifcontext.h
[modify] https://crrev.com/73bed4ef57444a2ea066d532a8a82b230fd206d9/xfa/fxfa/cxfa_ffimage.cpp
[modify] https://crrev.com/73bed4ef57444a2ea066d532a8a82b230fd206d9/core/fxcodec/codec/ccodec_gifmodule.cpp
[modify] https://crrev.com/73bed4ef57444a2ea066d532a8a82b230fd206d9/xfa/fxfa/cxfa_ffpageview.cpp
[modify] https://crrev.com/73bed4ef57444a2ea066d532a8a82b230fd206d9/core/fxcodec/codec/ccodec_progressivedecoder.h
[modify] https://crrev.com/73bed4ef57444a2ea066d532a8a82b230fd206d9/testing/libfuzzer/xfa_codec_fuzzer.h
Sep 22 2017

Sep 22 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/62d2414587ea6ba0c55952dae9064788db264ac0

commit 62d2414587ea6ba0c55952dae9064788db264ac0
Author: pdfium-deps-roller@chromium.org <pdfium-deps-roller@chromium.org>
Date: Fri Sep 22 16:18:00 2017

Roll src/third_party/pdfium/ 0150a5455..73bed4ef5 (1 commit)

https://pdfium.googlesource.com/pdfium.git/+log/0150a5455829..73bed4ef5744

$ git log 0150a5455..73bed4ef5 --date=short --no-merges --format='%ad %ae %s'
2017-09-22 rharrison Fix crash when rendering invalid GIF

Created with:
  roll-dep src/third_party/pdfium

BUG= 616671

Documentation for the AutoRoller is here: https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, see: http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls

TBR=dsinclair@chromium.org
Change-Id: I057608cd564cde4d6a11c4ebffd04a192133e43f
Reviewed-on: https://chromium-review.googlesource.com/678914
Reviewed-by: <pdfium-deps-roller@chromium.org>
Commit-Queue: <pdfium-deps-roller@chromium.org>
Cr-Commit-Position: refs/heads/master@{#503759}

[modify] https://crrev.com/62d2414587ea6ba0c55952dae9064788db264ac0/DEPS
Dec 30 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot