
Issue 617879


Issue metadata

Status: Verified
Owner: ----
Closed: Feb 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug




Undefined-shift in tt_face_load_hmtx

Project Member Reported by ClusterFuzz, Jun 7 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5511483371028480

Fuzzer: libfuzzer_pdfium_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Undefined-shift
Crash Address: 
Crash State:
  tt_face_load_hmtx
  sfnt_load_face
  tt_face_init
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=397764:398208

Minimized Testcase (0.22 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96ecYXctltJkrQRE2gwoWYocqmJnVggDuul_oT5muDJMUEOCLveW3fegq3dPJruqZnU2eFB_ZHMrKoA2JxurdaoaT6WlZr53knUlv3-q9GnnK4svvQVH3691MhjRHp8EQhW7feF2kUZJlhiiM3I0yeVlmlKOg
o/Im2/INPe%PDF!rerd'�%kdce
trailer<</Root 4 10 R[/AbrF!orm4 4 obj<<>ore%QLFerd/SemiCh2densede;<<
traile</Pages 4 20 R[/Abr 1/Contens[0.0 0.0 0.0 )0.0 0.0<</Contents<<.02/3DVie:�1 0]/Flter
/Keyword>>stream
Tf/CAM
endobj
/


Filer: mmoroz

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
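An added C example (not FreeType, PDFium or Chromium code, and not the fix for this bug) showing what UBSan's "Undefined-shift" crash type means and how a bounds-checked big-endian reader for hmtx-style fields avoids it. The hmtx entry layout (uint16 advanceWidth followed by int16 lsb) is from the OpenType specification; the function names, the parser and the sample bytes are constructed for illustration and say nothing about the actual expression in tt_face_load_hmtx:

```c
/* Added example, not code from FreeType, PDFium or this bug's fix.
 * "Undefined-shift" is what UBSan (-fsanitize=shift) reports when a C shift
 * expression has undefined behaviour. This file shows the three conditions
 * that trigger it and a way of parsing big-endian font fields (such as the
 * advanceWidth/lsb pairs a TrueType hmtx table holds) that never hits them.
 * The hmtx layout is from the OpenType spec; the parsing code is hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Returns 1 when `value << count` is well defined for a 32-bit signed int:
 * count in [0,31], value non-negative, and no bit shifted into or past the
 * sign bit. These are exactly the cases -fsanitize=shift flags in C. */
int shift_is_defined(int32_t value, int count)
{
    if (count < 0 || count > 31) return 0;    /* shift count out of range */
    if (value < 0) return 0;                  /* negative left operand */
    return value <= (INT32_MAX >> count);     /* result must fit the type */
}

/* Read an unsigned 16-bit big-endian field. The byte is promoted to int, so
 * p[0] << 8 is at most 0xFF00 and stays well defined. */
uint16_t read_u16be(const uint8_t *p)
{
    return (uint16_t)(((unsigned)p[0] << 8) | p[1]);
}

/* Read a signed 16-bit big-endian field without ever left-shifting a negative
 * number: assemble the unsigned value, widen it, and subtract 0x10000 when the
 * sign bit is set. */
int16_t read_s16be(const uint8_t *p)
{
    uint16_t u = read_u16be(p);
    int32_t v = (int32_t)u;
    if (u & 0x8000u) v -= 0x10000;
    return (int16_t)v;
}

/* One hmtx entry: uint16 advanceWidth followed by int16 lsb (4 bytes). */
typedef struct { uint16_t advance; int16_t lsb; } hmtx_entry;

/* Parse `count` entries from `buf`, refusing a buffer that is too short
 * (a truncated table is exactly the input a fuzzer produces). Returns the
 * number of entries parsed, 0 on a length mismatch. */
size_t parse_hmtx(const uint8_t *buf, size_t len, size_t count, hmtx_entry *out)
{
    if (len / 4 < count) return 0;
    for (size_t i = 0; i < count; i++) {
        out[i].advance = read_u16be(buf + 4 * i);
        out[i].lsb     = read_s16be(buf + 4 * i + 2);
    }
    return count;
}

/* Constructed sample table: two entries, the second with a negative lsb. */
static const uint8_t sample_hmtx[] = {
    0x02, 0x58, 0x00, 0x32,   /* advance 600, lsb 50   */
    0x01, 0xF4, 0xFF, 0x9C,   /* advance 500, lsb -100 */
};

int main(void)
{
    hmtx_entry e[2];
    size_t n = parse_hmtx(sample_hmtx, sizeof sample_hmtx, 2, e);
    for (size_t i = 0; i < n; i++)
        printf("glyph %zu: advance=%u lsb=%d\n", i, e[i].advance, e[i].lsb);
    printf("1<<31 defined? %d, -1<<1 defined? %d\n",
           shift_is_defined(1, 31), shift_is_defined(-1, 1));
    return 0;
}
```

Building a parser like this with `-fsanitize=shift` and feeding it the minimized testcase is the quickest way to confirm whether a report of this class is in the shift itself or in the surrounding bounds handling; the unsigned-domain reads above keep every shift within defined behaviour regardless of the bytes supplied.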
 
Cc: mmoroz@chromium.org kcc@chromium.org aizatsky@chromium.org
Labels: -Pri-1 Pri-2
Owner: dpranke@chromium.org
Cc: tsepez@chromium.org dpranke@chromium.org
Owner: mmoroz@chromium.org
Why did this get assigned to me? Because of the GYP->GN flip?

I don't really know anything about this fuzzer; maybe one of the PDFium folks should own this instead?

Comment 3 by mmoroz@chromium.org, Jun 16 2016

dpranke@, it looks like the issue is in freetype2 (looking at the top 6 stack frames). You are the only owner for third_party/freetype2, which is why I assigned this to you.

Do you think that the issue is in pdfium?

Comment 4 by kcc@chromium.org, Jun 16 2016

This is clearly a freetype2 issue.
Please note that even though the freetype folks are gladly fixing most of the bugs we report, they did not fix a bunch of signed-integer-overflows (there are too many): https://savannah.nongnu.org/bugs/?func=detailitem&item_id=46149

I don't know what they will say about bad shifts, but I think they will fix it if there are not too many of those.

Comment 5 by mmoroz@chromium.org, Jun 16 2016

Cc: -dpranke@chromium.org
Owner: dpranke@chromium.org
dpranke@, let me assign it to you once again. If there is any other owner for freetype2, please let me know or reassign it to them.
Cc: bunge...@chromium.org js...@chromium.org thomasanderson@chromium.org
Owner: bunge...@chromium.org
Ah, okay. Yeah, these days I probably shouldn't really be the freetype owner.

bungeman@, jshin@, any idea who should actually own this?

Comment 7 by ClusterFuzz, Jun 27 2016

ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5511483371028480

Fuzzer: libfuzzer_pdfium_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Undefined-shift
Crash Address: 
Crash State:
  tt_face_load_hmtx
  sfnt_load_face
  tt_face_init
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=397764:398208

Minimized Testcase (0.23 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96Fy0JVsKASkZ32bqQXYg-VPDfhMGwq8WNhCQbXTRnACo_feZN8KlLfGkIuen7WrgKvPupyYnGqRUsDBBWF3tZSZuBJEiKAJeoR2O5ZFRcEnM6odSWmuheF3syEz__Wz9xJOOTgC4_T4c91JHXeRJCGQPnSww?testcase_id=5511483371028480
o/Im2/INPe%PDF!rerd'�%kdce
trai:ler>>
trailer<</Root 4 10 R[/AbrF!orm4 4 obj<<>ore%QLFerd/SemiCh2densede;<<
traile</Pages 4 20 R[/Abr 1/Contens[0.0 0.0 0.0 )0.0 0.0<</Contents<<.02/3DVie:�1 0]/Flter
/Keyword>>stream
Tf/CAM
endobj
/


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 8 by ClusterFuzz, Jul 6 2016

ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5511483371028480

Fuzzer: libfuzzer_pdfium_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Undefined-shift
Crash Address: 
Crash State:
  tt_face_load_hmtx
  sfnt_load_face
  tt_face_init
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=397764:398208

Minimized Testcase (0.23 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96Fy0JVsKASkZ32bqQXYg-VPDfhMGwq8WNhCQbXTRnACo_feZN8KlLfGkIuen7WrgKvPupyYnGqRUsDBBWF3tZSZuBJEiKAJeoR2O5ZFRcEnM6odSWmuheF3syEz__Wz9xJOOTgC4_T4c91JHXeRJCGQPnSww?testcase_id=5511483371028480
o/Im2/INPe%PDF!rerd'�%kdce
trai:ler>>
trailer<</Root 4 10 R[/AbrF!orm4 4 obj<<>ore%QLFerd/SemiCh2densede;<<
traile</Pages 4 20 R[/Abr 1/Contens[0.0 0.0 0.0 )0.0 0.0<</Contents<<.02/3DVie:�1 0]/Flter
/Keyword>>stream
Tf/CAM
endobj
/


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 9 by ClusterFuzz, Jul 12 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5983749263327232

Fuzzer: libfuzzer_pdfium_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Undefined-shift
Crash Address: 
Crash State:
  tt_face_load_hmtx
  sfnt_load_face
  tt_face_init
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=397764:398208

Minimized Testcase (0.23 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94XQf_bsGlHsfQL1JLKIyJqURXQ7j16MRUtizDksPAfhliLqDnNpLNwVECcvsxDXtWjs7Ox-2YUpMMTXGwxvBUnK4P0TDXze13pLhclLV3MuJHalrZLkDA-sbnhE1kmYfnlxR8_8sUW-DxbESHBPiurQkuWeg?testcase_id=5983749263327232
o/Im2/INPe%PDF!rerd'�%kdce
trai:ler>>
trailer<</Root 4 10 R[/AbrF!orm4 4 obj<<>ore%QLFerd/SemiCh2densede;<<
traile</Pages 4 20 R[/Abr 1/Contens[0.0 0.0 0.0 )0.0 0.0<</Contents<<.02/3DVie:�1 0]/Flter
/Keyword>>stream
Tf/CAM
endobj
/


Filer: kavvaru

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

Comment 10 by ClusterFuzz, Jul 29 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4968268578422784

Fuzzer: libfuzzer_renderer_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Undefined-shift
Crash Address: 
Crash State:
  tt_face_load_hmtx
  sfnt_load_face
  tt_face_init
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=408222:408334

Minimized Testcase (0.00 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97vAH-U9lecr1ZVmQxjU-zBhlQTyR8l5P_ZrbA1vWEOcGjXe-fpHavySx5hceXS6jWp1l88IadyKwMSL8vTaRaGzJ7N8RjBlo6r2QMLQouaIM-K0xuS6Dah5RbYVCjWsqP9qOvMFsgyeV9b5PHzTOAkAjtzTw?testcase_id=4968268578422784
?


Filer: rnimmagadda

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Gentle Ping.

@bungeman: Could you please provide an update on this issue?

Thank you.
Cc: -kcc@chromium.org
Owner: ----
I don't know why this is assigned to me. If someone wants this fixed, file a bug in launchpad (and be sure to mention which FreeType commit fixed it). We don't ship this code.
Cc: och...@chromium.org mbarbe...@chromium.org infe...@chromium.org kcc@chromium.org
Considering that Chrome depends on FreeType2 (even though we don't ship FreeType2 with Chrome), we should take care of its security, shouldn't we?

Assume that there is an exploitable vulnerability in FreeType and users get hacked with an exploit being delivered through Chrome. Sounds bad.

I think that fits our threat model. Please correct me if I'm wrong.
Components: Internals>Plugins>PDF
Please remember to add Internals>Plugins>PDF, so the relevant people see the bug. Better yet, go through all the CF bugs and make sure they have a component set. It's easy to query crbug.com for that.

So once again, we don't ship third_party/freetype2. It would be nice if we build fuzzers and link to system freetype instead of third_party/freetype2 - that's how it is on my Linux workstation by default when I build pdfium_fuzzer. I'm not sure what build flag is triggering the use of third_party/freetype2 here.

Given the above:
- if this happens with system freetype, then we need to bug the freetype developers about it. The fixes then need to trickle back down to whatever distro the CF machines are running.
- if this happens with third_party/freetype2 but not system freetype, then it's a WontFix because third_party/freetype2 is old by design.

Comment 15 by js...@chromium.org, Sep 21 2016

I was not added to Cc in comment 6 due to a bad UI in the Cc box. :-) (There's a bug filed against monorail.)

Pdfium has FreeType 2.6.1, and a bunch of shift-related issues found by libfuzz have been fixed over the last 10 months or so. I'm afraid some of them are still present in the FreeType 2.6.1 bundled by Pdfium. In that case, Pdfium's copy of FreeType has to be updated. (Chrome OS and Chrome-Android moved up to 2.7 + 5 CLs in ToT.) See https://bugs.chromium.org/p/pdfium/issues/detail?id=601
Comment 16 by js...@chromium.org, Sep 21 2016

See bug 274030 for bundling/static-linking FreeType on Linux for security and features.


Comment 17 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 20 by ClusterFuzz, Feb 28 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Available)
ClusterFuzz testcase 4968268578422784 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
