Crash in CCodec_GifModule::LoadFrameInfo
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6487512726110208

Fuzzer: libfuzzer_pdf_codec_gif_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  CCodec_GifModule::LoadFrameInfo
  CCodec_ProgressiveDecoder::GetFrames
  XFACodecFuzzer::Fuzz

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=400121:400191

Minimized Testcase (0.00 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv957oM230j5O_Te5A2SY2QxSUXMLxl5Aw4lwhganZS4-bYMPuEYr3AiEO7K0nfJxTPZaW_AsNxgwfFGcmLcWnY2HKdilBW2xtuN02zgKwpfIiG6ajKV1cEkDOlmiAsNTB7-RmZU5TsqcYsDZ8T7_BOVLFw-UDw

Filer: mmoroz

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Jun 17 2016
Looks like bSkipImageTypeCheck means we proceed with CCodec_ProgressiveDecoder::GetFrames() without ever going through CCodec_ProgressiveDecoder::DetectImageType() to initialize the gif context?
Jun 20 2016
The following revision refers to this bug: https://pdfium.googlesource.com/pdfium.git/+/54d027dbbff8a0270531855082e4f61cb457c173

commit 54d027dbbff8a0270531855082e4f61cb457c173
Author: dsinclair <dsinclair@chromium.org>
Date: Mon Jun 20 16:09:56 2016

Fixup LoadImageInfo type checking.

The ::DetectImageType method does more than just detecting the image type, it also sets up various needed structures to handle the decoding. Instead of skipping the ::DetectImageType call this CL changes the code to return early if the image check fails. This should allow us to stop working on images which do not match the required data format.

BUG= chromium:621094
Review-Url: https://codereview.chromium.org/2085493002

[modify] https://crrev.com/54d027dbbff8a0270531855082e4f61cb457c173/core/fxcodec/codec/fx_codec_progress.cpp
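To make the initialisation-order bug behind this report concrete, here is an added C++ sketch. It is not PDFium's code: the decoder, the GIF context, the input bytes and the return codes are constructed stand-ins. It models a detection step that doubles as setup, a skip flag that bypasses it so the frame loader runs against a null context, and the fixed shape in which the check always runs and a failure returns early.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <memory>
#include <vector>

// Outcomes of the sketch's LoadImageInfo variants (constructed, not PDFium's).
enum Status : int {
  kNotAnImage = -2,            // type check failed, nothing decoded
  kUninitializedContext = -1,  // stands in for the UNKNOWN READ at 0x0
};

// Stand-in for the GIF module's per-image context.
struct GifContext {
  int frame_count;
};

// Minimal model of CCodec_ProgressiveDecoder: DetectImageType() is the only
// place the GIF context gets allocated, so everything downstream depends on it.
struct ProgressiveDecoder {
  std::unique_ptr<GifContext> gif_ctx;  // null until DetectImageType() succeeds

  // Detection doubles as setup: only a recognised GIF header allocates the context.
  bool DetectImageType(const std::vector<uint8_t>& data) {
    if (data.size() < 7)
      return false;
    if (std::memcmp(data.data(), "GIF89a", 6) != 0 &&
        std::memcmp(data.data(), "GIF87a", 6) != 0)
      return false;
    gif_ctx = std::make_unique<GifContext>();
    gif_ctx->frame_count = data[6];  // constructed: byte 6 stands in for the frame count
    return true;
  }

  // Like the crashing GetFrames() -> LoadFrameInfo() path, this assumes the
  // context exists. The null check is only here so the sketch reports the
  // fault instead of reproducing the crash.
  int GetFrames() const {
    if (!gif_ctx)
      return kUninitializedContext;
    return gif_ctx->frame_count;
  }
};

// Before the fix: a caller-supplied flag skips the type check, and with it
// the setup, so GetFrames() runs against a null context.
int LoadImageInfoBefore(ProgressiveDecoder& dec, const std::vector<uint8_t>& data,
                        bool skip_image_type_check) {
  if (!skip_image_type_check && !dec.DetectImageType(data))
    return kNotAnImage;
  return dec.GetFrames();
}

// After the fix: the check always runs and a failed check returns early, so
// GetFrames() is only reachable with an initialised context.
int LoadImageInfoAfter(ProgressiveDecoder& dec, const std::vector<uint8_t>& data) {
  if (!dec.DetectImageType(data))
    return kNotAnImage;
  return dec.GetFrames();
}

// Constructed inputs: a 7-byte "GIF" declaring 3 frames, and a non-GIF byte string.
std::vector<uint8_t> MakeInput(bool valid_gif) {
  if (valid_gif)
    return {'G', 'I', 'F', '8', '9', 'a', 3};
  return {0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a};
}

int RunBefore(bool valid_gif, bool skip_image_type_check) {
  ProgressiveDecoder dec;
  return LoadImageInfoBefore(dec, MakeInput(valid_gif), skip_image_type_check);
}

int RunAfter(bool valid_gif) {
  ProgressiveDecoder dec;
  return LoadImageInfoAfter(dec, MakeInput(valid_gif));
}

int main() {
  std::printf("before, check skipped on a real GIF: %d\n", RunBefore(true, true));
  std::printf("before, check skipped on non-GIF:    %d\n", RunBefore(false, true));
  std::printf("after,  real GIF:                    %d\n", RunAfter(true));
  std::printf("after,  non-GIF:                     %d\n", RunAfter(false));
  return 0;
}
```

The point of the two variants is that the skip flag is the defect, not the missing null check: once a method both validates and initialises, any path that bypasses it leaves later code holding an unset pointer, and the durable fix is to remove the bypass (as the CL does) rather than to sprinkle null checks downstream.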
Jun 20 2016
Is there a way to force clusterfuzz to try again off of HEAD so I can verify this is fixed?
Jun 20 2016
dsinclair@, there is no way to do it. Though you may run the Redo "Fixed" job (the button is at the top of the CF report page), it will not use the HEAD updated just a couple of minutes ago, because CF uses builds provided by the build-bot (https://build.chromium.org/p/chromium.fyi/builders/Libfuzzer%20Upload%20Linux%20ASan). The good thing is that CF will update the bug description automatically once it checks the fix with a new build.
Jun 20 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/f7014ec458435b22a73f4a085e50764444351ee9

commit f7014ec458435b22a73f4a085e50764444351ee9
Author: ochang <ochang@chromium.org>
Date: Mon Jun 20 22:18:54 2016

Roll PDFium 2fad11a..df6ec80

https://pdfium.googlesource.com/pdfium.git/+log/2fad11a..df6ec80

BUG=612918, 619405, 621094
TBR=thestig@chromium.org
Review-Url: https://codereview.chromium.org/2078383003
Cr-Commit-Position: refs/heads/master@{#400811}

[modify] https://crrev.com/f7014ec458435b22a73f4a085e50764444351ee9/DEPS
Jun 21 2016
ClusterFuzz has detected this issue as fixed in range 400757:400887.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6487512726110208

Fuzzer: libfuzzer_pdf_codec_gif_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  CCodec_GifModule::LoadFrameInfo
  CCodec_ProgressiveDecoder::GetFrames
  XFACodecFuzzer::Fuzz

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=400121:400191
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=400757:400887

Minimized Testcase (0.00 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv957oM230j5O_Te5A2SY2QxSUXMLxl5Aw4lwhganZS4-bYMPuEYr3AiEO7K0nfJxTPZaW_AsNxgwfFGcmLcWnY2HKdilBW2xtuN02zgKwpfIiG6ajKV1cEkDOlmiAsNTB7-RmZU5TsqcYsDZ8T7_BOVLFw-UDw?testcase_id=6487512726110208

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mmoroz@chromium.org, Jun 17 2016
Components: Internals>Plugins>PDF