Heap-buffer-overflow in CWeightTable::Calc

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4580419215556608
Fuzzer: attekett_dom_fuzzer
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Heap-buffer-overflow WRITE 4
Crash Address: 0x7fb7dcdfc004
Crash State:
  CWeightTable::Calc
  CStretchEngine::StartStretchHorz
  CFX_ImageStretcher::StartStretch
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=393856:393893
Minimized Testcase (4.13 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96K80q4u40O_HAo6b2Cg0D1rYfwb3ORucxXErxkKgVG-2eRiC8D1TqoAl7OGqkQ8upW9xDQXzg1EKfE3g-UftF3EnjQcnjV-mTlK0x8Ln20ToSQ5sHyRaN19pEB6tlcxSGhRkgm2E_UGXQP1pxm4tN6q3kgKg?testcase_id=4580419215556608
Filer: aarya

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Jun 30 2016
Well, I tried fixing the indexing to be more sane, but now some images don't display correctly. I'll keep looking.

Jun 30 2016
ClusterFuzz has detected this issue as fixed in range 398351:398496.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4580419215556608
Fuzzer: attekett_dom_fuzzer
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Heap-buffer-overflow WRITE 4
Crash Address: 0x7fb7dcdfc004
Crash State:
  CWeightTable::Calc
  CStretchEngine::StartStretchHorz
  CFX_ImageStretcher::StartStretch
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=393856:393893
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=398351:398496
Minimized Testcase (4.13 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96K80q4u40O_HAo6b2Cg0D1rYfwb3ORucxXErxkKgVG-2eRiC8D1TqoAl7OGqkQ8upW9xDQXzg1EKfE3g-UftF3EnjQcnjV-mTlK0x8Ln20ToSQ5sHyRaN19pEB6tlcxSGhRkgm2E_UGXQP1pxm4tN6q3kgKg?testcase_id=4580419215556608

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Jun 30 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Jun 30 2016

Jul 1 2016

Jul 2 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Jul 2 2016

Jul 14 2016
M53 beta launch is coming soon. Your bug is labelled as Beta ReleaseBlock, pls make sure to land the fix before 6:00 PM PST, Monday (07/18/16). Thank you.

Jul 16 2016
thestig: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Jul 19 2016
M53 beta launch is next week. Your bug is labelled as Beta ReleaseBlock, pls make sure to land the fix before 6:00 PM PST, Friday (07/22/16). Thank you.

Jul 21 2016
ReleaseBlock-Stable after discussion with thestig@

Jul 22 2016

Jul 30 2016
thestig: Uh oh! This issue is still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Aug 2 2016

Aug 3 2016
M53 Stable launch is coming soon. Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix asap so it gets a chance to bake in beta before stable promotion. Thank you.

Aug 4 2016

Aug 4 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/8c5429e3337f1635fee44eb51d4c9330d05e54db

commit 8c5429e3337f1635fee44eb51d4c9330d05e54db
Author: thestig <thestig@chromium.org>
Date: Thu Aug 04 23:07:09 2016

Roll PDFium a72ab5e..32e693f

https://pdfium.googlesource.com/pdfium.git/+log/a72ab5e..32e693f

BUG=634394,624514
TBR=tsepez@chromium.org

Review-Url: https://codereview.chromium.org/2210063004
Cr-Commit-Position: refs/heads/master@{#409927}

[modify] https://crrev.com/8c5429e3337f1635fee44eb51d4c9330d05e54db/DEPS

Aug 5 2016
Will request the merge on Monday.

Aug 7 2016
[Automated comment] DEPS changes referenced in bugdroid comments, needs manual review.

Aug 8 2016
+awhalley@, is this good to take in for this week M53 Beta release?

Aug 9 2016
Yep, good for M53, along with the other bugs that have a PDFium roll: 624514, 628304, 628890

Aug 9 2016
Approving merge to M53 branch 2785 based on comment #25. Please merge ASAP (latest by tomorrow, Tuesday 3:00 PM PT) so we can take it in for this week beta release.

Aug 9 2016
The following revision refers to this bug: https://chrome-internal.googlesource.com/chrome/tools/buildspec/+/205c3faca7f4c678fddf6e3811ec6fe9b0fd7031

commit 205c3faca7f4c678fddf6e3811ec6fe9b0fd7031
Author: Oliver Chang <ochang@google.com>
Date: Tue Aug 09 16:01:16 2016

Aug 9 2016

Aug 11 2016

Sep 8 2016
$3,500 for this one - good to see the fuzzer churning out great bugs. Thanks.

Sep 23 2016

Nov 11 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sep 18 2017
We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.
Comment 1 by palmer@chromium.org, Jun 29 2016
Components: Internals>Plugins>PDF
Labels: M-53 OS-Android OS-Chrome OS-Mac OS-Windows
Owner: thestig@chromium.org
Status: Assigned (was: Available)