Crash in _platform_memmove$VARIANT$Nehalem
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6100230152126464

Fuzzer: libfuzzer_safe_browsing_dmg_fuzzer
Job Type: mac_libfuzzer_chrome_asan
Platform Id: mac

Crash Type: UNKNOWN
Crash Address: 0x61500020b500
Crash State:
  _platform_memmove$VARIANT$Nehalem
  safe_browsing::dmg::UDIFBlockChunkReadStream::Read
  safe_browsing::dmg::UDIFPartitionReadStream::Read

Recommended Security Severity: Medium

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95_D4HOedfMljEmWke5VVJ-WS8aC2PhKA2TAFO4pwjnEqWS-0fNj17RdqsY0GLgX_0E75io43XhoR4pQ9oR2dxdX2mwVRobNjx2SRfSYsWZ08kD6YdAvK47vAlMMTn7hsS7zDSQC1D4xVUP8vRhmFt6apd_YA?testcase_id=6100230152126464

Filer: ochang

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Jul 12 2016
Jul 12 2016
Jul 13 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/41b7abbdb0a34bc77373673dd1400dfdf8c4d84c

commit 41b7abbdb0a34bc77373673dd1400dfdf8c4d84c
Author: rsesek <rsesek@chromium.org>
Date: Wed Jul 13 00:09:01 2016

Validate safe_browsing::dmg::UDIFBlock data before attempting to read at its offsets.

This change also validates that the blkx plist does not run past the end of the file.

BUG=627355
TEST=Clusterfuzz coverage.
R=mark@chromium.org

Review-Url: https://codereview.chromium.org/2141963002
Cr-Commit-Position: refs/heads/master@{#404862}

[modify] https://crrev.com/41b7abbdb0a34bc77373673dd1400dfdf8c4d84c/chrome/utility/safe_browsing/mac/hfs.cc
[modify] https://crrev.com/41b7abbdb0a34bc77373673dd1400dfdf8c4d84c/chrome/utility/safe_browsing/mac/udif.cc
[modify] https://crrev.com/41b7abbdb0a34bc77373673dd1400dfdf8c4d84c/chrome/utility/safe_browsing/mac/udif.h
Jul 13 2016
Jul 13 2016
Jul 14 2016
Jul 15 2016
Aug 2 2016
Clusterfuzz seems to have found a different variant with the same stack. Another fix coming.
Aug 2 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/e1a415e9785da06e836c9929ec764487a4abb80f

commit e1a415e9785da06e836c9929ec764487a4abb80f
Author: rsesek <rsesek@chromium.org>
Date: Tue Aug 02 21:26:31 2016

[Mac] Convert a DCHECK to a condition in safe_browsing::dmg::UDIFBlockChunkReadStream::Seek.

BUG=627355

Review-Url: https://codereview.chromium.org/2202343004
Cr-Commit-Position: refs/heads/master@{#409324}

[modify] https://crrev.com/e1a415e9785da06e836c9929ec764487a4abb80f/chrome/utility/safe_browsing/mac/udif.cc
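The two fixes above share one lesson for any parser of attacker-controlled container formats: every offset and length taken from the file must be checked against the file size at runtime before it feeds a memmove, and the check has to be a real condition, because a DCHECK is compiled out of release builds and so protects nothing in the shipping binary. The block below is an added illustration of that pattern, not Chromium's udif.cc or the code from either commit. The struct Chunk, the functions ValidateChunks and SampleImage, the class ChunkReadStream and the 64-byte sample image are all hypothetical, constructed here to show the validate-then-read shape on the same kind of data (a chunk table of byte ranges into an image file) that the UDIF reader handles.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Hypothetical chunk descriptor: where a chunk's bytes sit in the image file.
// Not Chromium's struct; a real UDIF blkx entry carries more fields than this.
struct Chunk {
  uint64_t offset;  // byte offset into the image file
  uint64_t length;  // byte length of the chunk's data
};

// Reject any chunk whose [offset, offset + length) is not inside the file.
// Compare length against file_size - offset so that a crafted offset near
// UINT64_MAX cannot wrap the sum and slip past an offset + length <= file_size test.
bool ValidateChunks(const std::vector<Chunk>& chunks, uint64_t file_size) {
  for (const Chunk& c : chunks) {
    if (c.offset > file_size) return false;
    if (c.length > file_size - c.offset) return false;
  }
  return true;
}

// Stream over one chunk table. Every read ends in memmove on the image buffer,
// so all bounds are established before the copy, with ordinary runtime checks.
class ChunkReadStream {
 public:
  ChunkReadStream(const std::vector<uint8_t>& image,
                  const std::vector<Chunk>& chunks)
      : image_(image),
        chunks_(chunks),
        valid_(ValidateChunks(chunks, image.size())) {}

  bool valid() const { return valid_; }

  // Position the stream at offset_in_chunk within chunk_index. A bad position
  // is an ordinary failure (return false), not a DCHECK: DCHECKs are compiled
  // out of release builds and never guard untrusted input there.
  bool Seek(size_t chunk_index, uint64_t offset_in_chunk) {
    if (!valid_ || chunk_index >= chunks_.size()) return false;
    if (offset_in_chunk > chunks_[chunk_index].length) return false;
    chunk_ = chunk_index;
    pos_ = offset_in_chunk;
    return true;
  }

  // Copy up to size bytes of the current chunk into out. Returns the number of
  // bytes copied; 0 if the stream is invalid or the chunk is exhausted.
  size_t Read(uint8_t* out, size_t size) {
    if (!valid_ || chunk_ >= chunks_.size()) return 0;
    const Chunk& c = chunks_[chunk_];
    const uint64_t remaining = c.length - pos_;  // Seek keeps pos_ <= length
    const size_t n = static_cast<size_t>(remaining < size ? remaining : size);
    if (n == 0) return 0;
    // offset + pos_ + n <= offset + length <= file size, so the copy stays in bounds.
    memmove(out, image_.data() + c.offset + pos_, n);
    pos_ += n;
    return n;
  }

 private:
  const std::vector<uint8_t>& image_;
  std::vector<Chunk> chunks_;
  size_t chunk_ = 0;
  uint64_t pos_ = 0;
  bool valid_;
};

// Constructed 64-byte sample image whose byte i has the value i.
std::vector<uint8_t> SampleImage() {
  std::vector<uint8_t> img(64);
  for (size_t i = 0; i < img.size(); ++i) img[i] = static_cast<uint8_t>(i);
  return img;
}

int main() {
  std::vector<uint8_t> img = SampleImage();
  ChunkReadStream ok(img, {{48, 16}});   // last 16 bytes of the image
  uint8_t buf[32];
  size_t n = ok.Seek(0, 8) ? ok.Read(buf, sizeof(buf)) : 0;  // 8 bytes: 56..63
  ChunkReadStream bad(img, {{60, 16}});  // runs 12 bytes past the end of the file
  return (n == 8 && !bad.valid()) ? 0 : 1;
}
```

The second stream in main is the shape of input the fuzzer found: a chunk whose range runs past the end of the file. With the validation in place it is rejected at construction and Seek and Read both refuse to touch the buffer; without it, the memmove in Read would read past the image, which is the out-of-bounds access ASan reported in _platform_memmove.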
Aug 3 2016
ClusterFuzz has detected this issue as fixed in range 409316:409332.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6100230152126464

Fuzzer: libfuzzer_safe_browsing_dmg_fuzzer
Job Type: mac_libfuzzer_chrome_asan
Platform Id: mac

Crash Type: UNKNOWN
Crash Address: 0x61500020b500
Crash State:
  _platform_memmove$VARIANT$Nehalem
  safe_browsing::dmg::UDIFBlockChunkReadStream::Read
  safe_browsing::dmg::UDIFPartitionReadStream::Read

Recommended Security Severity: Medium

Fixed: https://cluster-fuzz.appspot.com/revisions?job=mac_libfuzzer_chrome_asan&range=409316:409332

Minimized Testcase (7.97 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96Oj_kON-ertOXRK55sIEHzmluSYmqDrJxWqoIgUTLsS38csZdRQ3e1Rrt0VsfAmCATzVDcOnb4q1uULTDB950_pSPOmyuKQqeWArMGOB0QwFcPom6KUO5d22a4dIZBJDqznrODc3np56Z0laieVNO9bUlnmQ?testcase_id=6100230152126464

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 3 2016
Aug 3 2016
Aug 6 2016
Aug 6 2016
Your change meets the bar and is auto-approved for M53 (branch: 2785)
Aug 8 2016
Please merge your change to M53 branch 2785 today before 5:00 PM PT so we can take it in for this week Beta release. Thank you.
Aug 8 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/9fa921f0231392e89c9bd2280bb18224591e7f13

commit 9fa921f0231392e89c9bd2280bb18224591e7f13
Author: Robert Sesek <rsesek@chromium.org>
Date: Mon Aug 08 19:00:39 2016

[Mac] Convert a DCHECK to a condition in safe_browsing::dmg::UDIFBlockChunkReadStream::Seek.

BUG=627355

Review-Url: https://codereview.chromium.org/2202343004
Cr-Commit-Position: refs/heads/master@{#409324}
(cherry picked from commit e1a415e9785da06e836c9929ec764487a4abb80f)

Review URL: https://codereview.chromium.org/2225123002 .

Cr-Commit-Position: refs/branch-heads/2785@{#530}
Cr-Branched-From: 68623971be0cfc492a2cb0427d7f478e7b214c24-refs/heads/master@{#403382}

[modify] https://crrev.com/9fa921f0231392e89c9bd2280bb18224591e7f13/chrome/utility/safe_browsing/mac/udif.cc
Aug 10 2016
Aug 30 2016
Sep 14 2016
Nov 10 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Apr 25 2018
Comment 1 by och...@chromium.org, Jul 12 2016
Labels: -Security_Severity-Medium Security_Severity-High
Owner: rsesek@chromium.org
Status: Assigned (was: Available)