Crash in CJBig2_Context::parseSymbolDict
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6531738176323584
Fuzzer: ifratric_pdf_generic
Job Type: linux_asan_pdfium
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000008
Crash State:
  CJBig2_Context::parseSymbolDict
  CJBig2_Context::ProcessingParseSegmentData
  CJBig2_Context::decode_SquentialOrgnazation
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_pdfium&range=407480:407721
Minimized Testcase (989.11 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95fKopEM1q5ZMt1lhHo1fW8CTcbjQy3MykZdwMkFxhcape3fzUqfe8BTdtXA6k-Hb1Cheu27dncBTUjYf4tKlNmhvUrOQNjfhutd9snOBha6_T1cMmAA4LDjnyf3DVeToyOAEfrnPLhXXAtSN6B4L4oHIAdKwy5EjbaWf1aGPqmd8HK2zo?testcase_id=6531738176323584
Filer: rnimmagadda
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 27 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5244617612328960
Fuzzer: ifratric_pdf_generic
Job Type: windows_syzyasan_chrome
Platform Id: windows
Crash Type: UNKNOWN
Crash Address: 0x00000003
Crash State:
  CJBig2_Context::parseSymbolDict
  CJBig2_Context::ProcessingParseSegmentData
  CJBig2_Context::parseSegmentData
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_chrome&range=407779:407803
Minimized Testcase (281.48 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95p2O78nScayqCMMcw9TrexqNC8uYvLTiHnDKe8znZGuScyZTzzYmV47bZuRMgymmfYuKkmiqq1o9SsKZgdQD_oG1NGAP3suL2J9Ebv3j50yF0Vt13YMMSI5f7eHe5RzyZ-lhfWz89-rjMClzWMy_sYGovi3gAPPtqgTANPsdwFeHrEQWo?testcase_id=5244617612328960
Filer: rnimmagadda
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 27 2016
Issue 632051 has been merged into this issue.
Jul 27 2016
Jul 27 2016
If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates. - Go/Fracas
Jul 27 2016
The bug is here: https://codereview.chromium.org/2178613002/diff/20001/core/fxcodec/codec/fx_codec_jbig.cpp#newcode23
if (!pContextHolder->get()) was changed to if (!pContextHolder), where pContextHolder is a std::unique_ptr<JBig2_DocumentContext>* pContextHolder. As a result, the case that populates pContextHolder is never executed.
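The comment above describes a classic pointer-to-smart-pointer mix-up: the function receives the address of a std::unique_ptr, so testing that address instead of the pointer the unique_ptr owns makes the lazy-creation branch unreachable, and the decoder then proceeds with a null context. The following C++ is an added illustration written for this page; it is not pdfium's code. JBig2_DocumentContext is a stand-in struct, and EnsureContextBuggy, EnsureContextFixed, EnsureContextByRef and ParseOneSegment are hypothetical names chosen here. The buggy and fixed variants mirror the two checks quoted in the comment; the by-reference variant is a design alternative suggested here that removes the possibility of writing the wrong check.

```cpp
#include <iostream>
#include <memory>

// Stand-in for pdfium's JBig2_DocumentContext. Assumption: the real type does
// not matter here; all that matters is that it is created lazily on first use.
struct JBig2_DocumentContext {
  int segmentsParsed = 0;
};

// Buggy variant, reconstructed from the comment's description (not pdfium's
// source). The argument is a pointer TO the unique_ptr, so `!pContextHolder`
// tests the holder's address, which callers always supply non-null; the
// lazy-creation branch is therefore dead and the holder stays empty.
bool EnsureContextBuggy(std::unique_ptr<JBig2_DocumentContext>* pContextHolder) {
  if (!pContextHolder) {
    *pContextHolder = std::make_unique<JBig2_DocumentContext>();
  }
  return pContextHolder->get() != nullptr;
}

// Fixed variant, following the fix commit's summary: test the pointer the
// unique_ptr owns, not the address of the unique_ptr itself.
bool EnsureContextFixed(std::unique_ptr<JBig2_DocumentContext>* pContextHolder) {
  if (!pContextHolder->get()) {
    *pContextHolder = std::make_unique<JBig2_DocumentContext>();
  }
  return pContextHolder->get() != nullptr;
}

// Design alternative suggested here (not pdfium's): take the holder by
// reference. Then `!holder` can only mean "no owned object", and the
// pointer-to-pointer confusion above cannot be written at all.
bool EnsureContextByRef(std::unique_ptr<JBig2_DocumentContext>& holder) {
  if (!holder) {
    holder = std::make_unique<JBig2_DocumentContext>();
  }
  return holder != nullptr;
}

// What the decoder would do next: use the context. With the buggy check the
// context is null here, and reading a member would be a read at a small offset
// from address zero, which is what the UNKNOWN READ at 0x8 in the reports looks
// like. This stand-in returns a sentinel instead of dereferencing.
int ParseOneSegment(const std::unique_ptr<JBig2_DocumentContext>& holder) {
  if (!holder) return -1;           // the real code path would dereference null here
  return ++holder->segmentsParsed;  // constructed stand-in for actual segment parsing
}

// Scenario 1: the buggy check leaves the holder empty and parsing cannot proceed.
bool BuggyCheckLeavesHolderEmpty() {
  std::unique_ptr<JBig2_DocumentContext> holder;
  bool created = EnsureContextBuggy(&holder);
  return !created && holder == nullptr && ParseOneSegment(holder) == -1;
}

// Scenario 2: the fixed check creates the context exactly once and reuses it.
bool FixedCheckCreatesHolderOnce() {
  std::unique_ptr<JBig2_DocumentContext> holder;
  if (!EnsureContextFixed(&holder)) return false;
  JBig2_DocumentContext* first = holder.get();
  EnsureContextFixed(&holder);  // second call must reuse, not recreate
  return holder.get() == first && ParseOneSegment(holder) == 1 &&
         ParseOneSegment(holder) == 2;
}

// Scenario 3: the by-reference API behaves like the fixed variant.
bool ByRefCreatesHolderOnce() {
  std::unique_ptr<JBig2_DocumentContext> holder;
  if (!EnsureContextByRef(holder)) return false;
  JBig2_DocumentContext* first = holder.get();
  EnsureContextByRef(holder);
  return holder.get() == first && ParseOneSegment(holder) == 1;
}

int main() {
  std::cout << "buggy check leaves holder empty: " << BuggyCheckLeavesHolderEmpty() << '\n'
            << "fixed check creates once:        " << FixedCheckCreatesHolderOnce() << '\n'
            << "by-ref API creates once:         " << ByRefCreatesHolderOnce() << '\n';
  return 0;
}
```

The detection angle is the same one ClusterFuzz used here: under ASan a null context surfaces as a read near address zero with parseSymbolDict on top of the stack, and the fix commit adds an embedder test with the minimized PDF so the regression is caught in CI rather than by fuzzing.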
Jul 27 2016
Users experienced this crash on the following builds:
  Win Canary 54.0.2809.0 - 6.85 CPM, 77 reports, 26 clients (signature CJBig2_Context::parseSymbolDict)
If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates. - Go/Fracas
Aug 2 2016
The following revision refers to this bug: https://pdfium.googlesource.com/pdfium.git/+/6faf9f9508b858e27fde9a7f75ff6962048326ca
commit 6faf9f9508b858e27fde9a7f75ff6962048326ca
Author: weili <weili@chromium.org>
Date: Tue Aug 02 18:34:08 2016

Fix Jbig2 document context creation by checking proper pointer

The pointer a unique_ptr contains should be checked instead of the pointer of the unique_ptr itself.

BUG= chromium:631912
Review-Url: https://codereview.chromium.org/2205573004

[modify] https://crrev.com/6faf9f9508b858e27fde9a7f75ff6962048326ca/BUILD.gn
[add] https://crrev.com/6faf9f9508b858e27fde9a7f75ff6962048326ca/core/fxcodec/codec/fx_codec_embeddertest.cpp
[modify] https://crrev.com/6faf9f9508b858e27fde9a7f75ff6962048326ca/core/fxcodec/codec/fx_codec_jbig.cpp
[modify] https://crrev.com/6faf9f9508b858e27fde9a7f75ff6962048326ca/pdfium.gyp
[add] https://crrev.com/6faf9f9508b858e27fde9a7f75ff6962048326ca/testing/resources/bug_631912.pdf
Aug 2 2016
Will roll DEPS shortly.
Aug 2 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/49cbf7dc7508bec4920ed325afa0b57749795ac1
commit 49cbf7dc7508bec4920ed325afa0b57749795ac1
Author: thestig <thestig@chromium.org>
Date: Tue Aug 02 20:24:19 2016

Roll PDFium 8f79700..ea3ff9e

https://pdfium.googlesource.com/pdfium.git/+log/8f79700..ea3ff9e

BUG= 631912
TBR=ochang@chromium.org
Review-Url: https://codereview.chromium.org/2206573003
Cr-Commit-Position: refs/heads/master@{#409304}

[modify] https://crrev.com/49cbf7dc7508bec4920ed325afa0b57749795ac1/DEPS
Aug 2 2016
Aug 4 2016
ClusterFuzz has detected this issue as fixed in range 409223:409458.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6531738176323584
Fuzzer: ifratric_pdf_generic
Job Type: linux_asan_pdfium
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000008
Crash State:
  CJBig2_Context::parseSymbolDict
  CJBig2_Context::ProcessingParseSegmentData
  CJBig2_Context::decode_SquentialOrgnazation
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_pdfium&range=407480:407721
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_pdfium&range=409223:409458
Minimized Testcase (989.11 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95fKopEM1q5ZMt1lhHo1fW8CTcbjQy3MykZdwMkFxhcape3fzUqfe8BTdtXA6k-Hb1Cheu27dncBTUjYf4tKlNmhvUrOQNjfhutd9snOBha6_T1cMmAA4LDjnyf3DVeToyOAEfrnPLhXXAtSN6B4L4oHIAdKwy5EjbaWf1aGPqmd8HK2zo?testcase_id=6531738176323584
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 4 2016
Issue 634526 has been merged into this issue.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by rnimmagadda@chromium.org, Jul 27 2016
Labels: -Pri-1 -Type-Bug M-54 Findit-for-crash Te-Logged Pri-2 Type-Bug-Security
Owner: weili@chromium.org
Status: Assigned (was: Untriaged)