Integer-overflow in TIFFYCbCrToRGBInit
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6054703976939520

Fuzzer: libfuzzer_pdf_codec_tiff_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address:
Crash State:
  TIFFYCbCrToRGBInit
  initYCbCrConversion
  PickContigCase

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=400697:402043

Minimized Testcase (0.38 Kb): https://cluster-fuzz.appspot.com/download/AMIfv9620wFU8hea2lZJGCNRvX8_5JyoQ7LhERhOzR4Y8z0fOPvRdhmY3kDX3xCRlvw9R-bw5ybV8TNyiYWlS4B82ywPKrCyV3x9iNMy719Lk-FervjNE1LOvdwZlmbYs23TcUzmfun_Hkq0X-1U-z6T6csQUR5dyQ?testcase_id=6054703976939520

Filer: mmohammad

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Aug 1 2016

Aug 2 2016
+sleffler for libtiff advice. Please let me know if I should CC you on more libtiff-related bugs from ClusterFuzz.

In this example from the fuzzer, D3 * Cb overflows with:

signed integer overflow: 116130 * -2147483648 cannot be represented in type int
Nov 22 2016
Punting PDF security-ish bugs. Sam says he hasn't worked on libtiff in a looooooooooooong time.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jan 4 2017
Looks like this file picks up a couple of issues locally. One is reported above and the other is doing float calculations with nan. The float calculations should be fixed with: https://pdfium-review.googlesource.com/c/2151/
Jan 9 2017
The following revision refers to this bug: https://pdfium.googlesource.com/pdfium.git/+/5f92eab76505fc6be2e5373390591a55be489b21

commit 5f92eab76505fc6be2e5373390591a55be489b21
Author: Dan Sinclair <dsinclair@chromium.org>
Date: Mon Jan 09 14:50:50 2017

[libtiff] Validate refblackwhite values

The td_refblackwhite value is currently assigned without validation. This may pose an issue as the image can specify the value as nan. This will cause problems later when we use the nan in calculations. This CL validates each of the float values are not nan and, if they are, sets them to the default provided by the TIFF spec v6.

BUG= chromium:632883
Change-Id: I17b01f744d3f5247c4bd3f42765a27b611dc7d8c
Reviewed-on: https://pdfium-review.googlesource.com/2151
Commit-Queue: dsinclair <dsinclair@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>

[add] https://crrev.com/5f92eab76505fc6be2e5373390591a55be489b21/third_party/libtiff/0013-validate-refblackwhite.patch
[modify] https://crrev.com/5f92eab76505fc6be2e5373390591a55be489b21/third_party/libtiff/README.pdfium
[modify] https://crrev.com/5f92eab76505fc6be2e5373390591a55be489b21/third_party/libtiff/tif_dir.c
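Added example (not PDFium's or libtiff's code) that models the two halves of this thread: how a NaN or degenerate ReferenceBlackWhite value can turn the Cb term into INT_MIN and make D3 * Cb overflow, and the fix's idea of substituting the TIFF 6 defaults for NaN entries before the table is built. The 16.16 FIX macro, the code2v mapping, the BT.601 luma 0.114 and the default ReferenceBlackWhite {0,255,128,255,128,255} are assumptions modelled on common libtiff conventions; with them D3 comes out as 116130, the same value as in the sanitizer message above.

```c
#include <limits.h>
#include <math.h>
#include <stdint.h>
#include <stdio.h>

#define SHIFT 16
#define ONE_HALF ((int64_t)1 << (SHIFT - 1))
#define FIX(x) ((int32_t)((x) * (1 << SHIFT) + 0.5)) /* 16.16 fixed point (assumed) */

/* Assumed TIFF 6 default ReferenceBlackWhite for YCbCr: Y 0..255, Cb/Cr 128..255. */
static const float kDefaultRefBW[6] = {0.0f, 255.0f, 128.0f, 255.0f, 128.0f, 255.0f};

/* Map a chroma code to a signed value via its reference black/white pair, in float.
 * A NaN or a tiny (rw - rb) range here is what feeds the overflow reported above. */
static float code2v(int code, float rb, float rw, float cr) {
    float range = (rw - rb != 0.0f) ? (rw - rb) : 1.0f;
    return ((float)code - rb) * cr / range;
}

/* The fix's idea: replace NaN entries with the spec defaults; returns how many changed. */
int ycbcr_sanitize(float refbw[6]) {
    int replaced = 0;
    for (int i = 0; i < 6; i++)
        if (isnan(refbw[i])) { refbw[i] = kDefaultRefBW[i]; replaced++; }
    return replaced;
}

/* One Cb_b table entry. Done unchecked, D3 * Cb is the product UBSAN flagged
 * (116130 * INT_MIN). Returns 1 and stores the entry, or 0 when the float->int
 * cast or the product would leave int32 range. */
int cb_b_entry(const float refbw[6], int code, int32_t *out) {
    const double luma_blue = 0.114;                  /* BT.601 default (assumed) */
    int32_t d3 = FIX(2 - 2 * luma_blue);             /* = 116130, as in the report */
    float v = code2v(code, refbw[2] - 128.0f, refbw[3] - 128.0f, 127.0f);
    if (!(v >= -2147483648.0f && v < 2147483648.0f)) return 0; /* NaN or out of range */
    int32_t cb = (int32_t)v;
    int64_t prod = (int64_t)d3 * cb;
    if (prod > INT32_MAX || prod < INT32_MIN) return 0;        /* would overflow int */
    *out = (int32_t)((prod + ONE_HALF) >> SHIFT);
    return 1;
}

int main(void) {
    float bad[6] = {0.0f, 255.0f, NAN, 255.0f, 128.0f, 255.0f}; /* constructed: NaN Cb black */
    int32_t e = 0;
    printf("unsanitized: ok=%d\n", cb_b_entry(bad, 127, &e));
    printf("replaced %d NaN value(s)\n", ycbcr_sanitize(bad));
    printf("sanitized:   ok=%d entry=%d\n", cb_b_entry(bad, 127, &e), (int)e);
    return 0;
}
```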
Jan 9 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/eb2e0d69c4b49d1ac044feff8563cdb794960b8e

commit eb2e0d69c4b49d1ac044feff8563cdb794960b8e
Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org>
Date: Mon Jan 09 17:00:28 2017

Roll src/third_party/pdfium/ 0fa471794..661008dde (4 commits).

https://pdfium.googlesource.com/pdfium.git/+log/0fa471794a88..661008dde735

$ git log 0fa471794..661008dde --date=short --no-merges --format='%ad %ae %s'
2017-01-09 npm Do not parse references with invalid objnum
2017-01-09 dsinclair [libtiff] Validate refblackwhite values
2017-01-09 tsepez Remove CFX_ArrayTemplate from CPWL_Wnd.
2017-01-09 tsepez Remove CFX_ArrayTemplate from fpdftext and fxcodec.

BUG= 632883

Documentation for the AutoRoller is here: https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, see: http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls

TBR=dsinclair@chromium.org
Review-Url: https://codereview.chromium.org/2625443002
Cr-Commit-Position: refs/heads/master@{#442271}

[modify] https://crrev.com/eb2e0d69c4b49d1ac044feff8563cdb794960b8e/DEPS
Feb 28 2017
ClusterFuzz has detected this issue as fixed in range 453271:453317.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6054703976939520

Fuzzer: libfuzzer_pdf_codec_tiff_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address:
Crash State:
  TIFFYCbCrToRGBInit
  initYCbCrConversion
  TIFFRGBAImageBegin

Sanitizer: undefined (UBSAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=400697:402043
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=453271:453317

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96ka-1df2RTfvUkABQxRvouwEvnrlDXgW5JslI7Pv3f-biGe7AoC2-1ZBe1AUg2LFqoB5y4WkAPYlVg-_tioN_Xs1s0QyJD95aJXgMO0FqFn721PI1LBka_vsqWmDqqkRZAcRepPbaECASdDAJB0FISkMh3EEvXUzFykUYBqBbb0pWKddQ19OBBeA_kc44KeVuaLQkrDnDtmA7ZA3NhuLCF6t4fnvsvcuv0RPPCTmWDL5L6LCCzWd65xRf8ZaehLG0AeKBaIfBEJm5hDDQHkmruj4m73s0Picd4_0uEikvsdLQg30p44TDoKHlu3ir4OX7fhBIGfMGdUDXWw2XQM0W0lK8le730j3hgt-99BPO2MTo0Ei0?testcase_id=6054703976939520

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Feb 28 2017
ClusterFuzz testcase 6054703976939520 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Feb 28 2017
Issue 628201 has been merged into this issue.
Feb 28 2017

Mar 1 2017
May 5 2017
Just want to mention this is XFA only, for the purposes of filtering a query.
Jul 21 2017
ClusterFuzz has detected this issue as fixed in range 488413:488525.

Detailed report: https://clusterfuzz.com/testcase?key=6054703976939520

Fuzzer: libFuzzer_pdf_codec_tiff_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address:
Crash State:
  TIFFYCbCrToRGBInit
  initYCbCrConversion
  TIFFRGBAImageBegin

Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=400697:402043
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=488413:488525

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6054703976939520

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 19 2017
Oct 24 2017
For more information, please see https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md. The link referenced in the description is no longer valid. (bulk edit)
Oct 26 2017
Needed to enable XFA in args.gn to correctly build. This no longer reproduces.
Comment 1 by mmohammad@chromium.org, Jul 29 2016
Status: Assigned (was: Untriaged)