
Issue 637984

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Sep 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




Integer-overflow in CPDF_RenderStatus::DrawTilingPattern

Project Member Reported by ClusterFuzz, Aug 15 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5452236614533120

Fuzzer: tokenfuzz_pdf_march16
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  CPDF_RenderStatus::DrawTilingPattern
  CPDF_RenderStatus::ProcessPathPattern
  CPDF_RenderStatus::ProcessPath
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027

Minimized Testcase (1576.15 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97KEysSiV4YBvDXKuCDbrPdN9536bgCc45BDmbdyJbxM_gncVD9LvmwIHoDclw94WlgkUtfnJIu7u2sew_vYTJ1chJGHXzIzTv-d7J0gbElyLJ70ymr5IeuihG6LFhHogZccOO2p0Wqa6RDcXxVHpL5_wBUJfJleZDGn0wAuVkzXbmCMio?testcase_id=5452236614533120

Issue manually filed by: mummareddy

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Labels: findit-wrong Te-Logged M-53
Owner: dsinclair@chromium.org
Status: Assigned (was: Untriaged)

Author: Dan Sinclair
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/764ec513eecbebd12781bcc96ce81ed5e736ee92
Time: Mon Mar 14 13:35:12 2016 -0400
The CL last changed line 1140 of file fpdf_render_pattern.cpp, which is stack frame 0.

Author: Dan Sinclair
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/764ec513eecbebd12781bcc96ce81ed5e736ee92
Time: Mon Mar 14 13:35:12 2016 -0400
The CL last changed line 1191 of file fpdf_render_pattern.cpp, which is stack frame 1.

Author: Dan Sinclair
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/764ec513eecbebd12781bcc96ce81ed5e736ee92
Time: Mon Mar 14 13:35:12 2016 -0400
The CL last changed line 469 of file fpdf_render.cpp, which is stack frame 2.

Author: Dan Sinclair
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/764ec513eecbebd12781bcc96ce81ed5e736ee92
Time: Mon Mar 14 13:35:12 2016 -0400
The CL last changed line 349 of file fpdf_render.cpp, which is stack frame 3.

Author: Dan Sinclair
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/764ec513eecbebd12781bcc96ce81ed5e736ee92
Time: Mon Mar 14 13:35:12 2016 -0400
The CL last changed line 311 of file fpdf_render.cpp, which is stack frame 4.

Author: Dan Sinclair
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/764ec513eecbebd12781bcc96ce81ed5e736ee92
Time: Mon Mar 14 13:35:12 2016 -0400
The CL last changed line 1059 of file fpdf_render.cpp, which is stack frame 5.
Project Member

Comment 2 by ClusterFuzz, Aug 16 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5200170184867840

Fuzzer: tokenfuzz_pdf_april16
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  CPDF_ToUnicodeMap::Load
  CPDF_Font::LoadUnicodeMap
  CPDF_Font::UnicodeFromCharCode
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97OxTt2h0FXEzbcfpK6BLm26Ie8DLEnn3p3IAJqDQCrOf3XyDiPaSzfyk6WcNt9hRM9cwKv8J67O16xiRwxSbYb-PsQQ6y3MnJP2SjMNlraYTdk8IkPnyVnx-MN1Psgey2hbaOzR2Ktn98epmta_cXNqnmsPpUUsA9y0jEvI21gn4bagx0?testcase_id=5200170184867840


Additional requirements: Requires Gestures

Issue manually filed by: mummareddy

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Components: Internals>Plugins>PDF
Status: Started (was: Assigned)
Status: Fixed (was: Started)
Project Member

Comment 6 by bugdroid1@chromium.org, Sep 7 2016

The following revision refers to this bug:
  https://pdfium.googlesource.com/pdfium.git/+/b1f5545e34375a5947004ee92cc808b3df9d4a5b

commit b1f5545e34375a5947004ee92cc808b3df9d4a5b
Author: dsinclair <dsinclair@chromium.org>
Date: Wed Sep 07 20:53:51 2016

Verify pattern start values.

When calculating the starting x and y for a pattern it is possible to overflow
the int value. Use checked math to make sure we don't overflow.

BUG= chromium:637984 

Review-Url: https://codereview.chromium.org/2317283002

[modify] https://crrev.com/b1f5545e34375a5947004ee92cc808b3df9d4a5b/core/fpdfapi/fpdf_render/fpdf_render_pattern.cpp

Project Member

Comment 7 by bugdroid1@chromium.org, Sep 7 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3eff4410ebbaf6c85cc875cc7fcdc3a1ed24a1e0

commit 3eff4410ebbaf6c85cc875cc7fcdc3a1ed24a1e0
Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org>
Date: Wed Sep 07 22:20:17 2016

Roll src/third_party/pdfium/ 1df1efa39..f56d93f8e (2 commits).

https://pdfium.googlesource.com/pdfium.git/+log/1df1efa39218..f56d93f8ea1c

$ git log 1df1efa39..f56d93f8e --date=short --no-merges --format='%ad %ae %s'
2016-09-07 dsinclair Verify image dimentions before using
2016-09-07 dsinclair Verify pattern start values.

BUG= 639160 , 637984 

TBR=dsinclair@chromium.org

Review-Url: https://codereview.chromium.org/2320823002
Cr-Commit-Position: refs/heads/master@{#417090}

[modify] https://crrev.com/3eff4410ebbaf6c85cc875cc7fcdc3a1ed24a1e0/DEPS

Project Member

Comment 8 by ClusterFuzz, Sep 8 2016

ClusterFuzz has detected this issue as fixed in range 417065:417100.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5452236614533120

Fuzzer: tokenfuzz_pdf_march16
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  CPDF_RenderStatus::DrawTilingPattern
  CPDF_RenderStatus::ProcessPathPattern
  CPDF_RenderStatus::ProcessPath
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=417065:417100

Minimized Testcase (1576.15 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97KEysSiV4YBvDXKuCDbrPdN9536bgCc45BDmbdyJbxM_gncVD9LvmwIHoDclw94WlgkUtfnJIu7u2sew_vYTJ1chJGHXzIzTv-d7J0gbElyLJ70ymr5IeuihG6LFhHogZccOO2p0Wqa6RDcXxVHpL5_wBUJfJleZDGn0wAuVkzXbmCMio?testcase_id=5452236614533120

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 9 by bugdroid1@chromium.org, Sep 8 2016

The following revision refers to this bug:
  https://pdfium.googlesource.com/pdfium.git/+/d827111fb10c7d8b89bc954ab0934b4009d6643c

commit d827111fb10c7d8b89bc954ab0934b4009d6643c
Author: dsinclair <dsinclair@chromium.org>
Date: Thu Sep 08 17:15:56 2016

Switch to ValueOrDie

We know the values are always valid at this point, so use ValueOrDie instead
of ValueOrDefault.

BUG= chromium:637984 

Review-Url: https://codereview.chromium.org/2319343003

[modify] https://crrev.com/d827111fb10c7d8b89bc954ab0934b4009d6643c/core/fpdfapi/fpdf_render/fpdf_render_pattern.cpp
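The checked-math approach described in the two dsinclair commits above (Comment 6, "Verify pattern start values", and Comment 9, "Switch to ValueOrDie"), as an added illustration that is not PDFium's code. The start-coordinate formula, the function names and the sample values are constructed assumptions; the point is how a wrapped int becomes a rejected result, and when a default versus an abort is the right response to overflow.

```cpp
#include <climits>
#include <cstdint>
#include <cstdlib>

// Constructed illustration, not PDFium's code. One axis of a tiling
// pattern's starting coordinate is modelled as
//     start = origin + index * step
// with origin, index and step all taken from document content, so every
// operand is attacker-influenced. In plain int arithmetic the multiply or
// the add can wrap, the integer-overflow class UBSan reported here.

// Checked form: do the arithmetic in a wider type and refuse any result
// that does not fit back into int, mirroring what CheckedNumeric-style
// math does. Returns false on overflow and leaves *out untouched.
bool CheckedStart(int origin, int index, int step, int* out) {
  // |index * step| <= 2^62 and |origin| <= 2^31, so int64_t never wraps.
  const int64_t product = static_cast<int64_t>(index) * step;
  const int64_t sum = product + origin;
  if (sum < INT_MIN || sum > INT_MAX)
    return false;
  *out = static_cast<int>(sum);
  return true;
}

// ValueOrDefault analogue: callers that have not yet validated the pattern
// get a safe fallback instead of a wrapped coordinate.
int StartOrDefault(int origin, int index, int step, int fallback) {
  int start = 0;
  return CheckedStart(origin, index, step, &start) ? start : fallback;
}

// ValueOrDie analogue: once both axes have been validated (below), an
// overflow here is a programming error, so abort rather than draw with
// a garbage coordinate.
int StartOrDie(int origin, int index, int step) {
  int start = 0;
  if (!CheckedStart(origin, index, step, &start))
    std::abort();
  return start;
}

// Validate both axes once up front; after this returns true, StartOrDie
// for either axis with the same operands cannot abort.
bool PatternStartIsValid(int ox, int oy, int col, int row,
                         int step_x, int step_y) {
  int unused = 0;
  return CheckedStart(ox, col, step_x, &unused) &&
         CheckedStart(oy, row, step_y, &unused);
}
```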

Project Member

Comment 10 by bugdroid1@chromium.org, Sep 8 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b1ccd20bb037a21f872c0ff939957d7f7aad599f

commit b1ccd20bb037a21f872c0ff939957d7f7aad599f
Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org>
Date: Thu Sep 08 18:27:10 2016

Roll src/third_party/pdfium/ 8c2a8cda1..d827111fb (2 commits).

https://pdfium.googlesource.com/pdfium.git/+log/8c2a8cda1bdb..d827111fb10c

$ git log 8c2a8cda1..d827111fb --date=short --no-merges --format='%ad %ae %s'
2016-09-08 dsinclair Switch to ValueOrDie
2016-09-08 weili Fix leaks in class CFGAS_FontMgrImp

BUG= 637984 

TBR=dsinclair@chromium.org

Review-Url: https://codereview.chromium.org/2324833003
Cr-Commit-Position: refs/heads/master@{#417346}

[modify] https://crrev.com/b1ccd20bb037a21f872c0ff939957d7f7aad599f/DEPS

Project Member

Comment 11 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
