Issue 639451

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: Aug 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security




Heap-use-after-free in std::__1::__tree_const_iterator<std::__1::__value_type<CFX_ByteString, CPDF_Obje

Project Member Reported by ClusterFuzz, Aug 19 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4749371256340480

Fuzzer: ochang_neurofuzz_borgfuzz
Job Type: linux_asan_pdfium
Platform Id: linux

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x6040000092e8
Crash State:
  std::__1::__tree_const_iterator<std::__1::__value_type<CFX_ByteString, CPDF_Obje
  CPDF_Dictionary::GetDictBy
  CPDF_Document::RetrievePageCount
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_pdfium&range=412760:412915

Minimized Testcase (21.79 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95wuG3tR58pmbiyKW1YhQ9HlvUmGaGadDXbRIu-rgSBaiUVGj8LvjXMrFA1X76EHobiBLozufoAvOkKajPpZZh0Xk_paJQ9hlOmM6ieh1D3FHOYwbssh0GDJoWIJ_eSsXQ72Ju974BAn_XcwvBczH2RBgrPjxmmD-KdKMaHue73zzW4Bmw?testcase_id=4749371256340480

Issue manually filed by: inferno

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Components: Infra>Client>Pdfium
Owner: dsinclair@chromium.org
Status: Assigned (was: Untriaged)
+dsinclair@, could you take a look at this one? Since you're quite active in cpdf-related code (and a couple of your CLs are in the regression range).
Thanks!
Project Member

Comment 2 by sheriffbot@chromium.org, Aug 20 2016

Labels: M-54
Project Member

Comment 3 by sheriffbot@chromium.org, Aug 20 2016

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 4 by sheriffbot@chromium.org, Aug 20 2016

Labels: Pri-1
Status: Started (was: Assigned)
This appears to have been caused by https://codereview.chromium.org/2266033002/ which is being reverted.
Components: -Infra>Client>Pdfium Internals>Plugins>PDF
Status: Fixed (was: Started)
Should be fixed with https://pdfium.googlesource.com/pdfium/+/8d6c929d2605dc568beb73aab2c585622947fee2 which should roll into Chromium soon.
Project Member

Comment 8 by ClusterFuzz, Aug 23 2016

ClusterFuzz has detected this issue as fixed in range 413455:413548.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4749371256340480

Fuzzer: ochang_neurofuzz_borgfuzz
Job Type: linux_asan_pdfium
Platform Id: linux

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x6040000092e8
Crash State:
  CPDF_Document::RetrievePageCount
  CPDF_Document::LoadDoc
  CPDF_Parser::StartParse
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_pdfium&range=412760:412915
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_pdfium&range=413455:413548

Minimized Testcase (21.79 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97zji36pxOFuqFCgt1uVu9dfne9zCDFb1ONy5gO6Dx3oTFyGZ1ButdWxBBeZcLEntQoqdqXgEmhyxwr_hPE9rIUuu2JAU43oLETNJ4Z-tyKgAUETYjAzzaLDGCUTbCjYSSVDb3xsdTL4-WmBaKFkHE9cs1TgOXhnxMhGOwns_o8cRzCxmA?testcase_id=4749371256340480

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 9 by sheriffbot@chromium.org, Aug 23 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 10 by sheriffbot@chromium.org, Nov 29 2016

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 11 by ClusterFuzz, Jul 14 2017

Labels: Needs-Feedback
ClusterFuzz testcase 5727537105993728 is still reproducing on tip-of-tree build (trunk).

Please re-test your fix against this testcase and if the fix was incorrect or incomplete, please re-open the bug. Otherwise, ignore this notification and add ClusterFuzz-Wrong label.
Labels: -ReleaseBlock-Beta
Status: Assigned (was: Fixed)
Reopening so we can test if this is still broken ... Removing RB-Beta as this was from M54.
Project Member

Comment 13 by sheriffbot@chromium.org, Jul 18 2017

Labels: -Security_Impact-Head -M-54 Security_Impact-Stable M-59
Project Member

Comment 14 by sheriffbot@chromium.org, Jul 18 2017

Labels: Deadline-Exceeded
We commit ourselves to a 60 day deadline for fixing for high severity vulnerabilities, and have exceeded it here. If you're unable to look into this soon, could you please find another owner or remove yourself so that this gets back into the security triage queue?

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 15 by sheriffbot@chromium.org, Jul 26 2017

Labels: -M-59 M-60
Project Member

Comment 16 by sheriffbot@chromium.org, Aug 1 2017

dsinclair: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Dan, this is now one of the stalest bugs -- can we close this out?
Status: Fixed (was: Assigned)
The ClusterFuzz page says Fixed. Closing.
Project Member

Comment 19 by sheriffbot@chromium.org, Aug 13 2017

Labels: Merge-Request-61
Project Member

Comment 20 by sheriffbot@chromium.org, Aug 13 2017

Labels: -Merge-Request-61 Merge-Review-61 Hotlist-Merge-Review
This bug requires manual review: M61 has already been promoted to the beta branch.
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), ketakid@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: awhalley@chromium.org
I don't think any merge is needed here.
Also, this bug has existed since M54, reported in August 2016. So even if a merge is needed, this can wait until M62.
+awhalley@, please double check. Thank you.

Labels: -Hotlist-Merge-Review -Merge-Review-61 Merge-Rejected-61
No 61 merge needed.
Labels: -M-60 M-62
Labels: Release-0-M62