Integer-overflow in TetrahedralInterp16
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5287619883958272
Fuzzer: libfuzzer_pdf_codec_icc_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  TetrahedralInterp16
  CachedXFORM
  IccLib_Translate
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=420535:420584
Minimized Testcase (0.14 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94FaxOhLTO_2PAoNz-mVaWKg-3FWpK57dNB9-6wSoxPKe9lkpgrY4AJLROM4cSBmvQvl4hNCYaS6XwLi9MB8HsaruFpCEyyqrkZwbH-bTqTl37RTvq15TP6EwrBen6iCu8G1r4T_gh1QZvMvpCql5ZzLW8TAg?testcase_id=5287619883958272
Issue manually filed by: mmohammad
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Sep 23 2016
Sep 29 2016
kcwu@, can you take a look? I believe you've fixed a few of the issues in ICC.
Sep 29 2016
This one is similar to https://bugs.chromium.org/p/chromium/issues/detail?id=649847: lcms is doing tetrahedral interpolation and the result value overflowed. I'm not familiar with color space conversion and don't know how to handle such a case.
Sep 29 2016
Thanks, I'll try to take a look.
Oct 6 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4628308514045952
Fuzzer: libfuzzer_pdf_codec_icc_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  TetrahedralInterp16
  EvaluateCLUTfloatIn16
  _LUTevalFloat
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=420535:420584
Minimized Testcase (0.14 Kb): https://cluster-fuzz.appspot.com/download/AMIfv944yA-FMAFogOub0ZNWC2Jq8g6isBj2zMMWy7GtGVgUFJkAHhvNnvpQJG6oJ7O9JuR_foOR49bExuHOwBjwh1SLW3tusAhqtEcA4XKsHBu7niXJ-BX1Y0Zq5EwgqQkwp1M4FBVqNCSNhoVACaSSjL-st-ex9w?testcase_id=4628308514045952
Additional requirements: Requires Gestures
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Oct 6 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5489720576704512
Fuzzer: libfuzzer_pdf_codec_icc_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  TetrahedralInterp16
  EvaluateCLUTfloatIn16
  _LUTeval16
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=420535:420584
Minimized Testcase (0.14 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97N1prhyrRVvwMNDOwekgYuJmZdnGxh8omR5WXN8RqZnUCJmpLGzAabDE9sfbPV57YadqwiFb4MnN_yIRtd1llqpSJ-mO5bIMvhWJvUSkxgPaVQK71OfdKPvza42vG2fVPX9DqmvcB0hhKwAgmMwp91cLe5Cw?testcase_id=5489720576704512
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Oct 11 2016
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Feb 23 2017
ClusterFuzz has detected this issue as fixed in range 452123:452182.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5489720576704512
Fuzzer: libfuzzer_pdf_codec_icc_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  TetrahedralInterp16
  EvaluateCLUTfloatIn16
  _LUTeval16
Sanitizer: undefined (UBSAN)
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=420535:420584
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=452123:452182
Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96m7pxaDqLy8ZDEIraOYLnzxKSVhJbO4zlRqHmnYTCHGU1e53qv8Sy1ENIHgmvWo1SzyXYiv41XK1svnaZ-YVZMKypVq4v722loRdFg-YwtkVExFVuu1ypsJTM4bDDayLAdnGfdxwHc4YVbyM8ZXc-P4DVf25MYcLGXz4sCw_aTGCryFHe484uukTAT7Dsw87DdgXodetIm2xQ4wi6d-WA3Jr40F2N4L_AxJFVkVjS58FSHTBW6gFYG9xkBvESOJc5ItfIXYuewa3Fdit_urQFLJJ59pkW2i7AKOZJfyPnm_brcdEf-XWi_yg5y77vzFnj6343Hgop3TCys7sZAYA3-cxKmpi8MT-tudAPrHW41OTWqORI?testcase_id=5489720576704512
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 1 2017
Automatically applying components based on information from OWNERS files. If this seems incorrect, please apply the Test-Predator-Wrong-Components label.
Oct 2 2017
Oct 24 2017
For more information, please see https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md. The link referenced in the description is no longer valid. (bulk edit)
Nov 7 2017
Sep 4
Setting PDF bugs assigned to me back to untriaged so they can get re-assigned as needed.
Sep 5
Tom, I've taken a look at this issue, and what's happening is that on this line:

Rest = c1 * rx + c2 * ry + c3 * rz + 0x8001;

c1 and rx are int32s, and the values I see are:

c1 45558, c2 -45558, c3 0
rx 61424, ry 61424, rz 61424
Rest 32769

c1 * rx therefore overflows an int32, triggering the bug. Since c2 * ry negates it (with the corresponding negative overflow), and c3 is 0, the sum is 0 and Rest is 0x8001. I think this is WAI for the library, but there are integer overflows. What should we do?
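The arithmetic in the comment above, worked through as an added example that is not part of this bug thread and is not lcms code. It takes the quoted values for c1, c2, c3, rx, ry, rz, checks each product and partial sum of the Rest expression against the int32 range the way UBSan does, shows why the wrapped result still comes out as 0x8001 even though the signed overflow is undefined behaviour, and carries the same sum out in int64 as one hypothetical hardening (the thread does not say what change eventually fixed the bug, so that part is an assumption, not the actual fix).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Values quoted in the comment above for the crashing test case. */
#define SAMPLE_C1  45558
#define SAMPLE_C2 (-45558)
#define SAMPLE_C3  0
#define SAMPLE_RX  61424
#define SAMPLE_RY  61424
#define SAMPLE_RZ  61424

/* Multiply two int32 operands exactly in 64-bit and report whether the
 * product fits in int32. This is the condition UBSan enforces on each
 * product in "Rest = c1 * rx + c2 * ry + c3 * rz + 0x8001". */
static bool mul_fits_int32(int32_t a, int32_t b, int64_t *out)
{
    *out = (int64_t)a * (int64_t)b;
    return *out >= INT32_MIN && *out <= INT32_MAX;
}

/* Returns true if evaluating the Rest expression in int32 would overflow
 * at any step: a product, a partial sum, or the final + 0x8001. Every
 * partial sum is exact in int64 and then range-checked. */
bool rest_overflows_int32(int32_t c1, int32_t c2, int32_t c3,
                          int32_t rx, int32_t ry, int32_t rz)
{
    int64_t p1, p2, p3;
    if (!mul_fits_int32(c1, rx, &p1) ||
        !mul_fits_int32(c2, ry, &p2) ||
        !mul_fits_int32(c3, rz, &p3))
        return true;
    int64_t s = p1 + p2;               /* both in int32 range, exact in int64 */
    if (s < INT32_MIN || s > INT32_MAX) return true;
    s += p3;
    if (s < INT32_MIN || s > INT32_MAX) return true;
    s += 0x8001;
    return s < INT32_MIN || s > INT32_MAX;
}

/* What the hardware produces when the overflow wraps: unsigned arithmetic
 * is well defined modulo 2^32, and for this input the two overflowing
 * products cancel exactly, which is why the result still "looks right"
 * (0x8001) even though the signed C expression is undefined behaviour. */
int32_t rest_int32_wrapping(int32_t c1, int32_t c2, int32_t c3,
                            int32_t rx, int32_t ry, int32_t rz)
{
    uint32_t acc = (uint32_t)c1 * (uint32_t)rx
                 + (uint32_t)c2 * (uint32_t)ry
                 + (uint32_t)c3 * (uint32_t)rz
                 + 0x8001u;
    return (int32_t)acc;  /* value is in range here, so the cast is exact */
}

/* Hypothetical hardening (an assumption for this example, not the fix that
 * closed the bug): widen every operand to int64 before multiplying, so no
 * intermediate term can overflow for inputs on a 16-bit scale, and let the
 * caller clamp or shift the wide result afterwards. */
int64_t rest_int64(int32_t c1, int32_t c2, int32_t c3,
                   int32_t rx, int32_t ry, int32_t rz)
{
    return (int64_t)c1 * rx + (int64_t)c2 * ry + (int64_t)c3 * rz + 0x8001;
}

int main(void)
{
    printf("int32 overflow:     %s\n",
           rest_overflows_int32(SAMPLE_C1, SAMPLE_C2, SAMPLE_C3,
                                SAMPLE_RX, SAMPLE_RY, SAMPLE_RZ) ? "yes" : "no");
    printf("wrapped int32 Rest: %d\n",
           rest_int32_wrapping(SAMPLE_C1, SAMPLE_C2, SAMPLE_C3,
                               SAMPLE_RX, SAMPLE_RY, SAMPLE_RZ));
    printf("exact int64 Rest:   %lld\n",
           (long long)rest_int64(SAMPLE_C1, SAMPLE_C2, SAMPLE_C3,
                                 SAMPLE_RX, SAMPLE_RY, SAMPLE_RZ));
    return 0;
}
```

With the quoted values, 45558 * 61424 is 2798354592, which exceeds INT32_MAX, so `rest_overflows_int32` reports the same overflow UBSan flagged; the wrapped and the widened computations both yield 32769 (0x8001) because the two oversized products cancel. The point for a reviewer is that a correct observed output is not evidence of defined behaviour: the compiler is free to assume the signed products never overflow, so a fix has to either widen the arithmetic or reject inputs that put the products out of range.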
Oct 17
ClusterFuzz has detected this issue as fixed in range 600184:600189.

Detailed report: https://clusterfuzz.com/testcase?key=4628308514045952
Fuzzer: libFuzzer_pdf_codec_icc_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  TetrahedralInterp16
  EvaluateCLUTfloatIn16
  _LUTevalFloat
Sanitizer: undefined (UBSAN)
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=420535:420584
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=600184:600189
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4628308514045952
Additional requirements: Requires Gestures
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 17
ClusterFuzz has detected this issue as fixed in range 600184:600189.

Detailed report: https://clusterfuzz.com/testcase?key=5287619883958272
Fuzzer: libFuzzer_pdf_codec_icc_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  TetrahedralInterp16
  CachedXFORM
  cmsDoTransform
Sanitizer: undefined (UBSAN)
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=420535:420584
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=600184:600189
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5287619883958272
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 17
ClusterFuzz testcase 4628308514045952 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Oct 17
PartitionAlloc update broke the fuzzer.
Dec 4
thestig@, why did you re-open this bug? Does tsepez@ need to do anything else here? The fact that this bug is still open, even though all the crashes were fixed, prevents ClusterFuzz from reporting other similar issue(s) like https://clusterfuzz.com/testcase-detail/5888708253057024
Dec 4
Around the time I posted comment 20, I broke all the fuzzers, so I reopened all the ones that CF was confused about. Comment 10 should have marked this as fixed, but it didn't for some reason.
Comment 1 by mmohammad@chromium.org, Sep 23 2016: Status: Assigned (was: Untriaged)