Use-of-uninitialized-value in TIFFFetchDirectory
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5428787238141952

Fuzzer: libfuzzer_pdf_codec_tiff_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  TIFFFetchDirectory
  TIFFReadDirectory
  TIFFClientOpen

Recommended Security Severity: Medium

Minimized Testcase (0.16 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94co4EM3WIeEWlGdYiKPYjeScfljQgSXsydvFAfYzftp_dU-x2WSuZ1hnxFBKKoyrP4ytODkO_HmntrevXry6uzVuQx9vJVBdaUwF7L09YYwzoscnYyoJagtz1KT9oWlLQxwU1_qBy8yxVn6Z0AuT51b9jZug?testcase_id=5428787238141952

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Sep 30 2016
Sep 30 2016
Sep 30 2016
Not a duplicate, incorrectly marked.
Sep 30 2016
Sep 30 2016
Oct 3 2016
Note, the TIFF plugin is used in XFA, so is not currently used in any release of Chromium as XFA is disabled.
Oct 3 2016
Oct 3 2016
The following revision refers to this bug: https://pdfium.googlesource.com/pdfium.git/+/76383db4906c9357292846ace77566b34eb47de9

commit 76383db4906c9357292846ace77566b34eb47de9
Author: dsinclair <dsinclair@chromium.org>
Date: Mon Oct 03 20:59:57 2016

Fix potentially uninitialized value.

Depending on what ReadOK does it's possible for |dircount16| to be used without being initialized. The read code calls back into PDFium specific code which then calls into the stream reading code. Initialize the value to be sure it is set.

BUG= chromium:651632
Review-Url: https://codereview.chromium.org/2389993002

[add] https://crrev.com/76383db4906c9357292846ace77566b34eb47de9/third_party/libtiff/0007-uninitialized-value.patch
[modify] https://crrev.com/76383db4906c9357292846ace77566b34eb47de9/third_party/libtiff/README.pdfium
[modify] https://crrev.com/76383db4906c9357292846ace77566b34eb47de9/third_party/libtiff/tif_dirread.c
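To make the bug class in the commit message concrete, here is an added example that is not libtiff's or PDFium's code: a simplified model of a directory-count read whose client read callback can fail without writing to the destination. fetch_dircount_before keeps the count assigned only on success (the shape the commit describes), fetch_dircount_after initializes it first (the shape of the fix). mem_stream, mem_read, le16 and the scenario helpers are constructed for this example; the little-endian ("II") byte order and the truncated two-byte input are assumptions, and the real TIFFFetchDirectory does more (seeking, byte swapping, BigTIFF 64-bit counts) than is shown here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the client read callback that libtiff's ReadOK()
 * goes through (in PDFium that callback ends up in PDFium's stream code).
 * Returns the number of bytes stored in buf; on a short read it stores
 * nothing, which is the case that leaves the destination untouched. */
typedef size_t (*read_proc)(void *ctx, void *buf, size_t n);

typedef struct {
    const uint8_t *data;
    size_t len;
    size_t pos;
} mem_stream;

static size_t mem_read(void *ctx, void *buf, size_t n) {
    mem_stream *s = (mem_stream *)ctx;
    if (s->len - s->pos < n)
        return 0;                       /* short read: buf is not written */
    memcpy(buf, s->data + s->pos, n);
    s->pos += n;
    return n;
}

/* Decode a 16-bit value from a little-endian ("II") TIFF. Assumption made for
 * this example; the real reader honours the file's byte-order mark. */
static uint16_t le16(const uint8_t b[2]) {
    return (uint16_t)(b[0] | (b[1] << 8));
}

/* "Before" shape of the bug: the entry count is assigned only when the read
 * succeeds, so if the failure is not honoured on every path, *count keeps
 * whatever the caller's variable already held (stack garbage for a local),
 * which is what MSan flagged as use-of-uninitialized-value. */
static int fetch_dircount_before(read_proc rd, void *ctx, uint16_t *count) {
    uint8_t raw[2];
    if (rd(ctx, raw, sizeof raw) != sizeof raw) {
        fprintf(stderr, "can not read TIFF directory count\n");
        return 0;                       /* *count deliberately left as-is */
    }
    *count = le16(raw);
    return 1;
}

/* "After" shape, following the fix the commit describes: the count gets a
 * known value before the read, so every later path sees a defined number of
 * entries (zero, which a directory loop treats as an empty IFD). */
static int fetch_dircount_after(read_proc rd, void *ctx, uint16_t *count) {
    uint8_t raw[2] = {0, 0};
    *count = 0;                         /* defined even if the read fails */
    if (rd(ctx, raw, sizeof raw) != sizeof raw) {
        fprintf(stderr, "can not read TIFF directory count\n");
        return 0;
    }
    *count = le16(raw);
    return 1;
}

/* Constructed inputs: a complete 2-byte count of 3, and one cut off after a
 * single byte, modelling a truncated file like the minimized testcase. */
static const uint8_t kFullCount[]      = {0x03, 0x00};
static const uint8_t kTruncatedCount[] = {0x03};

/* Scenario helpers: return the entry count a caller ends up with. 'sentinel'
 * stands in for whatever an uninitialized local happened to contain. */
static unsigned observed_before(const uint8_t *bytes, size_t len, uint16_t sentinel) {
    mem_stream s = {bytes, len, 0};
    uint16_t count = sentinel;
    fetch_dircount_before(mem_read, &s, &count);
    return count;
}

static unsigned observed_after(const uint8_t *bytes, size_t len, uint16_t sentinel) {
    mem_stream s = {bytes, len, 0};
    uint16_t count = sentinel;
    fetch_dircount_after(mem_read, &s, &count);
    return count;
}

int main(void) {
    printf("before, truncated: count=0x%04x (stale sentinel)\n",
           observed_before(kTruncatedCount, sizeof kTruncatedCount, 0xFFFF));
    printf("after,  truncated: count=%u\n",
           observed_after(kTruncatedCount, sizeof kTruncatedCount, 0xFFFF));
    printf("after,  full:      count=%u\n",
           observed_after(kFullCount, sizeof kFullCount, 0xFFFF));
    return 0;
}
```

The sentinel makes the difference visible without relying on undefined behaviour: on the truncated input the "before" variant hands back 0xFFFF, i.e. whatever was already in memory, while the "after" variant hands back 0, and MemorySanitizer reports exactly the first kind of flow when the stale value later drives a loop or allocation. The initialization is a belt-and-braces measure; the error return from the read must still be checked by the caller.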
Oct 3 2016
Oct 3 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/0fa26ad94fd19078497d0e5626696b6f041b15b1

commit 0fa26ad94fd19078497d0e5626696b6f041b15b1
Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org>
Date: Mon Oct 03 22:39:18 2016

Roll src/third_party/pdfium/ d61f95838..76383db49 (3 commits).

https://pdfium.googlesource.com/pdfium.git/+log/d61f958385be..76383db4906c

$ git log d61f95838..76383db49 --date=short --no-merges --format='%ad %ae %s'
2016-10-03 dsinclair Fix potentially uninitialized value.
2016-10-03 tsepez Rename CFX_WeakPtr::Clear() to DestroyObject()
2016-10-03 dsinclair Guard against double deletion of page views.

BUG= 651632 , 652103
TBR=dsinclair@chromium.org

Review-Url: https://codereview.chromium.org/2388133003
Cr-Commit-Position: refs/heads/master@{#422572}

[modify] https://crrev.com/0fa26ad94fd19078497d0e5626696b6f041b15b1/DEPS
Oct 4 2016
Oct 4 2016
ClusterFuzz has detected this issue as fixed in range 422546:422646.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5428787238141952

Fuzzer: libfuzzer_pdf_codec_tiff_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  TIFFFetchDirectory
  TIFFReadDirectory
  TIFFClientOpen

Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=421422:421468
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=422546:422646

Minimized Testcase (0.16 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94co4EM3WIeEWlGdYiKPYjeScfljQgSXsydvFAfYzftp_dU-x2WSuZ1hnxFBKKoyrP4ytODkO_HmntrevXry6uzVuQx9vJVBdaUwF7L09YYwzoscnYyoJagtz1KT9oWlLQxwU1_qBy8yxVn6Z0AuT51b9jZug?testcase_id=5428787238141952

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 10 2016
Nov 29 2016
Jan 10 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by sheriffbot@chromium.org, Sep 30 2016