
Issue 652225

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Closed: Feb 2017
Cc:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug-Regression




Integer-overflow in PS_Conv_Strtol

Reported by ClusterFuzz (Project Member), Oct 3 2016

Issue description

Cc: olva...@gmail.com
Components: Tools>Test>FindIt>CorrectResult
Labels: -Pri-1 -Type-Bug Findit-for-crash M-55 Te-Logged Pri-2 Type-Bug-Regression
Author: Wu, Chia-I (吳佳一)
Project: chromium-freetype2
Changelist: https://chromium.googlesource.com/chromium/src/third_party/freetype2.git/+/108fdbbbd3ab7ea18b512762abd01ab4a051ca34
Time: Mon Jan 16 15:35:56 2006
The CL last changed line 107 of file psconv.c, which is stack frame 0.

Author: Wu, Chia-I (吳佳一)
Project: chromium-freetype2
Changelist: https://chromium.googlesource.com/chromium/src/third_party/freetype2.git/+/108fdbbbd3ab7ea18b512762abd01ab4a051ca34
Time: Mon Jan 16 15:35:56 2006
The CL last changed line 128 of file psconv.c, which is stack frame 1.

Author: Wu, Chia-I (吳佳一)
Project: chromium-freetype2
Changelist: https://chromium.googlesource.com/chromium/src/third_party/freetype2.git/+/108fdbbbd3ab7ea18b512762abd01ab4a051ca34
Time: Mon Jan 16 15:35:56 2006
The CL last changed line 1108 of file psobjs.c, which is stack frame 2.

@Wu, Chia-I: Cc'ing you. Request you to please take a look into it.
Labels: Needs-triage
Cc: w...@gnu.org nyerramilli@chromium.org
Labels: Test-Predator-Correct-CLs
Owner: bunge...@chromium.org
Status: Assigned (was: Untriaged)
Providing Findit results for internal purposes:

Suspected CLs: the result is a list of CLs that change the crashed files.

Author: Werner Lemberg
Project: chromium-freetype2
Changelist: https://chromium.googlesource.com/chromium/src/third_party/freetype2.git/+/fc1532a7c4c592f24a4c1a0261d2845524ca5cff
Time: Thu Jan 23 07:14:53 2014
Files psobjs.c, t1load.c are changed in this cl (and is part of stack frame #2, "ps_parser_load_field"; frame #3, "ps_parser_load_field_table")
Minimum distance from crash line to modified line: 70. (file: t1load.c, crashed on: 1034, modified: 1104).

Suspected Project: chromium-freetype2

Based on Findit results, assigning to wl@gnu.org. Could you please check the issue and update?
Such bugs should be filed against Ubuntu Precise, not the FreeType project. The code in third_party/freetype2 is the same source as that of the Ubuntu Precise fork of FreeType. No point in bothering FreeType with old, probably already fixed, bugs.

It wouldn't be that much work for fuzzer bots to build against a much newer FreeType, however. The reason for the FreeType in the content shell being stuck at Ubuntu Precise is to keep the layout tests stable. I think if the build at https://cs.chromium.org/chromium/src/content/shell/BUILD.gn?q=third_party/freetype2+file:BUILD.gn&sq=package:chromium&l=363&dr=C were updated from 

if (is_linux) {
  deps += [ "//third_party/freetype2" ]
}

to

if (is_linux) {
  if (is_fuzzer_build) {
    deps += [ "//third_party/freetype-android:freetype" ]
  } else {
    deps += [ "//third_party/freetype2" ]
  }
}

it would be more interesting. However, I'm not sure what 'is_fuzzer_build' should be to keep things sane.
Comment 5 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 6 by ClusterFuzz (Project Member), Feb 28 2017

ClusterFuzz has detected this issue as fixed in range 453210:453213.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6479101315776512

Fuzzer: ochang_search_index_mutator
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  PS_Conv_Strtol
  PS_Conv_ToInt
  ps_parser_load_field
  
Sanitizer: undefined (UBSAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=409458:409520
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=453210:453213

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96373xwAs_ApCPNvHk-HUITPqwXpDwEBX9bfKa9BB8u0ZxbKC_tDmy75ULLZGJwaKeyztUJpRiMfAlm8cLSnoFlAVZYkEs4yT_igb4yF2t00gOQ9soh7u5epZvS-zi4VM97gd8mRHekmffgD8iLhC0deMOatnhqQuhjgsHSuv68RG4FRCY?testcase_id=6479101315776512


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
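The crash state above (PS_Conv_Strtol reached from PS_Conv_ToInt while a parser field is loaded) together with the UBSan crash type "Integer-overflow" describes the usual shape of this bug class: a digit loop accumulating `num = num * base + digit` in a signed type, which is undefined behaviour as soon as the input carries more digits than the type holds. The following is an added illustration, not code from this page, from FreeType's psconv.c, or from the fix ClusterFuzz verified: a minimal strtol-style accumulator in that naive shape beside a hardened one that tests a cutoff before every step, saturates at LONG_MAX / LONG_MIN, keeps consuming digits so the parser position stays consistent, and reports the overflow to its caller. The optional `base#digits` radix form is PostScript's own syntax, but its handling here and every function name (digit_value, naive_strtol, checked_strtol, parse_ps_int and the wrappers) are assumptions made for the example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Value of ASCII digit c in `base` (2..36), or -1 if c is not one. */
static int digit_value(int c, int base)
{
    int v;
    if (c >= '0' && c <= '9')      v = c - '0';
    else if (c >= 'a' && c <= 'z') v = c - 'a' + 10;
    else if (c >= 'A' && c <= 'Z') v = c - 'A' + 10;
    else                           return -1;
    return v < base ? v : -1;
}

/* Naive strtol shape: a signed accumulator updated as num * base + v.
 * Once num exceeds LONG_MAX / base the multiplication is undefined
 * behaviour; -fsanitize=signed-integer-overflow reports it at run time as
 * "Integer-overflow". Kept for contrast and only exercised on inputs that
 * fit in a long. */
static long naive_strtol(const char *p, const char *limit, int base)
{
    long num = 0;
    int  neg = 0;
    if (p < limit && (*p == '-' || *p == '+')) { neg = (*p == '-'); p++; }
    while (p < limit) {
        int v = digit_value(*p, base);
        if (v < 0) break;
        num = num * base + v;   /* wraps silently, or traps under UBSan */
        p++;
    }
    return neg ? -num : num;
}

/* Hardened strtol: accumulates a non-positive value so LONG_MIN is
 * representable, tests the cutoff before every step (the BSD strtol
 * technique), saturates at LONG_MAX / LONG_MIN, keeps consuming digits so
 * *endp lands where the caller expects, and reports overflow explicitly. */
static long checked_strtol(const char *p, const char *limit, int base,
                           const char **endp, bool *overflow)
{
    long num = 0, lim, cutoff;
    int  neg = 0, cutlim;

    *overflow = false;
    if (p < limit && (*p == '-' || *p == '+')) { neg = (*p == '-'); p++; }
    lim    = neg ? LONG_MIN : -LONG_MAX;
    cutoff = lim / base;          /* last accumulator value that can take a digit */
    cutlim = (int)-(lim % base);  /* largest digit allowed at exactly cutoff */

    while (p < limit) {
        int v = digit_value(*p, base);
        if (v < 0) break;
        if (!*overflow) {
            if (num < cutoff || (num == cutoff && v > cutlim))
                *overflow = true;     /* next step would leave [LONG_MIN, LONG_MAX] */
            else
                num = num * base - v; /* provably in range here */
        }
        p++;
    }
    if (endp) *endp = p;
    if (*overflow) return neg ? LONG_MIN : LONG_MAX;
    return neg ? num : -num;
}

/* Integer token with PostScript's optional radix form base#digits
 * (e.g. 16#FF == 255). The layout is an assumption for this example, not
 * FreeType's PS_Conv_ToInt; a sign after '#' is accepted here although
 * PostScript does not allow one. */
static long parse_ps_int(const char *p, const char *limit,
                         const char **endp, bool *overflow)
{
    const char *q;
    long val = checked_strtol(p, limit, 10, &q, overflow);
    if (q < limit && *q == '#' && !*overflow && val >= 2 && val <= 36) {
        const char *r;
        bool ov;
        long mant = checked_strtol(q + 1, limit, (int)val, &r, &ov);
        if (r > q + 1) {              /* at least one digit followed '#' */
            if (endp) *endp = r;
            *overflow = ov;
            return mant;
        }
    }
    if (endp) *endp = q;
    return val;
}

/* NUL-terminated convenience wrappers. */
static long ps_int_value(const char *s)
{ bool ov; return parse_ps_int(s, s + strlen(s), NULL, &ov); }
static int ps_int_overflowed(const char *s)
{ bool ov; (void)parse_ps_int(s, s + strlen(s), NULL, &ov); return ov; }
static int ps_int_consumed(const char *s)
{ bool ov; const char *e; (void)parse_ps_int(s, s + strlen(s), &e, &ov); return (int)(e - s); }
static long naive_value(const char *s)
{ return naive_strtol(s, s + strlen(s), 10); }
```

Two properties of the hardened version matter for a font parser: the cutoff test is done on the accumulator before the multiply, so no signed operation ever overflows (nothing for UBSan to report), and digits are still consumed after saturation, so a fuzzed 40-digit number moves the parser past the whole token instead of leaving it stranded mid-number. A 40-digit string of nines saturates whether long is 32 or 64 bits wide.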
Comment 7 by ClusterFuzz (Project Member), Feb 28 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 6479101315776512 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
