Integer-overflow in CPDF_ToUnicodeMap::Load
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4591831520378880

Fuzzer: ochang_search_index_mutator
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address:
Crash State:
  CPDF_ToUnicodeMap::Load
  CPDF_Font::LoadUnicodeMap
  CPDF_Font::UnicodeFromCharCode

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=368790:368799

Minimized Testcase (297.32 Kb): https://cluster-fuzz.appspot.com/download/AMIfv950g4i4rnGWU4cFMgQRoV0sYqNqZfNLeX4rQz6AgFQQEIcS3mC7v0VwRGyR-WFDU2s9zrnPn8MRHwx4pzrNbaDKNBN6q5xQB9IGBqEjJDct2Lie2K1fvw-5uIzzoC92eZhh253o1O0mdIgHL6QTlCe-taSLr-M5Dihu1azqC4U3ynhTer0?testcase_id=4591831520378880

Issue manually filed by: ranjitkan

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Oct 3 2016
npm@ can you take a look?
Oct 4 2016
The following revision refers to this bug:
https://pdfium.googlesource.com/pdfium.git/+/89f9ee3b8f3b4756f05ff48055f4bff7353201e2

commit 89f9ee3b8f3b4756f05ff48055f4bff7353201e2
Author: npm <npm@chromium.org>
Date: Tue Oct 04 17:15:55 2016

Use FX_SAFE_UINT32 on CPDF_ToUnicodeMap::Load

m_Map maps to unsigned integer, but m_MultiCharBuf.GetLength() returns an integer. There will be integer overflow if the length is big, and UBSAN will complain. Thus, using FX_SAFE_UINT32. Replacing with uint32 would work as well: the point is to consider the length as uint instead of int.

BUG= chromium:652232
Review-Url: https://codereview.chromium.org/2393573002

[modify] https://crrev.com/89f9ee3b8f3b4756f05ff48055f4bff7353201e2/core/fpdfapi/fpdf_font/fpdf_font.cpp
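Added example (not pdfium's code and not part of the bug thread): a model of the signed-length arithmetic the commit message describes and of the checked-unsigned fix. Two things are assumptions of mine rather than statements on this page: that the multi-char entry stored in the map is computed as `buffer length * 0x10000 + 0xffff` (my reconstruction of the pattern; the commit message only says an `int` length ends up in a map of unsigned values), and that `SafeUint32` below behaves like pdfium's `FX_SAFE_UINT32` (a checked `uint32_t` whose `ValueOrDefault()` returns the default once any operation overflowed). `ToUnicodeMapModel` is a toy stand-in for `CPDF_ToUnicodeMap`, with constructed sample mappings.

```cpp
#include <cstdint>
#include <iostream>
#include <map>
#include <string>

// Stand-in for FX_SAFE_UINT32 (assumed semantics): a negative or out-of-range
// input, or any arithmetic overflow, marks the value invalid for good.
class SafeUint32 {
 public:
  explicit SafeUint32(int64_t v)
      : valid_(v >= 0 && v <= static_cast<int64_t>(UINT32_MAX)),
        value_(valid_ ? static_cast<uint32_t>(v) : 0) {}

  SafeUint32 Mul(uint32_t rhs) const {
    SafeUint32 r(0);
    r.valid_ = valid_ && !__builtin_mul_overflow(value_, rhs, &r.value_);
    if (!r.valid_) r.value_ = 0;
    return r;
  }
  SafeUint32 Add(uint32_t rhs) const {
    SafeUint32 r(0);
    r.valid_ = valid_ && !__builtin_add_overflow(value_, rhs, &r.value_);
    if (!r.valid_) r.value_ = 0;
    return r;
  }
  bool IsValid() const { return valid_; }
  uint32_t ValueOrDefault(uint32_t d) const { return valid_ ? value_ : d; }

 private:
  bool valid_;
  uint32_t value_;
};

// Unchecked pattern (assumed shape of the pre-fix code):
//   int len = m_MultiCharBuf.GetLength();  m_Map[code] = len * 0x10000 + 0xffff;
// That is signed int arithmetic, so any length >= 0x8000 exceeds INT_MAX.
// Detected with the overflow builtins so this example never executes the UB.
bool SignedEncodingOverflows(int buf_length) {
  int tmp = 0;
  if (__builtin_mul_overflow(buf_length, 0x10000, &tmp)) return true;
  return __builtin_add_overflow(tmp, 0xffff, &tmp);
}

// Fixed pattern: treat the length as a checked unsigned value. The map value
// is uint32_t, so 0x8000 * 0x10000 + 0xffff fits; only lengths of 0x10000 and
// above (or a negative length) are rejected and encode as 0.
uint32_t EncodeMultiCharChecked(int buf_length) {
  SafeUint32 uni(buf_length);
  uni = uni.Mul(0x10000u).Add(0xffffu);
  return uni.ValueOrDefault(0);
}

// Toy model of the map layout: a single code point is stored directly; a
// multi-code-point destination is appended (length-prefixed) to a shared
// buffer and the map holds the checked encoding of its buffer offset.
class ToUnicodeMapModel {
 public:
  void Add(uint32_t srccode, const std::u16string& dest) {
    if (dest.size() == 1) {
      map_[srccode] = dest[0];
      return;
    }
    map_[srccode] =
        EncodeMultiCharChecked(static_cast<int>(multi_char_buf_.size()));
    multi_char_buf_.push_back(static_cast<char16_t>(dest.size()));
    multi_char_buf_ += dest;
  }

  // Low 16 bits == 0xffff marks a buffer reference (U+FFFF is a noncharacter,
  // so a direct entry never looks like one). A rejected encoding is 0 and
  // therefore decodes to U+0000 instead of indexing the buffer.
  std::u16string Lookup(uint32_t srccode) const {
    auto it = map_.find(srccode);
    if (it == map_.end()) return std::u16string();
    uint32_t v = it->second;
    if ((v & 0xffff) != 0xffff)
      return std::u16string(1, static_cast<char16_t>(v & 0xffff));
    size_t index = v >> 16;
    if (index >= multi_char_buf_.size()) return std::u16string();
    size_t len = multi_char_buf_[index];
    return multi_char_buf_.substr(index + 1, len);
  }

 private:
  std::map<uint32_t, uint32_t> map_;
  std::u16string multi_char_buf_;
};

// Constructed sample: one direct mapping and two ligature-style expansions.
bool ModelRoundTrips() {
  ToUnicodeMapModel m;
  m.Add(0x41, u"A");
  m.Add(0x01, u"fi");
  m.Add(0x02, u"ffl");
  return m.Lookup(0x41) == u"A" && m.Lookup(0x01) == u"fi" &&
         m.Lookup(0x02) == u"ffl" && m.Lookup(0x99).empty();
}

int main() {
  std::cout << "len 0x7fff overflows int? " << SignedEncodingOverflows(0x7fff)
            << "\nlen 0x8000 overflows int? " << SignedEncodingOverflows(0x8000)
            << std::hex << "\nchecked(0x8000)  = 0x" << EncodeMultiCharChecked(0x8000)
            << "\nchecked(0x10000) = 0x" << EncodeMultiCharChecked(0x10000)
            << "\nmodel round-trips: " << ModelRoundTrips() << "\n";
  return 0;
}
```

The reason the checked type is the right fix rather than a plain cast: a `uint32_t` cast silences UBSan for lengths up to 0xffff but still wraps silently at 0x10000, and the wrapped value would then be used as a buffer index in the lookup path. `ValueOrDefault(0)` turns that into a well-defined degraded entry.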
Oct 4 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/af0f73399f18929d1b6871b6a33661c5684f82cb

commit af0f73399f18929d1b6871b6a33661c5684f82cb
Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org>
Date: Tue Oct 04 19:07:48 2016

Roll src/third_party/pdfium/ 78c271dd9..89f9ee3b8 (1 commit).

https://pdfium.googlesource.com/pdfium.git/+log/78c271dd9ee8..89f9ee3b8f3b

$ git log 78c271dd9..89f9ee3b8 --date=short --no-merges --format='%ad %ae %s'
2016-10-04 npm Use FX_SAFE_UINT32 on CPDF_ToUnicodeMap::Load

BUG= 652232
TBR=dsinclair@chromium.org

Review-Url: https://codereview.chromium.org/2385063004
Cr-Commit-Position: refs/heads/master@{#422877}

[modify] https://crrev.com/af0f73399f18929d1b6871b6a33661c5684f82cb/DEPS
Oct 5 2016
ClusterFuzz has detected this issue as fixed in range 422834:422891.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4591831520378880

Fuzzer: ochang_search_index_mutator
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address:
Crash State:
  CPDF_ToUnicodeMap::Load
  CPDF_Font::LoadUnicodeMap
  CPDF_Font::UnicodeFromCharCode

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=368790:368799
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=422834:422891

Minimized Testcase (297.32 Kb): https://cluster-fuzz.appspot.com/download/AMIfv950g4i4rnGWU4cFMgQRoV0sYqNqZfNLeX4rQz6AgFQQEIcS3mC7v0VwRGyR-WFDU2s9zrnPn8MRHwx4pzrNbaDKNBN6q5xQB9IGBqEjJDct2Lie2K1fvw-5uIzzoC92eZhh253o1O0mdIgHL6QTlCe-taSLr-M5Dihu1azqC4U3ynhTer0?testcase_id=4591831520378880

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
May 15 2017
Comment 1 by ranjitkan@chromium.org, Oct 3 2016

Components: Tools>Test>FindIt>CorrectResult
Labels: -Pri-1 -Type-Bug Findit-for-crash M-55 Te-Logged Pri-2 Type-Bug-Regression
Owner: dsinclair@chromium.org
Status: Assigned (was: Untriaged)