Heap-buffer-overflow in TetrahedralInterpFloat
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5306574816149504

Fuzzer: afl_pdf_codec_icc_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x609000000c54
Crash State:
  TetrahedralInterpFloat
  Eval4InputsFloat
  Eval5InputsFloat

Recommended Security Severity: Medium

Minimized Testcase (0.17 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96Qm88VpNEwUaWBaxHvDU1Uw0J0OTotaSUkt4H-uJXnciD8X-gzPM1C1h16sUURx9ccY6bD4VWWoArjwnUay3QkeX61KILrRP8lVYjrr1dl0d-CWjAf_h33mreoHX66HTEJ1mZ6ufOyatiAuJXPwgJliQk3Rg?testcase_id=5306574816149504

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Oct 10 2016

Oct 10 2016

Oct 11 2016
kcwu@ more ICC fuzzer fun. Please feel free to assign these back to me if needed.
Oct 12 2016
This is similar to issue 654265.

It crashed at https://cs.chromium.org/chromium/src/third_party/pdfium/third_party/lcms2-2.6/src/cmsintrp.c?sq=package:chromium&dr=CSs&l=633

    c1 = DENS(X1, Y0, Z0) - c0;

where X1=1, Y0=0, Z0=0, which is LutTable[1].

LutTable is allocated at https://cs.chromium.org/chromium/src/third_party/pdfium/third_party/lcms2-2.6/src/cmslut.c?sq=package:chromium&dr=CSs&l=503

    NewElem ->Tab.TFloat = (cmsFloat32Number*) _cmsDupMem(mpe ->ContextID, Data ->Tab.TFloat, Data ->nEntries * sizeof (cmsFloat32Number));

where Data->nEntries=1.
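The mismatch kcwu describes above (a CLUT stage whose table holds a single entry while the interpolator reaches for grid point X1=1), modelled in C as an added example; this is not lcms2 code and not the backported upstream fix, the struct and function names are hypothetical, and the two tables at the end are constructed inputs.

```c
#include <stddef.h>
#include <stdint.h>
/* Added, simplified model of an lcms-style float CLUT stage (hypothetical
   names; not lcms2 code). Tab holds nEntries floats laid out as a dense
   grid of nGridPoints^nInputs nodes with nOutputs floats per node. */
typedef struct {
    uint32_t nGridPoints;
    uint32_t nInputs;
    uint32_t nOutputs;
    uint32_t nEntries;   /* floats actually present in Tab */
    const float *Tab;
} ClutFloat;

/* Floats a dense CLUT of these dimensions must hold; 0 signals overflow. */
uint32_t clut_required_entries(uint32_t grid, uint32_t inputs, uint32_t outputs)
{
    uint64_t n = outputs;
    for (uint32_t i = 0; i < inputs; i++) {
        n *= grid;
        if (n > UINT32_MAX) return 0;
    }
    return (uint32_t)n;
}

/* The invariant the interpolator relies on: every grid node it may touch,
   including the X1/Y1/Z1 corners, lies inside the allocated table. */
int clut_is_consistent(const ClutFloat *c)
{
    uint32_t need = clut_required_entries(c->nGridPoints, c->nInputs, c->nOutputs);
    return need != 0 && c->nEntries >= need;
}

/* Fetch the first output at grid node (x,y,z) of a 3-input table, the kind
   of access DENS(X1, Y0, Z0) performs. Returns 0 instead of reading past
   the table when the stage is inconsistent or the node is off-grid. */
int clut_sample_node(const ClutFloat *c, uint32_t x, uint32_t y, uint32_t z, float *out)
{
    if (c->nInputs != 3 || !clut_is_consistent(c)) return 0;
    if (x >= c->nGridPoints || y >= c->nGridPoints || z >= c->nGridPoints) return 0;
    size_t node = ((size_t)x * c->nGridPoints + y) * c->nGridPoints + z;
    *out = c->Tab[node * c->nOutputs];
    return 1;
}

/* Constructed inputs: the report's shape (1 entry, yet X1=1 is read) and a valid 2x2x2 table. */
static const float one_entry[1] = { 0.5f };
static const float full_grid[8] = { 0, 1, 2, 3, 4, 5, 6, 7 };
const ClutFloat truncated_clut = { 2, 3, 1, 1, one_entry };
const ClutFloat valid_clut     = { 2, 3, 1, 8, full_grid };
```

With the one-entry table the node (1,0,0) lookup is refused before any memory is touched, which is the read ASan flagged as LutTable[1] in the report.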
Oct 27 2016
kcwu: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time!

To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Oct 27 2016
Nov 7 2016
The following revision refers to this bug:
https://pdfium.googlesource.com/pdfium.git/+/413e3518ce390860cb5560720e5fba3ca7c8f764

commit 413e3518ce390860cb5560720e5fba3ca7c8f764
Author: kcwu <kcwu@chromium.org>
Date: Mon Nov 07 18:41:52 2016

lcms: backport upstream commit c0a98d86

This fixed several issues.

BUG=chromium:654265, chromium:657282, chromium:654676, chromium:654313
Review-Url: https://codereview.chromium.org/2482523003

[add] https://crrev.com/413e3518ce390860cb5560720e5fba3ca7c8f764/third_party/lcms2-2.6/0012-backport-c0a98d86.patch
[modify] https://crrev.com/413e3518ce390860cb5560720e5fba3ca7c8f764/third_party/lcms2-2.6/README.pdfium
[modify] https://crrev.com/413e3518ce390860cb5560720e5fba3ca7c8f764/third_party/lcms2-2.6/src/cmsintrp.c
[modify] https://crrev.com/413e3518ce390860cb5560720e5fba3ca7c8f764/third_party/lcms2-2.6/src/cmsio0.c
[modify] https://crrev.com/413e3518ce390860cb5560720e5fba3ca7c8f764/third_party/lcms2-2.6/src/cmstypes.c
Nov 8 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/497a104c1a41fa6840998a97b1c674da1fd00c9b

commit 497a104c1a41fa6840998a97b1c674da1fd00c9b
Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org>
Date: Tue Nov 08 05:00:34 2016

Roll src/third_party/pdfium/ a97fc7c63..3c669a7fb (8 commits).

https://pdfium.googlesource.com/pdfium.git/+log/a97fc7c6392c..3c669a7fb05d

$ git log a97fc7c63..3c669a7fb --date=short --no-merges --format='%ad %ae %s'
2016-11-07 thestig Fix #include after commit c09625ca.
2016-11-07 tsepez Force compiler to deduce src type for checked_cast<dst, src>.
2016-11-07 tsepez Hold trailers via unique_ptrs.
2016-11-07 thestig Sync pdfium tryserver list with main pdfium waterfall.
2016-11-07 tsepez Use unique_ptr return from CPDF_Parser::ParseIndirectObject()
2016-11-07 tsepez Rename CPDF_Linearized to CPDF_LinearizedHeader
2016-11-07 kcwu lcms: backport upstream commit c0a98d86
2016-11-07 dsinclair Fold DataProviders into parent classes

BUG=654265, 657282, 654676, 654313

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, see:
http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls

TBR=dsinclair@chromium.org
Review-Url: https://codereview.chromium.org/2485023002
Cr-Commit-Position: refs/heads/master@{#430520}

[modify] https://crrev.com/497a104c1a41fa6840998a97b1c674da1fd00c9b/DEPS
Nov 9 2016
ClusterFuzz has detected this issue as fixed in range 430510:430537.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5306574816149504

Fuzzer: afl_pdf_codec_icc_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x609000000c54
Crash State:
  TetrahedralInterpFloat
  Eval4InputsFloat
  Eval5InputsFloat

Recommended Security Severity: Medium

Fixed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=430510:430537

Minimized Testcase (0.17 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96Qm88VpNEwUaWBaxHvDU1Uw0J0OTotaSUkt4H-uJXnciD8X-gzPM1C1h16sUURx9ccY6bD4VWWoArjwnUay3QkeX61KILrRP8lVYjrr1dl0d-CWjAf_h33mreoHX66HTEJ1mZ6ufOyatiAuJXPwgJliQk3Rg?testcase_id=5306574816149504

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Feb 16 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment 1 by sheriffbot@chromium.org, Oct 10 2016