Issue 654365

Issue metadata

Status: Fixed
Owner:
Closed: Oct 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug


Direct-leak in CJBig2_Image::subImage

Reported by ClusterFuzz (Project Member), Oct 10 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6645639570259968

Fuzzer: libfuzzer_pdf_codec_jbig2_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Direct-leak
Crash Address: 
Crash State:
  CJBig2_Image::subImage
  CJBig2_SDDProc::decode_Huffman
  CJBig2_Context::parseSymbolDict
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=424084:424087

Minimized Testcase (0.05 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94ytpm9CilAFgTTPmOun4vDDERDWBmrXtDdqzZZ3AMII6-gjUfHn-zR29RSz-icg76nHdC1BNabb5LIY9D8_hXEpZZtVtdlnAv1EO6D4K2dDkpsAkBh2WDf8GL4hWIj5VuW4H1-gHaEJNljK5HzthENJBatcA?testcase_id=6645639570259968

Issue manually filed by: nyerramilli

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
 
Cc: nyerramilli@chromium.org brucedaw...@chromium.org
Components: Tools>Test>FindIt>WrongResult Internals>Plugins>PDF
Labels: findit-wrong Te-Logged
Owner: dsinclair@chromium.org
Status: Assigned (was: Untriaged)
Providing Findit results for internal purpose:
Suspected CLs: Git blame below is NOT necessarily who introduced the crash nor the owner for it. Please check the code before assigning to anyone. (No CL in the regression range changed the crashing files.)

Author: Dan Sinclair
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/764ec513eecbebd12781bcc96ce81ed5e736ee92
Time: Mon Mar 14 13:35:12 2016 -0400
The CL last changed line 183 of file JBig2_Image.cpp, which is stack frame 1.

Author: Dan Sinclair
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/764ec513eecbebd12781bcc96ce81ed5e736ee92
Time: Mon Mar 14 13:35:12 2016 -0400
The CL last changed line 546 of file JBig2_SddProc.cpp, which is stack frame 2.

Author: Dan Sinclair
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/764ec513eecbebd12781bcc96ce81ed5e736ee92
Time: Mon Mar 14 13:35:12 2016 -0400
The CL last changed line 614 of file JBig2_Context.cpp, which is stack frame 3.

Author: Dan Sinclair
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/764ec513eecbebd12781bcc96ce81ed5e736ee92
Time: Mon Mar 14 13:35:12 2016 -0400
The CL last changed line 339 of file JBig2_Context.cpp, which is stack frame 4.

Author: Dan Sinclair
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/764ec513eecbebd12781bcc96ce81ed5e736ee92
Time: Mon Mar 14 13:35:12 2016 -0400
The CL last changed line 330 of file JBig2_Context.cpp, which is stack frame 5.

Author: Dan Sinclair
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/764ec513eecbebd12781bcc96ce81ed5e736ee92
Time: Mon Mar 14 13:35:12 2016 -0400
The CL last changed line 86 of file JBig2_Context.cpp, which is stack frame 6.

Author: Dan Sinclair
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/764ec513eecbebd12781bcc96ce81ed5e736ee92
Time: Mon Mar 14 13:35:12 2016 -0400
The CL last changed line 189 of file JBig2_Context.cpp, which is stack frame 7.

Suspected Project: chromium-pdfium

requesting pdfium team to check the issue.
Cc: kcwu@chromium.org
It looks like the code fails to cleanup the SDNEWSYMS array correctly. In jBig2_SddProc.cpp we allocate a number of BHC->subImage's and put them into SDNEWSYMS.

In this case we create 20 subimages. We then set EXFLAGS to true for images 0-1, 11-19.

We then either add the image to pDict or free it. But we only free it if EXFLAGS is not true. So, we fail to free the 11 subimages we'd set EXFLAGS to true for.

I don't know what EXFLAGS means, or why we'd set it for those particular images.
Status: Started (was: Assigned)
Cc: -brucedaw...@chromium.org tsepez@chromium.org
Many of the VARIABLENAMES are directly from the JBIG2 spec, which describes the procedures PDFium implements. As with many specs, the spec does not deal with the corner cases.
Isn't SDNUMEXSYMS assigned on line 450 of JBig2_Context.cpp?

Comment 9 by kcwu@chromium.org, Oct 12 2016

Ah, you are right.

Comment 10 by bugdroid1@chromium.org, Oct 13 2016

The following revision refers to this bug:
  https://pdfium.googlesource.com/pdfium.git/+/6e5239c6e3891d78e7b9e8262c23cd129f0cdbb7

commit 6e5239c6e3891d78e7b9e8262c23cd129f0cdbb7
Author: dsinclair <dsinclair@chromium.org>
Date: Thu Oct 13 14:54:09 2016

Verify number of ex flags matches number of ex items.

Currently the JBig2 decoder can leak subimages in the case where we mark
more items in EXFLAGS than we have SDNUMEXSYMS. This CL checks for this
condition and fails the decode if it happens.

BUG= chromium:654365 

Review-Url: https://codereview.chromium.org/2419553002

[modify] https://crrev.com/6e5239c6e3891d78e7b9e8262c23cd129f0cdbb7/core/fxcodec/jbig2/JBig2_SddProc.cpp
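
A constructed C++ sketch of the export-flag step the two comments above describe (the leak analysis and the fix commit). This is added here for illustration and is not pdfium's code: `Image`, `ExpandExFlags`, `ExportLeaky`, `ExportChecked`, the run lengths `{0, 2, 9, 9}` and the SDNUMEXSYMS values fed to it are all assumptions chosen to reproduce the bug's numbers (20 new symbols, EXFLAGS set on 0-1 and 11-19). The run-length expansion follows the JBIG2 export-flags procedure (spec 6.5.10) with the decoded EXRUNLENGTH values supplied directly instead of coming from the Huffman/arithmetic decoder. The "leaky" function mirrors the shape the bug report gives (free only when not exported, store only while SDNUMEXSYMS slots remain); the "checked" function applies the count check from the fix and, as this example's own choice rather than pdfium's, holds the symbols in `unique_ptr` so nothing can be dropped on either return path.

```cpp
#include <cstdint>
#include <memory>
#include <utility>
#include <vector>

// Stand-in for CJBig2_Image (constructed for this example): a live-instance
// counter makes a leak observable without ASan.
struct Image {
  static int live;
  Image() { ++live; }
  ~Image() { --live; }
};
int Image::live = 0;

// Expand EXRUNLENGTH values into one EXFLAGS entry per symbol (JBIG2 6.5.10,
// step 2): runs alternate non-export / export, beginning with non-export.
// The run values stand in for what the Huffman/arithmetic decoder would
// produce. Fails if the runs do not cover exactly `total` symbols.
static bool ExpandExFlags(const std::vector<uint32_t>& runs, uint32_t total,
                          std::vector<bool>& exflags) {
  exflags.assign(total, false);
  uint32_t index = 0;
  bool cur = false;
  for (uint32_t run : runs) {
    if (run > total - index) return false;  // run overshoots the symbol table
    for (uint32_t k = 0; k < run; ++k) exflags[index + k] = cur;
    index += run;
    cur = !cur;
  }
  return index == total;
}

// Leaky shape described in the bug: a symbol is deleted only when it is NOT
// exported, but it is handed to the dictionary only while there is still room
// among the SDNUMEXSYMS export slots. A flagged symbol past that count is
// neither stored nor freed.
static void ExportLeaky(std::vector<Image*>& newsyms,
                        const std::vector<bool>& exflags,
                        uint32_t sdnumexsyms, std::vector<Image*>& dict) {
  uint32_t exported = 0;
  for (size_t i = 0; i < newsyms.size(); ++i) {
    if (exflags[i]) {
      if (exported < sdnumexsyms) {
        dict.push_back(newsyms[i]);
        ++exported;
      }  // else: pointer is dropped on the floor -> Direct-leak
    } else {
      delete newsyms[i];
    }
    newsyms[i] = nullptr;
  }
}

// Checked shape: count the flags first and refuse to decode when they do not
// match SDNUMEXSYMS (the condition the fix tests for). Ownership sits in
// unique_ptr (this example's choice), so every symbol not moved into the
// dictionary is released on every return path, including the failure path.
static bool ExportChecked(std::vector<std::unique_ptr<Image>> newsyms,
                          const std::vector<bool>& exflags,
                          uint32_t sdnumexsyms,
                          std::vector<std::unique_ptr<Image>>& dict) {
  uint32_t flagged = 0;
  for (bool f : exflags) flagged += f ? 1u : 0u;
  if (flagged != sdnumexsyms) return false;  // decode fails; newsyms freed here
  for (size_t i = 0; i < newsyms.size(); ++i)
    if (exflags[i]) dict.push_back(std::move(newsyms[i]));
  return true;  // unexported symbols freed as newsyms goes out of scope
}

// Constructed scenario from the bug: 20 new symbols with EXFLAGS set on 0-1 and
// 11-19, i.e. runs {0 non-export, 2 export, 9 non-export, 9 export}: 11 flagged.
static const uint32_t kNumNewSyms = 20;
static const std::vector<uint32_t> kRuns = {0, 2, 9, 9};

// Runs the leaky path with the given SDNUMEXSYMS and returns how many Image
// objects are still alive after the dictionary releases what it received.
int LiveAfterLeakyDecode(uint32_t sdnumexsyms) {
  Image::live = 0;
  std::vector<bool> exflags;
  if (!ExpandExFlags(kRuns, kNumNewSyms, exflags)) return -1;
  std::vector<Image*> newsyms;
  for (uint32_t i = 0; i < kNumNewSyms; ++i) newsyms.push_back(new Image());
  std::vector<Image*> dict;
  ExportLeaky(newsyms, exflags, sdnumexsyms, dict);
  for (Image* p : dict) delete p;
  return Image::live;  // > 0 means leaked
}

// Same scenario through the checked path; reports whether the decode was
// accepted and how many Image objects remain alive afterwards.
int LiveAfterCheckedDecode(uint32_t sdnumexsyms, bool* accepted) {
  Image::live = 0;
  std::vector<bool> exflags;
  if (!ExpandExFlags(kRuns, kNumNewSyms, exflags)) return -1;
  std::vector<std::unique_ptr<Image>> newsyms;
  for (uint32_t i = 0; i < kNumNewSyms; ++i)
    newsyms.push_back(std::unique_ptr<Image>(new Image()));
  std::vector<std::unique_ptr<Image>> dict;
  *accepted = ExportChecked(std::move(newsyms), exflags, sdnumexsyms, dict);
  dict.clear();
  return Image::live;
}
```

With SDNUMEXSYMS = 0 the leaky path leaves all 11 flagged symbols alive, matching the 11 leaked subimages in the analysis above; with SDNUMEXSYMS = 5 it leaves 6. The checked path rejects both inputs and leaves nothing alive, and accepts SDNUMEXSYMS = 11 with nothing leaked either way.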

Status: Fixed (was: Started)

Comment 12 by bugdroid1@chromium.org, Oct 13 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/7f9206f34e7fba79d9b5ba24647f32e5c0431cfa

commit 7f9206f34e7fba79d9b5ba24647f32e5c0431cfa
Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org>
Date: Thu Oct 13 15:56:21 2016

Roll src/third_party/pdfium/ f2b940ce2..6e5239c6e (2 commits).

https://pdfium.googlesource.com/pdfium.git/+log/f2b940ce281a..6e5239c6e389

$ git log f2b940ce2..6e5239c6e --date=short --no-merges --format='%ad %ae %s'
2016-10-13 dsinclair Verify number of ex flags matches number of ex items.
2016-10-13 dsinclair Cleanup CPDFXFA_App methods

BUG= 654365 

TBR=dsinclair@chromium.org

Review-Url: https://codereview.chromium.org/2416933002
Cr-Commit-Position: refs/heads/master@{#425047}

[modify] https://crrev.com/7f9206f34e7fba79d9b5ba24647f32e5c0431cfa/DEPS

Components: -Tools>Test>FindIt>WrongResult
Labels: Test-Predator-Wrong

Comment 14 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot