
Issue 655535

Issue metadata

Status: Verified
Closed: Mar 2017
OS: Linux
Pri: 2
Type: Bug


Undefined-shift in CJBig2_SDDProc::decode_Huffman

Project Member Reported by ClusterFuzz, Oct 13 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5247994566017024

Fuzzer: libfuzzer_pdf_codec_jbig2_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Undefined-shift
Crash Address: 
Crash State:
  CJBig2_SDDProc::decode_Huffman
  CJBig2_Context::parseSymbolDict
  CJBig2_Context::parseSegmentData
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=421422:421461

Minimized Testcase (0.03 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96sZWu8NXcAbiOksfNbuCkoxsFRgLgdjok1M0ycRHKpY_SIzIxI4EdSfcluov_s_X-2_2NUlcPZMRCTfwH4R4cOhtdY-wKcPCSTJcj-kWiMFxI-e_jFSSHqM5zCmgy2ikHUcgjkrgV_3mLFxKG4bEPsDsK7zg?testcase_id=5247994566017024

Issue manually filed by: nyerramilli

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
 
Cc: dsinclair@chromium.org nyerramilli@chromium.org
Components: Tools>Test>FindIt>WrongResult Internals>Plugins>PDF
Labels: findit-wrong Te-Logged
This might be a dupe of https://bugs.chromium.org/p/chromium/issues/detail?id=654365; dsinclair@, could you please check and help.

Providing Findit results for internal purposes:

Suspected CLs

Git blame below is NOT necessarily who introduced the crash nor the owner for it. Please check the code before assigning to anyone. (No CL in the regression range changed the crashing files.)

Author: Dan Sinclair
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/764ec513eecbebd12781bcc96ce81ed5e736ee92
Time: Mon Mar 14 13:35:12 2016 -0400
The CL last changed line 452 of file JBig2_SddProc.cpp, which is stack frame 0.

Author: Dan Sinclair
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/764ec513eecbebd12781bcc96ce81ed5e736ee92
Time: Mon Mar 14 13:35:12 2016 -0400
The CL last changed line 614 of file JBig2_Context.cpp, which is stack frame 1.

Author: Dan Sinclair
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/764ec513eecbebd12781bcc96ce81ed5e736ee92
Time: Mon Mar 14 13:35:12 2016 -0400
The CL last changed line 330 of file JBig2_Context.cpp, which is stack frame 2.

Author: Dan Sinclair
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/764ec513eecbebd12781bcc96ce81ed5e736ee92
Time: Mon Mar 14 13:35:12 2016 -0400
The CL last changed line 86 of file JBig2_Context.cpp, which is stack frame 3.

Author: Dan Sinclair
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/764ec513eecbebd12781bcc96ce81ed5e736ee92
Time: Mon Mar 14 13:35:12 2016 -0400
The CL last changed line 189 of file JBig2_Context.cpp, which is stack frame 4.

Author: weili
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/e05957908d7bac3c5938a8c20d7e1b732e4f7e92
Time: Tue Jul 12 11:58:55 2016 -0700
The CL last changed line 70 of file fx_codec_jbig.cpp, which is stack frame 5.

Author: kcwu
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/ec7a9455c15b2cebb75a6036c8636beb601e543a
Time: Tue Sep 27 14:06:50 2016 -0700
The CL last changed line 41 of file pdf_codec_jbig2_fuzzer.cc, which is stack frame 6.

Suspected Project: chromium-pdfium


Owner: kcwu@chromium.org
Status: Assigned (was: Untriaged)
kcwu@ you've looked into the JBig2 Huffman code, want to take a look? Feel free to assign to me if not.

Comment 3 by kcwu@chromium.org, Oct 15 2016

Cc: -dsinclair@chromium.org kcwu@chromium.org
Owner: dsinclair@chromium.org
Looks like CJBig2_SDDProc::decode_Huffman is buggy for decoding case REFAGGNINST == 1.

https://cs.chromium.org/chromium/src/third_party/pdfium/core/fxcodec/jbig2/JBig2_SddProc.cpp?q=JBig2_SddProc.cpp&sq=package:chromium&dr&l=465

First, look at this code
            for (IDI = 0; IDI < SBNUMSYMS; IDI++) {
              if ((nVal == SBSYMCODES[IDI].code) &&
                  (nBits == SBSYMCODES[IDI].codelen)) {
                break;
              }
            }
nBits is always 0 (forgot to increase in the loop?)
SBSYMCODES[*].codelen = SBSYMCODELEN, which is always >= 1.
So the conditions inside this loop are never met.

Assign back to dsinclair.
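Added example, not pdfium's code and not from any commenter in this thread: a bounded version of the (nVal, nBits) matching loop quoted in comment 3, written in C++ so the failure mode is concrete. The `SymCode` struct, the `BitReader`, and the sample code table and byte streams are constructed for this example and are assumptions; pdfium's own tables and bit reader differ. It shows the two properties the quoted loop lacks: the bit count advances on every bit read, and the search stops after the longest code length in the table, so the accumulator is never shifted more times than its width allows (an unterminated loop that keeps shifting is the kind of left shift an undefined-shift sanitizer report flags) and a bit pattern matching no code fails cleanly instead of spinning.

```cpp
// Bounded prefix-code symbol lookup (constructed example, not pdfium code).
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Shape of a (code, codelen) table entry; name is an assumption for this example.
struct SymCode {
  uint32_t code;
  uint32_t codelen;  // 0 marks an unused entry; it can never match (nBits >= 1)
};

// Minimal MSB-first bit reader over a byte buffer (constructed helper).
class BitReader {
 public:
  explicit BitReader(const std::vector<uint8_t>& buf) : buf_(buf) {}
  // Returns the next bit (0 or 1), or -1 when the data is exhausted.
  int read1() {
    if (bytePos_ >= buf_.size()) return -1;
    int bit = (buf_[bytePos_] >> (7 - bitPos_)) & 1;
    if (++bitPos_ == 8) { bitPos_ = 0; ++bytePos_; }
    return bit;
  }
 private:
  const std::vector<uint8_t>& buf_;
  size_t bytePos_ = 0;
  unsigned bitPos_ = 0;
};

// Longest code length in the table; this bounds how many bits one lookup may consume.
uint32_t MaxCodeLen(const std::vector<SymCode>& codes) {
  uint32_t m = 0;
  for (const SymCode& c : codes) if (c.codelen > m) m = c.codelen;
  return m;
}

// Reads bits one at a time until (nVal, nBits) equals some table entry.
// Stores the matching index in *index and returns true; returns false when the
// table is malformed, the data runs out, or maxLen bits match nothing.
bool DecodeSymbolId(BitReader& reader, const std::vector<SymCode>& codes, size_t* index) {
  const uint32_t maxLen = MaxCodeLen(codes);
  if (maxLen == 0 || maxLen > 32) return false;  // nothing decodable / wider than nVal
  uint32_t nVal = 0;
  uint32_t nBits = 0;
  while (nBits < maxLen) {                       // bounded: at most maxLen shifts
    int bit = reader.read1();
    if (bit < 0) return false;                   // truncated input
    nVal = (nVal << 1) | static_cast<uint32_t>(bit);  // unsigned, count < 32: defined
    ++nBits;                                     // the increment the quoted loop lacks
    for (size_t i = 0; i < codes.size(); ++i) {
      if (nVal == codes[i].code && nBits == codes[i].codelen) {
        *index = i;
        return true;
      }
    }
  }
  return false;                                  // no code of any length matched
}

// Decodes up to `count` symbol ids from `buf`, stopping at the first failure.
std::vector<size_t> DecodeIds(const std::vector<uint8_t>& buf,
                              const std::vector<SymCode>& codes, size_t count) {
  BitReader reader(buf);
  std::vector<size_t> out;
  for (size_t i = 0; i < count; ++i) {
    size_t id = 0;
    if (!DecodeSymbolId(reader, codes, &id)) break;
    out.push_back(id);
  }
  return out;
}

// Constructed sample: a 4-symbol prefix code and a stream encoding ids 1, 2, 0, 3,
// followed by zero padding (each padding '0' decodes as id 0).
const std::vector<SymCode> kSampleCodes = {{0b0, 1}, {0b10, 2}, {0b110, 3}, {0b111, 3}};
const std::vector<uint8_t> kSampleStream = {0b10110011, 0b10000000};  // 10 110 0 111 0...

// Constructed sample of the fixed-length case (3 symbols at code length 3):
// the stream starts with 101, which is not assigned to any symbol.
const std::vector<SymCode> kFixedLenCodes = {{0b000, 3}, {0b001, 3}, {0b010, 3}};
const std::vector<uint8_t> kUnmatchedStream = {0b10100000};

int main() {
  for (size_t id : DecodeIds(kSampleStream, kSampleCodes, 4))
    std::printf("symbol id %zu\n", id);
  std::printf("unmatched stream decoded %zu ids\n",
              DecodeIds(kUnmatchedStream, kFixedLenCodes, 1).size());
  return 0;
}
```

The bound comes from the table itself rather than from a fixed constant, so a table whose longest code exceeds the accumulator width is rejected up front instead of being shifted past 32 bits at decode time.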

Components: -Tools>Test>FindIt>WrongResult
Labels: Test-Predator-Wrong

Comment 5 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 6 by ClusterFuzz, Mar 27 2017

ClusterFuzz has detected this issue as fixed in range 459701:459705.

Detailed report: https://clusterfuzz.com/testcase?key=5247994566017024

Fuzzer: libfuzzer_pdf_codec_jbig2_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Undefined-shift
Crash Address: 
Crash State:
  CJBig2_SDDProc::decode_Huffman
  CJBig2_Context::parseSymbolDict
  CJBig2_Context::parseSegmentData
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=421422:421461
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=459701:459705

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv95VomaqLrGi1ewTdzeX1vaxFRZXK85PUKc0QvSy8UR0Mtv3Inqq5ZMSNGzCUh5Ym6AUUsozRdaN2PWOrNJeb2T9HgzLChRDG2Ta6X2gg8FZ4_NYBnlTevmwbYXo7Qt-gb0dzAKNdrnpQVV5tFW9oQdG9sYm73eUutc18-J9M891AuDSAWp-HaxSFalUha1vJ5A59szw8B8vm67-zEutijDeLlLe4YGILvaTptBcJSQefJ4LjTOEwGv3Ysh9d8CK8ySDYa3EzNmnL03N1br77e4QCsEU1UNeVmaQc6yYyROCH2IlHNIt9egUmto3eqblMI3bIcxpjkW6wb7LycUDrWmp0kaStzk5yCRQEy-74wtgktSjU5k?testcase_id=5247994566017024


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 7 by ClusterFuzz, Mar 27 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5247994566017024 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 8 by npm@chromium.org, Mar 27 2017

Labels: ClusterFuzz-Wrong
Status: Assigned (was: Verified)
Ubsan seems to just be crashing?
Cc: dsinclair@chromium.org
Owner: npm@chromium.org
Can't seem to repro this; npm@, can you give it a try?

Comment 10 by npm@chromium.org, Mar 28 2017

Able to reproduce now that it doesn't crash, waking up clusterfuzz

Comment 11 by ClusterFuzz, Mar 29 2017

ClusterFuzz has detected this issue as fixed in range 459701:459705.

Detailed report: https://clusterfuzz.com/testcase?key=5247994566017024

Fuzzer: libfuzzer_pdf_codec_jbig2_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Undefined-shift
Crash Address: 
Crash State:
  CJBig2_SDDProc::decode_Huffman
  CJBig2_Context::parseSymbolDict
  CJBig2_Context::parseSegmentData
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=421422:421461
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=459701:459705

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv95VomaqLrGi1ewTdzeX1vaxFRZXK85PUKc0QvSy8UR0Mtv3Inqq5ZMSNGzCUh5Ym6AUUsozRdaN2PWOrNJeb2T9HgzLChRDG2Ta6X2gg8FZ4_NYBnlTevmwbYXo7Qt-gb0dzAKNdrnpQVV5tFW9oQdG9sYm73eUutc18-J9M891AuDSAWp-HaxSFalUha1vJ5A59szw8B8vm67-zEutijDeLlLe4YGILvaTptBcJSQefJ4LjTOEwGv3Ysh9d8CK8ySDYa3EzNmnL03N1br77e4QCsEU1UNeVmaQc6yYyROCH2IlHNIt9egUmto3eqblMI3bIcxpjkW6wb7LycUDrWmp0kaStzk5yCRQEy-74wtgktSjU5k?testcase_id=5247994566017024


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 12 by npm@chromium.org, Mar 29 2017

Cc: ta...@google.com
Uhh still able to reproduce locally. What's up with clusterfuzz?

Comment 13 by ta...@google.com, Mar 29 2017

I just reproduced it locally as well on the current origin/master (as of now).

ClusterFuzz should create a new testcase. Are these testcases (https://clusterfuzz.com/v2/testcases?q=group%3A5600092376793088) related?

Comment 14 by ta...@google.com, Mar 29 2017

Ok, after redoing a fix (again), clusterfuzz just reopens the testcase.

Comment 15 by bugdroid1@chromium.org, Mar 29 2017

The following revision refers to this bug:
  https://pdfium.googlesource.com/pdfium/+/f761a3aa4a001736249e1d7c3dce3b9dc8436a8d

commit f761a3aa4a001736249e1d7c3dce3b9dc8436a8d
Author: Nicolas Pena <npm@chromium.org>
Date: Wed Mar 29 20:48:07 2017

Fix undefined shift in JBig2_SddProc

Bug: chromium:655535
Change-Id: I114a9447a9af107e6056e6056e7514ba789e282b
Reviewed-on: https://pdfium-review.googlesource.com/3294
Commit-Queue: Nicolás Peña <npm@chromium.org>
Commit-Queue: dsinclair <dsinclair@chromium.org>
Reviewed-by: dsinclair <dsinclair@chromium.org>

[modify] https://crrev.com/f761a3aa4a001736249e1d7c3dce3b9dc8436a8d/core/fxcodec/jbig2/JBig2_SddProc.cpp


Comment 16 by bugdroid1@chromium.org, Mar 30 2017

The following revision refers to this bug:
  https://pdfium.googlesource.com/pdfium/+/213f01205a77b293727cf77a30d7e912079def26

commit 213f01205a77b293727cf77a30d7e912079def26
Author: Nicolas Pena <npm@chromium.org>
Date: Thu Mar 30 14:38:58 2017

Use more unique_ptr and std::vector in JBig2_SddProc

- Used unique_ptr and vector to avoid FX_Free usage.
- Removed goto's.

Bug: chromium:655535
Change-Id: Iec17b9fd2432551bc41606f93837617d82085bf2
Reviewed-on: https://pdfium-review.googlesource.com/3290
Commit-Queue: Nicolás Peña <npm@chromium.org>
Reviewed-by: dsinclair <dsinclair@chromium.org>

[modify] https://crrev.com/213f01205a77b293727cf77a30d7e912079def26/core/fxcodec/jbig2/JBig2_SddProc.cpp
[modify] https://crrev.com/213f01205a77b293727cf77a30d7e912079def26/core/fxcodec/jbig2/JBig2_SddProc.h


Comment 17 by ClusterFuzz, Mar 31 2017

ClusterFuzz has detected this issue as fixed in range 460666:460680.

Detailed report: https://clusterfuzz.com/testcase?key=5247994566017024

Fuzzer: libfuzzer_pdf_codec_jbig2_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Undefined-shift
Crash Address: 
Crash State:
  CJBig2_SDDProc::decode_Huffman
  CJBig2_Context::parseSymbolDict
  CJBig2_Context::parseSegmentData
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=421422:421461
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=460666:460680

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv95VomaqLrGi1ewTdzeX1vaxFRZXK85PUKc0QvSy8UR0Mtv3Inqq5ZMSNGzCUh5Ym6AUUsozRdaN2PWOrNJeb2T9HgzLChRDG2Ta6X2gg8FZ4_NYBnlTevmwbYXo7Qt-gb0dzAKNdrnpQVV5tFW9oQdG9sYm73eUutc18-J9M891AuDSAWp-HaxSFalUha1vJ5A59szw8B8vm67-zEutijDeLlLe4YGILvaTptBcJSQefJ4LjTOEwGv3Ysh9d8CK8ySDYa3EzNmnL03N1br77e4QCsEU1UNeVmaQc6yYyROCH2IlHNIt9egUmto3eqblMI3bIcxpjkW6wb7LycUDrWmp0kaStzk5yCRQEy-74wtgktSjU5k?testcase_id=5247994566017024


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 18 by npm@chromium.org, Mar 31 2017

Status: Verified (was: Assigned)
Labels: -ClusterFuzz-Wrong
We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.
