
Issue 681311


Issue metadata

Status: Fixed
Owner:
Closed: Mar 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug

Blocking:
issue 62400




Out-of-memory in pdf_codec_tiff_fuzzer

Project Member Reported by ClusterFuzz, Jan 14 2017

Issue description

Components: Internals>Plugins>PDF
Labels: Test-Predator-Wrong M-56
Owner: dsinclair@chromium.org
Status: Assigned (was: Untriaged)
As per issue 672178, assigning to dsinclair@. Could you please take a look?
Thank you.
Blocking: 62400
Labels: -M-56
TIFF is XFA code, XFA is not enabled for any branch of chrome.

Comment 3 by npm@chromium.org, Jan 19 2017

I looked at this a bit. It looks like libtiff is just allocating a lot of memory from TIFFReadDirEntryArray because |direntry| lies about its |tdir_count| and then we have:
*count=(uint32)direntry->tdir_count;
datasize=(*count)*typesize;
data=_TIFFCheckMalloc(tif, *count, typesize, "ReadDirEntryArray");

There is also a basic sanity check regarding the dimensions, and we don't want to be more strict with that. So not much we can do as far as I can tell.

Comment 5 by ClusterFuzz, Feb 28 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 6307227796504576 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 6 by npm@chromium.org, Mar 1 2017

Labels: -ClusterFuzz-Verified
Status: Assigned (was: Verified)
Owner: npm@chromium.org
This doesn't repro for me, npm@ can you give it a try.

Comment 8 by npm@chromium.org, Mar 28 2017

It reproduces for me. But the cause is a big malloc in libtiff[1]. WontFix or WDYT?

[1] https://cs.chromium.org/chromium/src/third_party/pdfium/third_party/libtiff/tif_dirread.c?type=cs&q=tif_dirread.c:793&l=793

Comment 9 by npm@chromium.org, Mar 28 2017

Status: Started (was: Assigned)

Comment 10 by bugdroid1@chromium.org, Mar 29 2017

The following revision refers to this bug:
  https://pdfium.googlesource.com/pdfium/+/47b8f070dc11308e0bef3a157f6c70fbcad4093a

commit 47b8f070dc11308e0bef3a157f6c70fbcad4093a
Author: Nicolas Pena <npm@chromium.org>
Date: Wed Mar 29 19:20:57 2017

Do more checks before big allocs in TIFFReadDirEntryArray

This CL fixes the only caller to TIFFReadDirEntryData with potentially large
size so that we avoid big mallocs when we know we will fail. It does this as
follows:
- Avoid the unnecessary computations if datasize is very small. We don't want
to be slower in this case.
- If !isMapped(tif), we will Seek and Read. Check that ending position is
reachable. In the other case, do a simple check for out of bounds.

Bug: chromium:681311
Change-Id: Ia172d8b4d401753b7c8d5455dc1ada5335f6fa6b
Reviewed-on: https://pdfium-review.googlesource.com/3253
Commit-Queue: Nicolás Peña <npm@chromium.org>
Reviewed-by: Lei Zhang <thestig@chromium.org>

[modify] https://crrev.com/47b8f070dc11308e0bef3a157f6c70fbcad4093a/third_party/libtiff/tif_dirread.c
[modify] https://crrev.com/47b8f070dc11308e0bef3a157f6c70fbcad4093a/third_party/libtiff/README.pdfium
[add] https://crrev.com/47b8f070dc11308e0bef3a157f6c70fbcad4093a/third_party/libtiff/0019-oom-TIFFReadDirEntryArray.patch
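The pre-allocation guard the commit message describes, as an added illustration rather than the commit's diff or libtiff's own code: a hypothetical dir_entry_t, entry_data_reachable and read_entry_array stand in for libtiff's direntry, the mapped-file bounds check and TIFFReadDirEntryArray, and the 4096-byte in-memory "file" with its two entries is constructed for the demo.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-in for the libtiff directory entry fields the thread
   names; tdir_count comes straight from the file and is untrusted. */
typedef struct {
    uint64_t tdir_count;   /* element count claimed by the file */
    uint64_t tdir_offset;  /* file offset of the out-of-line data */
} dir_entry_t;

/* The pre-allocation check the fix describes, for the mapped (in-memory) case:
   count*typesize must not overflow and [offset, offset+datasize) must lie
   inside the file. Returns 1 if the data is reachable, 0 otherwise. */
int entry_data_reachable(uint64_t file_size, const dir_entry_t *e, uint32_t typesize) {
    uint64_t datasize;
    if (typesize == 0 || e->tdir_count > UINT64_MAX / typesize)
        return 0;                       /* count * typesize would overflow */
    datasize = e->tdir_count * typesize;
    return e->tdir_offset <= file_size && datasize <= file_size - e->tdir_offset;
}

/* Allocate and copy the array only after the check, instead of handing the
   claimed count to the allocator first. NULL with *count = 0 on refusal. */
void *read_entry_array(const uint8_t *file, uint64_t file_size,
                       const dir_entry_t *e, uint32_t typesize, uint32_t *count) {
    size_t datasize;
    uint8_t *data;
    *count = 0;
    if (e->tdir_count > UINT32_MAX || !entry_data_reachable(file_size, e, typesize))
        return NULL;                    /* skip the big malloc we know would be wasted */
    datasize = (size_t)(e->tdir_count * typesize);
    data = malloc(datasize ? datasize : 1);
    if (data == NULL)
        return NULL;
    memcpy(data, file + e->tdir_offset, datasize);
    *count = (uint32_t)e->tdir_count;
    return data;
}
/* Constructed scenario: a 4096-byte "file", one honest entry and one claiming
   4 GiB. Returns 1 when the honest read succeeds and the liar is refused. */
int demo(void) {
    static uint8_t file[4096];
    dir_entry_t honest = { 100, 200 }, lying = { 0x40000000ULL, 200 };
    uint32_t n;
    void *p = read_entry_array(file, sizeof file, &honest, 4, &n);
    int ok = (p != NULL && n == 100);
    free(p);
    return ok && read_entry_array(file, sizeof file, &lying, 4, &n) == NULL && n == 0;
}
```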

Comment 11 by npm@chromium.org, Mar 29 2017

Status: Fixed (was: Started)
Upstream bug filed: http://bugzilla.maptools.org/show_bug.cgi?id=2675

Comment 12 by ClusterFuzz, Mar 30 2017


Comment 13 by bugdroid1@chromium.org, Jun 26 2017

The following revision refers to this bug:
  https://pdfium.googlesource.com/pdfium/+/cbe6d1662e2b76a343702fc77334f6e68b854427

commit cbe6d1662e2b76a343702fc77334f6e68b854427
Author: Nicolas Pena <npm@chromium.org>
Date: Mon Jun 26 19:22:32 2017

Add comment in libtiff patch

This CL adds a comment to point to the upstream bug of a patch fixing
an OOM. The fix is fine for us but not accepted upstream so it should
be ignored once upstream fixes the bug.

Bug: chromium:681311
Change-Id: I6986fb7c851e260e84f764449ff1ee46441e71b4
Reviewed-on: https://pdfium-review.googlesource.com/6953
Reviewed-by: dsinclair <dsinclair@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>

[modify] https://crrev.com/cbe6d1662e2b76a343702fc77334f6e68b854427/third_party/libtiff/README.pdfium
