This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

dsinclair@, you modified CFDE_CSSSyntaxParser::DoSyntaxParse() https://pdfium-review.googlesource.com/#/c/2217/ , although I don't know enough to tell if it's plausible that this caused the issue.

Could you look into whether it does, or recommend someone who can?

A friendly reminder that M57 Beta launch is coming soon on February 2nd! Your bug is labelled as Beta ReleaseBlock, pls make sure to land the fix and get it merged into the release branch (2987) ASAP so it gets enough baking time in Dev (before Beta promotion). Thank you!

This is XFA, XFA is not enabled on any branch of chrome.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f7df5a8d56df8bd055539f334976322142b3cec5

commit f7df5a8d56df8bd055539f334976322142b3cec5
Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org>
Date: Thu Jan 26 16:36:58 2017

Roll src/third_party/pdfium/ 5c1673db6..cff5618d4 (1 commit).

https://pdfium.googlesource.com/pdfium.git/+log/5c1673db6dea..cff5618d4e84

$ git log 5c1673db6..cff5618d4 --date=short --no-merges --format='%ad %ae %s'
2017-01-25 dsinclair Fix CSS fuzzer input size

BUG= 682551 

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, see:
http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls

TBR=dsinclair@chromium.org

Review-Url: https://codereview.chromium.org/2653223006
Cr-Commit-Position: refs/heads/master@{#446347}

[modify] https://crrev.com/f7df5a8d56df8bd055539f334976322142b3cec5/DEPS

ClusterFuzz has detected this issue as fixed in range 446320:446401.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5839342716321792

Fuzzer: libfuzzer_pdf_css_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Global-buffer-overflow READ 4
Crash Address: 0x0000021ab9e4
Crash State:
  CFDE_CSSTextBuf::GetChar
  CFDE_CSSSyntaxParser::DoSyntaxParse
  
Sanitizer: address (ASAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=444295:444490
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=446320:446401

Minimized Testcase (0.00 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97TGch8FckNUYYi7m8vGQuZigLfGhxPfyc3f3pbY-5jdQcPzCIydBpP3ZsjKzQafLgQwGjBYei_2ssppD5XsbBtM8L1uJQJS45PTBdS_Y3g497ul-Lt_yo0mOkpUmCau6ZbpyvphvRtOhdZxXeCRttkD9bCb7C9yTkh6SJUloE0IwtRaiHuxxsvRdWxAg_Rsy4PoffpuHquSGhS8eRInW98DFKZEfaMOnwyFXCpSdf2WTMTN7PoAUBT0uIjiX_-iARjJf-v-okf8tiXZX_Z5f1GFail-5Fq4Sjf_ilXHYGNFlHS7ucIjBUG1bgycF4Dc9rAuC5DDTWEyLXFxErbyNAifvw882SF0MGAXgpuiTNW5Pl34F4?testcase_id=5839342716321792

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 5839342716321792 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot