XFA is not enabled on any branch of Chrome.

This looks like a zlib bug rather than libtiff. So I'm postponing and hope that we can upgrade zlib to a newer version, since we don't have local patches for zlib yet.

zlib was updated and this still reproduces. Will look into it.

Since we don't have zlib patches yet, filed bug upstream for now:
https://github.com/madler/zlib/issues/245

FYI, if https://pdfium-review.googlesource.com/c/3350/ lands, then we can just patch one copy and get the fix in Chromium and PDFium.

My upstream issue was closed because I did not share the testcase and they said there was nothing wrong. How do we handle that?

zlib did a patch for this, but it did not fix it yet. Should the testcase be shared with them?

How do we get permission to share clusterfuzz tests? Do we need to cleanup the test case in some way (I'm guessing it's an image file so not sure what we can do there?)

Sorry for the delayed reply, didn't catch this. It seems reasonable to share the test case in this case. They won't have access to CF, but it's fine to download it and share it.

Ok, will share the testcase. They might not like it because it is libtiff and the problem is in zlib. If they do not respond I suppose we could patch our version in third_party/zlib/

Waiting on upstream.

Detailed report: https://clusterfuzz.com/testcase?key=5213622392586240

Fuzzer: pdf_codec_tiff_fuzzer
Job Type: libfuzzer_chrome_msan
Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  Cr_z_inflate
  PixarLogDecode
  _TIFFReadEncodedTileAndAllocBuffer
  
Sanitizer: memory (MSAN)

Recommended Security Severity: Medium

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5213622392586240


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

Detailed report: https://clusterfuzz.com/testcase?key=5213622392586240

Fuzzer: pdf_codec_tiff_fuzzer
Job Type: libfuzzer_chrome_msan
Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  Cr_z_inflate
  PixarLogDecode
  _TIFFReadEncodedTileAndAllocBuffer
  
Sanitizer: memory (MSAN)

Recommended Security Severity: Medium

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5213622392586240


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

Detailed report: https://clusterfuzz.com/testcase?key=5213622392586240

Fuzzer: pdf_codec_tiff_fuzzer
Job Type: libfuzzer_chrome_msan
Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  Cr_z_inflate
  PixarLogDecode
  _TIFFReadEncodedTileAndAllocBuffer
  
Sanitizer: memory (MSAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=398314:399191

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5213622392586240


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

Thanks for the triple report CF. I guess I'll patch our copy of zlib, upstream never got back to me.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/23af53e80e562441db3d061816468eeda17025a6

commit 23af53e80e562441db3d061816468eeda17025a6
Author: Nicolas Pena <npm@chromium.org>
Date: Tue Aug 08 17:33:32 2017

Zlib patch: prevent uninitialized use of state->check

This CL fixes a security bug in zlib. It was reported upstream long ago
and the testcase was shared upstream but it's yet unsolved. As a fix,
state->check is set to the same value as the adler32 of an empty string.

Upstream bug: https://github.com/madler/zlib/issues/245

Bug:  chromium:697481 
Change-Id: I916c33edd37a9d2957426d8428bd20d05294dafe
Reviewed-on: https://chromium-review.googlesource.com/601193
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Reviewed-by: Adam Langley <agl@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#492687}
[rename] https://crrev.com/23af53e80e562441db3d061816468eeda17025a6/third_party/zlib/0000-build.patch
[rename] https://crrev.com/23af53e80e562441db3d061816468eeda17025a6/third_party/zlib/0001-simd.patch
[add] https://crrev.com/23af53e80e562441db3d061816468eeda17025a6/third_party/zlib/0002-uninitializedcheck.patch
[modify] https://crrev.com/23af53e80e562441db3d061816468eeda17025a6/third_party/zlib/README.chromium
[modify] https://crrev.com/23af53e80e562441db3d061816468eeda17025a6/third_party/zlib/inflate.c

ClusterFuzz has detected this issue as fixed in range 492539:492735.

Detailed report: https://clusterfuzz.com/testcase?key=5213622392586240

Fuzzer: pdf_codec_tiff_fuzzer
Job Type: libfuzzer_chrome_msan
Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  Cr_z_inflate
  PixarLogDecode
  _TIFFReadEncodedTileAndAllocBuffer
  
Sanitizer: memory (MSAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=398314:399191
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=492539:492735

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5213622392586240


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 5213622392586240 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

The following revision refers to this bug:
  https://pdfium.googlesource.com/pdfium/+/b1a794a9a2e5fcb8d69665bd347b349fecfe4877

commit b1a794a9a2e5fcb8d69665bd347b349fecfe4877
Author: Nicolas Pena <npm@chromium.org>
Date: Fri Aug 11 21:07:35 2017

Roll zlib to 718f686

Bug:  chromium:697481 
Change-Id: I7ec0feb8f2012f3d17dfa55b2636f7331b400efe
Reviewed-on: https://pdfium-review.googlesource.com/10790
Reviewed-by: Nicolás Peña <npm@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>

[modify] https://crrev.com/b1a794a9a2e5fcb8d69665bd347b349fecfe4877/DEPS

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f4b484415281f09d0bbc0880f5d41dbdde96c209

commit f4b484415281f09d0bbc0880f5d41dbdde96c209
Author: Adenilson Cavalcanti <adenilson.cavalcanti@arm.com>
Date: Thu Aug 31 21:10:52 2017

Zlib patch: prevent uninitialized use of state->check

No need to call the Adler32 checksum function, just set the
struct field to the expected value.

Upstream bug: madler/zlib#245

Bug:  chromium:697481 
Change-Id: Ib972cc2507c8e7ca0b0b48464db33880ef960fb8
Reviewed-on: https://chromium-review.googlesource.com/644505
Commit-Queue: Adenilson Cavalcanti <cavalcantii@chromium.org>
Reviewed-by: Mike Klein <mtklein@chromium.org>
Cr-Commit-Position: refs/heads/master@{#498998}
[modify] https://crrev.com/f4b484415281f09d0bbc0880f5d41dbdde96c209/third_party/zlib/0002-uninitializedcheck.patch
[modify] https://crrev.com/f4b484415281f09d0bbc0880f5d41dbdde96c209/third_party/zlib/contrib/arm/inflate.c
[modify] https://crrev.com/f4b484415281f09d0bbc0880f5d41dbdde96c209/third_party/zlib/inflate.c

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4e96bed9f68c0d6ae106c1042a3041eafcf59b9a

commit 4e96bed9f68c0d6ae106c1042a3041eafcf59b9a
Author: Mike Klein <mtklein@chromium.org>
Date: Sat Sep 16 00:01:52 2017

Revert "Zlib patch: prevent uninitialized use of state->check"

This reverts commit f4b484415281f09d0bbc0880f5d41dbdde96c209.

Reason for revert: need to revert previous CL, which this depends on (because it added contrib/arm/inflate.c).

Original change's description:
> Zlib patch: prevent uninitialized use of state->check
> 
> No need to call the Adler32 checksum function, just set the
> struct field to the expected value.
> 
> Upstream bug: madler/zlib#245
> 
> Bug:  chromium:697481 
> Change-Id: Ib972cc2507c8e7ca0b0b48464db33880ef960fb8
> Reviewed-on: https://chromium-review.googlesource.com/644505
> Commit-Queue: Adenilson Cavalcanti <cavalcantii@chromium.org>
> Reviewed-by: Mike Klein <mtklein@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#498998}

TBR=scroggo@chromium.org,agl@chromium.org,cavalcantii@chromium.org,npm@chromium.org,cblume@chromium.org,mtklein@chromium.org,adenilson.cavalcanti@arm.com

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug:  chromium:697481 
Change-Id: I12c6ca6867d1d7e97c9f372f2d592ed75d51f093
Reviewed-on: https://chromium-review.googlesource.com/669480
Reviewed-by: Mike Klein <mtklein@chromium.org>
Commit-Queue: Mike Klein <mtklein@chromium.org>
Cr-Commit-Position: refs/heads/master@{#502449}
[modify] https://crrev.com/4e96bed9f68c0d6ae106c1042a3041eafcf59b9a/third_party/zlib/0002-uninitializedcheck.patch
[modify] https://crrev.com/4e96bed9f68c0d6ae106c1042a3041eafcf59b9a/third_party/zlib/contrib/arm/inflate.c
[modify] https://crrev.com/4e96bed9f68c0d6ae106c1042a3041eafcf59b9a/third_party/zlib/inflate.c

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/ee376c65abdd5afe787bfb63af9f2e82fdc35c2e

commit ee376c65abdd5afe787bfb63af9f2e82fdc35c2e
Author: Adenilson Cavalcanti <adenilson.cavalcanti@arm.com>
Date: Thu Sep 28 04:31:06 2017

Zlib patch: prevent uninitialized use of state->check

No need to call the Adler32 checksum function, just set
the struct field to the expected value.

Plus some cleanup in the README file (the idea is that this 
file won't be touched for new patches).

Upstream bug: madler/zlib#245

Bug:  697481 
Change-Id: Ic495c92c9ca1b5ab8a4d23a8ae29141f4617c091
Reviewed-on: https://chromium-review.googlesource.com/688501
Reviewed-by: Chris Blume <cblume@chromium.org>
Commit-Queue: Chris Blume <cblume@chromium.org>
Cr-Commit-Position: refs/heads/master@{#504897}
[modify] https://crrev.com/ee376c65abdd5afe787bfb63af9f2e82fdc35c2e/third_party/zlib/inflate.c
[modify] https://crrev.com/ee376c65abdd5afe787bfb63af9f2e82fdc35c2e/third_party/zlib/patches/0002-uninitializedcheck.patch
[modify] https://crrev.com/ee376c65abdd5afe787bfb63af9f2e82fdc35c2e/third_party/zlib/patches/README

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot