
Issue 699340

Issue metadata

Status: Verified
Owner:
Closed: Mar 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug
59




start_pos >= 0

Project Member Reported by ClusterFuzz, Mar 8 2017

Issue description

Components: Internals>Plugins>PDF
Labels: 59 Test-Predator-Correct-CLs
Owner: kcwu@chromium.org
Status: Assigned (was: Untriaged)
Git blame below is NOT necessarily who introduced the crash nor the owner for it. Please check the code before assigning to anyone. (No CL in the regression range changed the crashing files.)

Author: kcwu
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/4dd613cb51c1d77ac2998f760325ed5b93f4ebf0
Time: Fri Sep 23 09:26:51 2016 -0700
The CL last changed line 49 of file fx_codec_fax.cpp, which is stack frame 9. 

Author: rbpotter
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/8d94b6687f27e1238f352939434704f75b330c1d
Time: Fri Jan 06 08:10:18 2017 -0800
The CL last changed line 89 of file fx_codec_fax.cpp, which is stack frame 10. 

Author: thestig
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/2ab466e3a59d845422e06e50bc38d4bf31ac1adf
Time: Mon Sep 26 16:14:28 2016 -0700
The CL last changed line 292 of file fx_codec_fax.cpp, which is stack frame 11.

=================
Currently it's impacting head.
Suspecting the below from above CL list.
Review-Url: https://codereview.chromium.org/2360283004
kcwu@: Could you please take a look into this.

Comment 2 by kcwu@chromium.org, Mar 8 2017

Cc: kcwu@chromium.org
Owner: dsinclair@chromium.org
I don't have time to help recently, reassign.

Cc: dsinclair@chromium.org
Owner: npm@chromium.org
npm@ can you take a look?

Comment 4 by bugdroid1@chromium.org, Mar 13 2017

The following revision refers to this bug:
  https://pdfium.googlesource.com/pdfium/+/8ba662443cd7bc3bdad1699cf014c2ecb432e453

commit 8ba662443cd7bc3bdad1699cf014c2ecb432e453
Author: Nicolas Pena <npm@chromium.org>
Date: Mon Mar 13 18:48:08 2017

Check run lengths in FaxG4GetRow

The spec says a1 is to the right of a0, a2 to the right of a1. I think that
means that the run lengths have to be positive, but that certainly means that
they cannot be negative.

BUG= chromium:699340 

Change-Id: Ic07a272e63610f7a66c5073179cdb2768f80e2b8
Reviewed-on: https://pdfium-review.googlesource.com/2963
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Reviewed-by: dsinclair <dsinclair@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>

[modify] https://crrev.com/8ba662443cd7bc3bdad1699cf014c2ecb432e453/core/fxcodec/codec/fx_codec_fax.cpp
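
Added example, not PDFium's code and not part of the commit above: a minimal C sketch of one horizontal-mode step in a G4-style row decoder, showing how a negative run length would put a1 to the left of a0 and hand a negative start position to the fill routine, and where a check rejects it. The names `g4_horizontal_step` and `fill_bits`, the convention that a negative run means "no valid code", and the clamping of long runs to the line width are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Set pixels [start, end) to black in a packed 1-bpp row (MSB first).
 * Precondition: 0 <= start and end <= columns. */
static void fill_bits(uint8_t *row, int start, int end) {
    for (int i = start; i < end; i++)
        row[i / 8] |= (uint8_t)(0x80 >> (i % 8));
}

/* One horizontal-mode step of a G4-style row decoder (illustrative).
 * run1/run2 are the two decoded run lengths; a negative value models a run
 * decoder reporting "no valid code" (assumption of this example).
 * *a0 is -1 at the start of a line (imaginary pixel left of column 0).
 * Returns false, leaving row and *a0 untouched, if a run is negative. */
bool g4_horizontal_step(uint8_t *row, int columns, int *a0, bool a0_white,
                        int run1, int run2) {
    if (run1 < 0 || run2 < 0)
        return false;               /* a1 left of a0, or a2 left of a1 */
    int start = *a0 < 0 ? 0 : *a0;
    if (start > columns)
        return false;
    /* Clamp without computing start + run, which could overflow int. */
    int a1 = run1 > columns - start ? columns : start + run1;
    int a2 = run2 > columns - a1 ? columns : a1 + run2;
    if (a0_white)
        fill_bits(row, a1, a2);     /* white run, then black run */
    else
        fill_bits(row, start, a1);  /* black run, then white run */
    *a0 = a2;
    return true;
}

int main(void) {
    uint8_t row[2] = {0, 0};        /* constructed 16-pixel line, all white */
    int a0 = -1;
    bool ok = g4_horizontal_step(row, 16, &a0, true, 3, 4);
    printf("valid step:   ok=%d a0=%d row=%02x %02x\n", ok, a0, row[0], row[1]);
    ok = g4_horizontal_step(row, 16, &a0, true, -1, 4);
    printf("negative run: ok=%d a0=%d row=%02x %02x\n", ok, a0, row[0], row[1]);
    return 0;
}
```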


Comment 5 by bugdroid1@chromium.org, Mar 13 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/ead4ab4ffb0784d727e827d901d708b38a1cefe1

commit ead4ab4ffb0784d727e827d901d708b38a1cefe1
Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org>
Date: Mon Mar 13 23:26:31 2017

Roll src/third_party/pdfium/ 9818dc150..4ca5ba4de (5 commits)

https://pdfium.googlesource.com/pdfium.git/+log/9818dc150132..4ca5ba4dec65

$ git log 9818dc150..4ca5ba4de --date=short --no-merges --format='%ad %ae %s'
2017-03-13 npm Fix boundary value negation in bmp_read_header
2017-03-13 dsinclair Add utf-8 flag to win build.
2017-03-10 thestig Make most PDFium code pass Clang plugin's auto raw check.
2017-03-13 npm Fix some nits in fx_codec_fax
2017-03-13 npm Check run lengths in FaxG4GetRow

Created with:
  roll-dep src/third_party/pdfium
BUG= 628559 , 699340 

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, see:
http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls

TBR=dsinclair@chromium.org

Review-Url: https://codereview.chromium.org/2749553004
Cr-Commit-Position: refs/heads/master@{#456539}

[modify] https://crrev.com/ead4ab4ffb0784d727e827d901d708b38a1cefe1/DEPS


Comment 7 by ClusterFuzz, Mar 14 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 4790989131874304 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
