dsinclair: can you take a look please? Thanks!

XFA is not enabled in any branch of chromium.

Using ASAN with the test case shows a heap-buffer-overflow. We may want to sanitize that first.

https://pdfium-review.googlesource.com/c/2990/

The following revision refers to this bug:
  https://pdfium.googlesource.com/pdfium/+/6e0b25b9456871be5d2e6dcb418cc6daac04ff7a

commit 6e0b25b9456871be5d2e6dcb418cc6daac04ff7a
Author: Lei Zhang <thestig@chromium.org>
Date: Wed Mar 15 01:37:08 2017

Fix an integer underflow in the BMP decoder.

Make RLE error handling more consistent.

BUG= chromium:700576 

Change-Id: I37290ede666ba3e0a697d9d6eb209f869a07293d
Reviewed-on: https://pdfium-review.googlesource.com/2990
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>

[modify] https://crrev.com/6e0b25b9456871be5d2e6dcb418cc6daac04ff7a/core/fxcodec/lbmp/fx_bmp.cpp

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/17a0101f47569f80a539f7379b739134897f4842

commit 17a0101f47569f80a539f7379b739134897f4842
Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org>
Date: Wed Mar 15 03:51:33 2017

Roll src/third_party/pdfium/ 193e6ca5e..6e0b25b94 (2 commits)

https://pdfium.googlesource.com/pdfium.git/+log/193e6ca5e48e..6e0b25b94568

$ git log 193e6ca5e..6e0b25b94 --date=short --no-merges --format='%ad %ae %s'
2017-03-13 thestig Fix an integer underflow in the BMP decoder.
2017-03-14 dsinclair Replace FX_POSITION in GFGAS_FontMgr with bool

Created with:
  roll-dep src/third_party/pdfium
BUG= 700576 

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, see:
http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls

TBR=dsinclair@chromium.org

Review-Url: https://codereview.chromium.org/2747343002
Cr-Commit-Position: refs/heads/master@{#456983}

[modify] https://crrev.com/17a0101f47569f80a539f7379b739134897f4842/DEPS

ClusterFuzz has detected this issue as fixed in range 456940:456984.

Detailed report: https://clusterfuzz.com/testcase?key=5241195556241408

Fuzzer: libfuzzer_pdf_codec_bmp_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Bad-cast
Crash Address: 0x0000028afe80
Crash State:
  Bad-cast to CFX_DIBitmap from invalid vptr
  CCodec_ProgressiveDecoder::ReSampleScanline
  CCodec_ProgressiveDecoder::BmpReadScanline
  
Sanitizer: undefined (UBSAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=434175:434379
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=456940:456984

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv94HMZM3_gFWw8hO9rAB70Au353XWD3YAWfIOxEVsgc_NbYLzz5a1rDShHqgoZnY6R1zDOOFcY4NtMfCCgflV0CbBFpTg3LxnVwBnxexyF-EswqIL6l8IQzpw1ukarokStjP_r3nRQkoFdcBgvME9ibVNWEUz2_L00llHEmVlLWCyhyzlpCguJbFLtK9hHwXjASx3XDomaCzd2g_8SVF6mhGIDRFk1e_lIWn2qacBWmtouzrkJ9nj8saFKPQT93Oi0mSSSm5SDWRtOmZ2IBWQuPb6Qh3bJ0ew0hVRXMhogG_pQ_IqwbOb-Uxe5iMwkgLaSyPdGLOFVWA7SyUHtgWgzx0-7aRya6d_fbY8ZqeNwpZuQn8JC8?testcase_id=5241195556241408


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 5241195556241408 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

 Issue 697889  has been merged into this issue.

 Issue 700764  has been merged into this issue.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot