Use-of-uninitialized-value in CFX_WideString::ReleaseBuffer
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6416773529468928
Fuzzer: ifratric_acrojs
Job Type: linux_msan_pdfium
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  CFX_WideString::ReleaseBuffer
  CFX_WideString::FormatV
  CFX_WideString::Format
Sanitizer: memory (MSAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=linux_msan_pdfium&range=459701:459786
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv97HcFcuk0dDCi03jUBHZvYLpU53EUB2vUfrnK02u6-SoLRSpIt2I4wSKf-8IeAanUKsJnHJymOplweN19UZCR-8Yup0VBj1qEUgsY6LIZmxYTTpy5QkRTCw2mQaILzP771cXzU9Px1rh6hOVQfQnfo1Nqj_7FLaZUVUuC6JZsjV0O08dpqjBLhnqUg5HrnPA2BkXz5jNLr427BtX2n4D5FXnnt3_QmsgOVwBBxTO4amNOYKIBWuk0HLkSzsEuAPcsLea8fQp8FRDswISBau0i4Cez-mn0o_zXal7tmTIStGS2lO1gd8-vrjStAzbvLjb8DJwBaY5gn9S0bfTm9Lh7bZ0l0VH4BgqPHs1oaO7pV_Y4dTfpsyPC2xDYHNZDD0thJSEPT9gFMOOTUUHXX0X-ynS7MJOw?testcase_id=6416773529468928

Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Mar 28 2017
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Mar 29 2017
palmer@, I wonder if you can take a look at this crash as it might be introduced by this line https://pdfium-review.googlesource.com/c/3097/6/core/fxcrt/cfx_string_data_template.h#38 Thank you!
Mar 29 2017
There's a memset(0) implied in some of the old FX_Allocs(), which we shouldn't have needed; time to look for what might be touching it.
Mar 29 2017
Marty - would you please double-check that msan provides an interceptor for vswprintf()? This should have written the bytes in question.
Mar 29 2017
Ok, msan code is something like:

    INTERCEPTOR(int, vswprintf, void *str, uptr size, void *format, va_list ap) {
      ENSURE_MSAN_INITED();
      int res = REAL(vswprintf)(str, size, format, ap);
      // Only a non-negative result marks the output as initialized
      // (4 == sizeof(wchar_t) on Linux); whatever vswprintf() wrote
      // before returning -1 stays poisoned.
      if (res >= 0) {
        __msan_unpoison(str, 4 * (res + 1));
      }
      return res;
    }

but vswprintf will return -1 on out of space even after copying the N-1 chars.
At which point, there is no way to tell if we ran out of space vs. other error AFAIK.
Mar 29 2017
It doesn't seem to be documented, but is there any chance errno is set to ENOMEM in the case of OOM?
Mar 29 2017
No, we're in a corner for which there is no escape as far as I can tell. The safe thing is just to pre-zero it before the call to vswprintf(), since it isn't a common occurrence vs the ordinary string ops.
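Worked illustration of the corner described in the two comments above (the msan interceptor unpoisoning only on a non-negative result, and the suggestion to pre-zero the buffer before calling vswprintf()). This is an added example, not code from this bug thread or from pdfium; the function names format_wide() and vswprintf_truncation_is_negative() are assumptions made for the example, and the grow-and-retry-with-zeroed-buffer strategy follows the "pre-zero it before the call" suggestion rather than pdfium's actual patch. Any initial capacity that is too small serves the demonstration; 8 wide characters is a constructed value.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* C99 7.24.2.7: vswprintf()/swprintf() return a negative value both when an
 * encoding error occurred and when n or more wide characters were requested,
 * so the caller cannot tell "buffer too small" from "bad input". Unlike
 * vsnprintf(), it never reports the length that would have been needed. */
bool vswprintf_truncation_is_negative(void) {
  wchar_t small[8] = {0};
  /* Ten characters plus the terminator need 11 slots; only 8 are available. */
  int res = swprintf(small, sizeof small / sizeof small[0], L"%ls", L"0123456789");
  return res < 0;
}

/* Format into a growing buffer that is zero-filled before every attempt.
 * Because the memory comes from calloc(), it is initialized whether or not
 * vswprintf() succeeds, so a wcslen() or similar scan in ReleaseBuffer()-style
 * code after a failed (-1) attempt never touches uninitialized bytes and MSAN
 * has nothing to report. Returns a malloc'd string the caller frees, or NULL.
 * Assumption for the example: a fixed upper bound on retries stands in for
 * whatever limit a real string class would enforce. */
wchar_t *format_wide(const wchar_t *fmt, ...) {
  size_t cap = 8; /* deliberately small so the first attempt truncates */
  for (int attempt = 0; attempt < 16; ++attempt) {
    wchar_t *buf = calloc(cap, sizeof(wchar_t));
    if (!buf) return NULL;

    va_list ap;
    va_start(ap, fmt);
    int res = vswprintf(buf, cap, fmt, ap);
    va_end(ap);

    if (res >= 0 && (size_t)res < cap) return buf; /* fits, including NUL */

    /* -1: either truncation or a genuine encoding error; we cannot tell
     * which, so grow and retry until the bound is hit. */
    free(buf);
    cap *= 2;
  }
  return NULL; /* persistent failure: treat as an encoding error */
}

int main(void) {
  wchar_t *s = format_wide(L"value=%d name=%ls", 12345, L"pdfium");
  if (!s) return 1;
  wprintf(L"%ls (truncation negative: %d)\n", s,
          (int)vswprintf_truncation_is_negative());
  free(s);
  return 0;
}
```

The cost of this approach is that a real encoding error is retried until the bound is exhausted, which is the price of vswprintf() not distinguishing the two failures; zeroing each attempt's buffer is what keeps the failure path free of uninitialized reads.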
Mar 30 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/b443952729c145d91777734b31a4e83ca2ba8ef7

commit b443952729c145d91777734b31a4e83ca2ba8ef7
Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org>
Date: Thu Mar 30 05:07:50 2017

Roll src/third_party/pdfium/ 9ad342b60..75b11e43c (12 commits)

https://pdfium.googlesource.com/pdfium.git/+log/9ad342b60490..75b11e43c284

$ git log 9ad342b60..75b11e43c --date=short --no-merges --format='%ad %ae %s'
2017-03-29 thestig Erase unused freetype files.
2017-03-29 tsepez Account for character size in last CFX_WideString patch.
2017-03-29 rbpotter Quick fix for blank preview
2017-03-29 tsepez Avoid guessing vsnprintf() buffer length.
2017-03-29 dsinclair Move xfa/fxbarcode fxbarcode/
2017-03-29 dsinclair Remove fgas/localization directory
2017-03-29 npm Fix undefined shift in JBig2_SddProc
2017-03-29 dsinclair Rename fgas/localization files to match contents
2017-03-29 tsepez Fix MSAN uninitialized value report.
2017-03-29 dsinclair Rename CFX_Unitime to CFX_DateTime
2017-03-29 dsinclair Split xfa_object.h apart.
2017-03-29 npm Do more checks before big allocs in TIFFReadDirEntryArray

Created with: roll-dep src/third_party/pdfium

BUG=701057,705912

Documentation for the AutoRoller is here: https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, see: http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls

TBR=dsinclair@chromium.org
Review-Url: https://codereview.chromium.org/2786863002
Cr-Commit-Position: refs/heads/master@{#460668}

[modify] https://crrev.com/b443952729c145d91777734b31a4e83ca2ba8ef7/DEPS
Mar 30 2017
ClusterFuzz has detected this issue as fixed in range 460664:460672.

Detailed report: https://clusterfuzz.com/testcase?key=6416773529468928
Fuzzer: ifratric_acrojs
Job Type: linux_msan_pdfium
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  CFX_WideString::ReleaseBuffer
  CFX_WideString::FormatV
  CFX_WideString::Format
Sanitizer: memory (MSAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=linux_msan_pdfium&range=459701:459786
Fixed: https://clusterfuzz.com/revisions?job=linux_msan_pdfium&range=460664:460672
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv97HcFcuk0dDCi03jUBHZvYLpU53EUB2vUfrnK02u6-SoLRSpIt2I4wSKf-8IeAanUKsJnHJymOplweN19UZCR-8Yup0VBj1qEUgsY6LIZmxYTTpy5QkRTCw2mQaILzP771cXzU9Px1rh6hOVQfQnfo1Nqj_7FLaZUVUuC6JZsjV0O08dpqjBLhnqUg5HrnPA2BkXz5jNLr427BtX2n4D5FXnnt3_QmsgOVwBBxTO4amNOYKIBWuk0HLkSzsEuAPcsLea8fQp8FRDswISBau0i4Cez-mn0o_zXal7tmTIStGS2lO1gd8-vrjStAzbvLjb8DJwBaY5gn9S0bfTm9Lh7bZ0l0VH4BgqPHs1oaO7pV_Y4dTfpsyPC2xDYHNZDD0thJSEPT9gFMOOTUUHXX0X-ynS7MJOw?testcase_id=6416773529468928

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 6 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot