Bad-cast to CXFA_ContainerLayoutItem from CXFA_FFSubForm;CXFA_LayoutPageMgr::MergePageSetContents;CXFA_LayoutPageMgr::SyncLayoutData
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5460063748882432

Fuzzer: libfuzzer_pdfium_xfa_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Bad-cast
Crash Address: 0x0000055b1e50
Crash State:
  Bad-cast to CXFA_ContainerLayoutItem from CXFA_FFSubForm
  CXFA_LayoutPageMgr::MergePageSetContents
  CXFA_LayoutPageMgr::SyncLayoutData

Sanitizer: undefined (UBSAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=462191:462244

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5460063748882432

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

May 4 2017

May 8 2017
Code is downcasting to a class that is narrower than the object in question; however, all the members used in the code are from the actual object's superclass(es) and thus are present in the actual object. Hence severity low, as no stray accesses happen.
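The pattern behind this report, as an added example that is not pdfium's code: a kind-tagged layout-item hierarchy in which an unconditional static_cast (the bug pattern, flagged by UBSan's vptr check when the object is really a sibling type) sits beside a checked downcast that returns nullptr for a non-container. The class names, the Kind tag, the members and the tree-walk below are assumptions chosen to mirror the crash state, not pdfium's API.

```cpp
// Added example, not pdfium code. Hypothetical stand-ins for CXFA_LayoutItem,
// CXFA_ContainerLayoutItem and CXFA_FFSubForm; names and members are assumed.
#include <string>
#include <utility>
#include <vector>

class LayoutItem {
 public:
  enum class Kind { kContent, kContainer, kFormWidget };
  LayoutItem(Kind kind, std::string name) : kind_(kind), name_(std::move(name)) {}
  virtual ~LayoutItem() = default;
  Kind kind() const { return kind_; }
  const std::string& name() const { return name_; }
  LayoutItem* parent() const { return parent_; }
  void set_parent(LayoutItem* p) { parent_ = p; }

 private:
  Kind kind_;
  std::string name_;
  LayoutItem* parent_ = nullptr;
};

// The "wider" class: carries a member (children_) that the base lacks, so a
// bogus cast followed by children() would read past the real object.
class ContainerLayoutItem : public LayoutItem {
 public:
  explicit ContainerLayoutItem(std::string name)
      : LayoutItem(Kind::kContainer, std::move(name)) {}
  void AddChild(LayoutItem* child) {
    child->set_parent(this);
    children_.push_back(child);
  }
  const std::vector<LayoutItem*>& children() const { return children_; }

 private:
  std::vector<LayoutItem*> children_;
};

// Sibling type, standing in for CXFA_FFSubForm: not a container at all.
class FormWidget : public LayoutItem {
 public:
  explicit FormWidget(std::string name)
      : LayoutItem(Kind::kFormWidget, std::move(name)) {}
};

// Bug pattern: unconditional downcast. Undefined behaviour unless `item`
// really is a ContainerLayoutItem; clang's -fsanitize=vptr reports exactly
// this as "bad-cast". Never call it with a FormWidget.
ContainerLayoutItem* UncheckedAsContainer(LayoutItem* item) {
  return static_cast<ContainerLayoutItem*>(item);
}

// Fix pattern: consult the kind tag first (dynamic_cast would do the same
// job where RTTI is available) and hand back nullptr instead of a lying pointer.
ContainerLayoutItem* CheckedAsContainer(LayoutItem* item) {
  if (!item || item->kind() != LayoutItem::Kind::kContainer) return nullptr;
  return static_cast<ContainerLayoutItem*>(item);
}

// A merge-style walk over a flat list of items: only genuine containers
// contribute their children; a widget in the list is skipped, not cast.
int CountContainerChildren(const std::vector<LayoutItem*>& items) {
  int total = 0;
  for (LayoutItem* item : items) {
    if (ContainerLayoutItem* c = CheckedAsContainer(item))
      total += static_cast<int>(c->children().size());
  }
  return total;
}

// Constructed sample tree: one container with two fields, plus a loose widget
// that is not a container (the FFSubForm-cast-to-container situation).
int DemoCount() {
  ContainerLayoutItem page("page");
  FormWidget a("field1"), b("field2"), loose("subform");
  page.AddChild(&a);
  page.AddChild(&b);
  std::vector<LayoutItem*> items{&page, &loose};
  return CountContainerChildren(items);
}

// The checked cast refuses a widget but accepts a real container.
bool DemoCheckedCastDiscriminates() {
  FormWidget w("subform");
  ContainerLayoutItem c("page");
  return CheckedAsContainer(&w) == nullptr && CheckedAsContainer(&c) == &c;
}
```

Build the block with clang and `-fsanitize=undefined -frtti` and call UncheckedAsContainer on a FormWidget to see the same "bad-cast" diagnostic class ClusterFuzz raised here; the triage point above is that, in the real code, only base-class members were touched through the bad pointer, whereas accessing children() through it would have been an out-of-bounds read.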

May 10 2017
ClusterFuzz has detected this issue as fixed in range 470448:470475.

Detailed report: https://clusterfuzz.com/testcase?key=5460063748882432

Fuzzer: libfuzzer_pdfium_xfa_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Bad-cast
Crash Address: 0x0000055b1e50
Crash State:
  Bad-cast to CXFA_ContainerLayoutItem from CXFA_FFSubForm
  CXFA_LayoutPageMgr::MergePageSetContents
  CXFA_LayoutPageMgr::SyncLayoutData

Sanitizer: undefined (UBSAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=462191:462244
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=470448:470475

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5460063748882432

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

May 10 2017
ClusterFuzz testcase 5460063748882432 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

May 10 2017

Jun 16 2017
https://pdfium.googlesource.com/pdfium/+/6ee22ea9bba71054592fda2e3ed8d6f33045893e is the fix FTR. "Bug: 718498 " doesn't register correctly with Bugdroid.

Aug 16 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 1 by och...@chromium.org, May 4 2017
Owner: dsinclair@chromium.org
Status: Assigned (was: Untriaged)