Out-of-memory in pdf_fm2js_fuzzer

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6358066684755968

Fuzzer: libfuzzer_pdf_fm2js_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Out-of-memory (exceeds 2048 MB)
Crash Address:
Crash State:
  pdf_fm2js_fuzzer

Sanitizer: memory (MSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=395689:395794

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6358066684755968

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
May 12 2017

Predator and CL did not provide any possible suspects. As the fuzzer is "pdf_fm2js_fuzzer", assigning to the owner who worked on a similar fuzzer. @dsinclair -- Could you please look into the issue, and kindly re-assign if this is not related to your changes. Thank you.
May 15 2017
Repros for me with the following build config:

is_component_build = false
is_debug = false
is_msan = true
msan_track_origins = 2
use_prebuilt_instrumented_libraries = true
use_libfuzzer = true
pdf_enable_xfa = true

pdf_fm2js_fuzzer -rss_limit_mb=2048 $input
May 16 2017
The following revision refers to this bug:
https://pdfium.googlesource.com/pdfium/+/2eef64cba5c8e08a9e625f4aba5a7fbdc8e62bad

commit 2eef64cba5c8e08a9e625f4aba5a7fbdc8e62bad
Author: Dan Sinclair <dsinclair@chromium.org>
Date: Tue May 16 16:00:10 2017

Do not walk off end of formcalc string

The fm2js code takes a pointer to the input string and then walks along that pointer. There are currently no checks to verify we haven't walked off the end of the pointer into random memory. If this happens, we can end up allocating large chunks of memory and copying random bits.

BUG=chromium:721533
Change-Id: Ia61fe96c1ff9eb9ded63cf8326b7be44986bd9e1
Reviewed-on: https://pdfium-review.googlesource.com/5550
Commit-Queue: dsinclair <dsinclair@chromium.org>
Reviewed-by: Nicolás Peña <npm@chromium.org>
Reviewed-by: Lei Zhang <thestig@chromium.org>

[modify] https://crrev.com/2eef64cba5c8e08a9e625f4aba5a7fbdc8e62bad/xfa/fxfa/fm2js/xfa_lexer.cpp
[modify] https://crrev.com/2eef64cba5c8e08a9e625f4aba5a7fbdc8e62bad/xfa/fxfa/fm2js/xfa_error.h
[modify] https://crrev.com/2eef64cba5c8e08a9e625f4aba5a7fbdc8e62bad/xfa/fxfa/fm2js/xfa_error.cpp
[modify] https://crrev.com/2eef64cba5c8e08a9e625f4aba5a7fbdc8e62bad/xfa/fxfa/fm2js/xfa_lexer.h
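The commit message above describes the defect class: a lexer that walks a raw pointer with nothing tying the scan to the logical end of the input, so a non-terminated buffer lets it run into neighbouring memory, and the resulting length then sizes an allocation and a copy. The C++ below is an added illustration, not pdfium's code: the character classes, the Token type, the LexBounded lexer and the kBacking input are simplified assumptions constructed for this example. It contrasts the unbounded scan with one that carries an explicit end pointer and tests it before every dereference, then applies the bounded form to a small lexer that also handles the truncated-input case (an unterminated string literal) by emitting an error token at the end of the input rather than scanning on.

```cpp
#include <cstddef>
#include <cstdio>
#include <cwctype>
#include <string>
#include <vector>

// Simplified character classes for a FormCalc-like lexer (hypothetical; not
// pdfium's own tables).
static bool IsIdentStart(wchar_t c) { return std::iswalpha(c) || c == L'_'; }
static bool IsIdentChar(wchar_t c) { return std::iswalnum(c) || c == L'_'; }
static bool IsDigit(wchar_t c) { return c >= L'0' && c <= L'9'; }

// The pattern the commit message describes: walk a raw pointer and rely on a
// terminator or a non-identifier character to stop the scan. Nothing ties the
// scan to the logical end of the input, so a non-terminated buffer lets it
// continue into whatever memory follows, and the returned length then sizes
// an allocation and a copy of that memory.
size_t IdentLengthUnbounded(const wchar_t* p) {
  const wchar_t* q = p;
  while (IsIdentChar(*q)) ++q;
  return static_cast<size_t>(q - p);
}

// Hardened form: carry the end pointer and test it before every dereference.
size_t IdentLengthBounded(const wchar_t* p, const wchar_t* end) {
  const wchar_t* q = p;
  while (q < end && IsIdentChar(*q)) ++q;
  return static_cast<size_t>(q - p);
}

enum class TokenType { kIdentifier, kNumber, kString, kSymbol, kError };
struct Token {
  TokenType type;
  std::wstring text;
};

// Tokenizes exactly the range [begin, end). Every dereference is guarded by a
// bounds test, so a truncated input (here, an unterminated string literal)
// yields an error token at |end| instead of a scan past the input.
std::vector<Token> LexBounded(const wchar_t* begin, const wchar_t* end) {
  std::vector<Token> out;
  const wchar_t* p = begin;
  while (p < end) {
    if (std::iswspace(*p)) {
      ++p;
    } else if (IsIdentStart(*p)) {
      size_t n = IdentLengthBounded(p, end);
      out.push_back({TokenType::kIdentifier, std::wstring(p, n)});
      p += n;
    } else if (IsDigit(*p)) {
      const wchar_t* q = p;
      while (q < end && IsDigit(*q)) ++q;
      out.push_back({TokenType::kNumber, std::wstring(p, q)});
      p = q;
    } else if (*p == L'"') {
      const wchar_t* q = p + 1;
      while (q < end && *q != L'"') ++q;
      if (q == end) {
        out.push_back({TokenType::kError, L"unterminated string literal"});
        break;
      }
      out.push_back({TokenType::kString, std::wstring(p + 1, q)});
      p = q + 1;
    } else {
      out.push_back({TokenType::kSymbol, std::wstring(1, *p)});
      ++p;
    }
  }
  return out;
}

std::vector<Token> LexString(const std::wstring& s) {
  return LexBounded(s.data(), s.data() + s.size());
}

// Constructed demonstration input: the logical input is only the first
// kLogicalLen characters of a larger backing array, with no terminator at
// that boundary. In the real bug the bytes beyond the input were arbitrary
// process memory, which cannot be read safely here, so owned memory stands in.
static const wchar_t kBacking[] = L"sum1234567890abcdef";
static const size_t kLogicalLen = 3;  // the input is just "sum"

size_t DemoUnbounded() { return IdentLengthUnbounded(kBacking); }  // 19: overran
size_t DemoBounded() {
  return IdentLengthBounded(kBacking, kBacking + kLogicalLen);  // 3
}

int main() {
  std::printf("unbounded scan length: %zu\n", DemoUnbounded());
  std::printf("bounded scan length:   %zu\n", DemoBounded());
  std::vector<Token> toks = LexString(L"total = x1 + 42 \"open");
  std::printf("tokens: %zu (last is error: %d)\n", toks.size(),
              toks.back().type == TokenType::kError ? 1 : 0);
  return 0;
}
```

The design point is that the end pointer is part of the lexer's state and is consulted at every step, not only at token starts; with the unbounded form, the length of the overrun decides how much gets allocated and copied, which is exactly the out-of-memory the fuzzer reported.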
May 16 2017

May 17 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/5228a2833da014443b36abc4e1c15e035d5d4d69

commit 5228a2833da014443b36abc4e1c15e035d5d4d69
Author: pdfium-deps-roller@chromium.org <pdfium-deps-roller@chromium.org>
Date: Wed May 17 02:50:16 2017

Roll src/third_party/pdfium/ 58854942e..d3a3cc24a (5 commits)

https://pdfium.googlesource.com/pdfium.git/+log/58854942e06d..d3a3cc24a034

$ git log 58854942e..d3a3cc24a --date=short --no-merges --format='%ad %ae %s'
2017-05-16 thestig Handle when XFA parser error handlers cannot format error messages.
2017-05-16 dsinclair Add formcalc lexer tests.
2017-05-16 dsinclair Update formcalc return types
2017-05-16 dsinclair Do not walk off end of formcalc string
2017-05-16 dsinclair Minor xfa_lexer.cpp cleanup

Created with:
roll-dep src/third_party/pdfium

BUG=708428,721533

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, see:
http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls

TBR=dsinclair@chromium.org
Change-Id: I3fe337c83eaa5f58ee723b5111bc9dcc2b2adcd9
Reviewed-on: https://chromium-review.googlesource.com/506659
Reviewed-by: <pdfium-deps-roller@chromium.org>
Commit-Queue: <pdfium-deps-roller@chromium.org>
Cr-Commit-Position: refs/heads/master@{#472296}

[modify] https://crrev.com/5228a2833da014443b36abc4e1c15e035d5d4d69/DEPS
May 17 2017
ClusterFuzz has detected this issue as fixed in range 472279:472301.

Detailed report: https://clusterfuzz.com/testcase?key=6358066684755968

Fuzzer: libfuzzer_pdf_fm2js_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Out-of-memory (exceeds 2048 MB)
Crash Address:
Crash State:
  pdf_fm2js_fuzzer

Sanitizer: memory (MSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=395689:395794
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=472279:472301

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6358066684755968

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 (issue description above) by ClusterFuzz, May 11 2017