And another.

May be related to  bug 736105 .

We may flip Skia off again in the near future.

This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

The skia path code has been disabled now. Removing release block label.

ClusterFuzz has detected this issue as fixed in range 481576:482713.

Detailed report: https://clusterfuzz.com/testcase?key=5391008601997312

Fuzzer: libFuzzer_pdfium_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x612000003dbc
Crash State:
  SkiaState::ClipRestore
  CFX_SkiaDeviceDriver::RestoreState
  CFX_RenderDevice::RestoreState
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=481514:481576
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=481576:482713

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5391008601997312


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 5391008601997312 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Skia Paths were disabled.

bug is in core/fxge/skia/fx_skia_device.cpp:

@@ -936,2 +1031,2 @@ class SkiaState {
-    if (m_commandIndex < count - 1) {
+    if (m_commandIndex < count) {

 Issue 736105  has been merged into this issue.

This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Feature triggering bug has been turned off; bug remains open to track fixing underlying bug.

This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Issue 737041 has been merged into this issue.

Users experienced this crash on the following builds:

Linux Dev 61.0.3141.7 -  1.06 CPM, 1 reports, 1 clients (signature SkiaState::SetClip)

If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates.

- Go/Fracas

This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This code has been disabled, removing RBS.

Fixed here: https://pdfium-review.googlesource.com/c/7276/

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot