thestig@: Can you PTAL or suggest a better owner?

Guessing https://pdfium.googlesource.com/pdfium/+/0811da801dd72e2e0af2d7b9d1e866162df2cee1

This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

XFA -> Not RBS.

This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

The following revision refers to this bug:
  https://pdfium.googlesource.com/pdfium/+/ddb9b7cdd19b63a81c4a094239e85f84acefaa17

commit ddb9b7cdd19b63a81c4a094239e85f84acefaa17
Author: Ryan Harrison <rharrison@chromium.org>
Date: Fri Aug 11 21:03:14 2017

Add checks of index operations on string classes

Specifically the index parameter passed in to GetAt(), SetAt() and
operator[] are now being tested to be in bounds.

BUG= chromium:752480 ,  pdfium:828 

Change-Id: I9e94d58c98a8eaaaae53cd0e3ffe2123ea17d8c4
Reviewed-on: https://pdfium-review.googlesource.com/10651
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>

[modify] https://crrev.com/ddb9b7cdd19b63a81c4a094239e85f84acefaa17/core/fxcrt/cfx_bytestring.cpp
[modify] https://crrev.com/ddb9b7cdd19b63a81c4a094239e85f84acefaa17/xfa/fxfa/fm2js/cxfa_fmexpression.cpp
[modify] https://crrev.com/ddb9b7cdd19b63a81c4a094239e85f84acefaa17/core/fpdfdoc/cpdf_variabletext.cpp
[modify] https://crrev.com/ddb9b7cdd19b63a81c4a094239e85f84acefaa17/core/fxcrt/cfx_widestring_unittest.cpp
[modify] https://crrev.com/ddb9b7cdd19b63a81c4a094239e85f84acefaa17/core/fxcrt/cfx_widestring.cpp
[modify] https://crrev.com/ddb9b7cdd19b63a81c4a094239e85f84acefaa17/core/fpdfapi/font/cpdf_cmapparser.cpp
[modify] https://crrev.com/ddb9b7cdd19b63a81c4a094239e85f84acefaa17/core/fxcrt/cfx_bytestring_unittest.cpp
[modify] https://crrev.com/ddb9b7cdd19b63a81c4a094239e85f84acefaa17/core/fxcrt/cfx_widestring.h
[modify] https://crrev.com/ddb9b7cdd19b63a81c4a094239e85f84acefaa17/core/fpdftext/cpdf_textpage.cpp
[modify] https://crrev.com/ddb9b7cdd19b63a81c4a094239e85f84acefaa17/fxbarcode/oned/BC_OnedCode128Writer.cpp
[modify] https://crrev.com/ddb9b7cdd19b63a81c4a094239e85f84acefaa17/core/fxcrt/cfx_bytestring.h
[modify] https://crrev.com/ddb9b7cdd19b63a81c4a094239e85f84acefaa17/core/fxcrt/cfx_string_c_template.h

The following revision refers to this bug:
  https://pdfium.googlesource.com/pdfium/+/05ea7e1ae677d0d5872f7ccbaf28f594ad6d94d9

commit 05ea7e1ae677d0d5872f7ccbaf28f594ad6d94d9
Author: Ryan Harrison <rharrison@chromium.org>
Date: Fri Aug 11 21:17:14 2017

Remove potential out of bounds call to GetAt()

Since m_pos is passed into GetAt() on the underlying string in
getCurrentChar(), the value of it needs to confirmed to be valid after
decrementing. Some types were changed to reflect the values being
stored.

BUG= chromium:752480 

Change-Id: Ib6d6f52326defd31785e70a17049a08b64dbe069
Reviewed-on: https://pdfium-review.googlesource.com/10652
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>

[modify] https://crrev.com/05ea7e1ae677d0d5872f7ccbaf28f594ad6d94d9/fxbarcode/datamatrix/BC_EncoderContext.h
[modify] https://crrev.com/05ea7e1ae677d0d5872f7ccbaf28f594ad6d94d9/fxbarcode/datamatrix/BC_C40Encoder.cpp
[modify] https://crrev.com/05ea7e1ae677d0d5872f7ccbaf28f594ad6d94d9/fxbarcode/datamatrix/BC_EncoderContext.cpp

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c413b67b391115e2b8ff57f62a203401c27bed84

commit c413b67b391115e2b8ff57f62a203401c27bed84
Author: pdfium-deps-roller@chromium.org <pdfium-deps-roller@chromium.org>
Date: Sat Aug 12 06:09:56 2017

Roll src/third_party/pdfium/ d27998f65..d3002340c (5 commits)

https://pdfium.googlesource.com/pdfium.git/+log/d27998f65262..d3002340caad

$ git log d27998f65..d3002340c --date=short --no-merges --format='%ad %ae %s'
2017-08-11 asweintraub Add a new public method to get the the origin of a character.
2017-08-11 rharrison Add 'testing' to a path that got missed
2017-08-11 rharrison Remove potential out of bounds call to GetAt()
2017-08-11 npm Roll zlib to 718f686
2017-08-11 rharrison Add checks of index operations on string classes

Created with:
  roll-dep src/third_party/pdfium
BUG= 752480 , 752480 


Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, see:
http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls


TBR=dsinclair@chromium.org

Change-Id: I1d712b536af34a7e91428bf855b4f319bea73945
Reviewed-on: https://chromium-review.googlesource.com/612586
Reviewed-by: <pdfium-deps-roller@chromium.org>
Commit-Queue: <pdfium-deps-roller@chromium.org>
Cr-Commit-Position: refs/heads/master@{#493965}
[modify] https://crrev.com/c413b67b391115e2b8ff57f62a203401c27bed84/DEPS

ClusterFuzz has detected this issue as fixed in range 493953:493966.

Detailed report: https://clusterfuzz.com/testcase?key=5423657953525760

Fuzzer: libFuzzer_pdf_cfx_barcode_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x605000001a0c
Crash State:
  CFX_WideString::GetAt
  CBC_EncoderContext::getCurrentChar
  CBC_C40Encoder::BacktrackOneCharacter
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=491642:491675
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=493953:493966

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5423657953525760

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 5423657953525760 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

The following revision refers to this bug:
  https://pdfium.googlesource.com/pdfium/+/32489a0eb4b5b71e7951c1e165e69209655eacee

commit 32489a0eb4b5b71e7951c1e165e69209655eacee
Author: Ryan Harrison <rharrison@chromium.org>
Date: Tue Aug 22 21:32:26 2017

Bypass asserts in string [] operator for empty strings

The previous behaviour of [] on an empty string was to return 0
regardless of the index. We wanted to make this more strict, hence the
current behaviour. This has led to a number of crashes due to code
depending on the old behaviour. Reverting to the old behaviour until
we have time to correct the call sites using empty strings.

Bug= chromium:752480 ,  pdfium:828 

Change-Id: I511eea4148de85bf7f4694351e7a030b1a37f0de
Reviewed-on: https://pdfium-review.googlesource.com/11630
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Nicolás Peña <npm@chromium.org>
Reviewed-by: dsinclair <dsinclair@chromium.org>

[modify] https://crrev.com/32489a0eb4b5b71e7951c1e165e69209655eacee/core/fxcrt/cfx_bytestring.h
[modify] https://crrev.com/32489a0eb4b5b71e7951c1e165e69209655eacee/core/fxcrt/cfx_widestring.h

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot