VULNERABILITY DETAILS
Same like  Issue 752829  but this time opj_free() tries to free heap memory returned by FX_Alloc().

This issue affects the following functions.
1. sycc444_to_rgb
2. sycc422_to_rgb
3. sycc420_to_rgb
4. color_apply_conversion

Let's take function sycc422_to_rgb for example. In this function, the value of img->comps[*].data will be updated to a heap buffer returned by FX_Alloc.

static void sycc422_to_rgb(opj_image_t* img) {
  // skipped...

  int *d0, *d1, *d2, *r, *g, *b;
  d0 = r = FX_Alloc(int, max_size.ValueOrDie());
  d1 = g = FX_Alloc(int, max_size.ValueOrDie());
  d2 = b = FX_Alloc(int, max_size.ValueOrDie());
  
  // skipped...
  
  FX_Free(img->comps[0].data);
  img->comps[0].data = d0;      // --> returned by FX_Alloc()
  FX_Free(img->comps[1].data);
  img->comps[1].data = d1;      // --> returned by FX_Alloc()
  FX_Free(img->comps[2].data);
  img->comps[2].data = d2;      // --> returned by FX_Alloc()
  
  // skipped...
}

However, in function opj_image_destroy of file image.c, the pointer will be freed by function opj_free().

void OPJ_CALLCONV opj_image_destroy(opj_image_t *image) {
	if(image) {
		if(image->comps) {
			OPJ_UINT32 compno;

			/* image components */
			for(compno = 0; compno < image->numcomps; compno++) {
				opj_image_comp_t *image_comp = &(image->comps[compno]);
				if(image_comp->data) {
					opj_free(image_comp->data);     // --> opj_free()
				}
			}
			opj_free(image->comps);
		}

		if(image->icc_profile_buf) {
			opj_free(image->icc_profile_buf);
		}

		opj_free(image);
	}
}

VERSION
Chrome Version: latest pdfium
Operating System: All

REPRODUCTION CASE
Same as  Issue 752829 , by replace FX_Free with free in function sycc422_to_rgb, we can trigger the crash easily.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: [tab, browser, etc.]
Crash State: [see link above: stack trace, registers, exception record]
Client ID (if relevant): [see link above]