Null-dereference in GuessSizeForVSWPrintf
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=6179650157150208
Fuzzer: ifratric_acrojs
Job Type: windows_syzyasan_chrome
Platform Id: windows
Crash Type: Null-dereference
Crash Address: 0x00000003
Crash State:
  GuessSizeForVSWPrintf
  CFX_WideString::FormatV
  CFX_WideString::Format
Memory Tool: SYZYASAN
Regressed: https://clusterfuzz.com/revisions?job=windows_syzyasan_chrome&range=483471:483525
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6179650157150208
Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Sep 12 2017
This is unrelated to my change. I think what is happening here is that the code is attempting to get an arg from the arg list when there isn't an available element. I don't know this code well enough to understand why this would be occurring or how to prevent it. Sending over to tsepez to look into, since he has worked with the vswprintf stuff before, so hopefully he has more context.
Sep 12 2017
Looks to be a double va_list traversal in CFX_WideString::FormatV. D'oh.
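As an added example, not code from the issue thread or from PDFium, here is a C sketch of the bug class named in the comment above and of its fix. vswprintf returns a negative value when the buffer is too small, so a FormatV-style routine has to guess a size and retry; each retry walks the argument list again, and walking the caller's va_list twice exhausts it on the first pass, which is the shape of the crash in GuessSizeForVSWPrintf. The function names format_wide_v, format_wide, format_wide_equals and demo_growth are mine and assume nothing beyond the C standard library.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <wchar.h>

/*
 * Format a wide string from a va_list without the double-traversal bug.
 *
 * vswprintf differs from vsnprintf: when the buffer is too small it returns a
 * negative value instead of the length that would have been written, so the
 * required size has to be guessed and retried.  Every retry walks the argument
 * list again.  Reusing the caller's va_list for a sizing pass and then again
 * for the formatting pass reads past the real arguments on the second walk.
 * The fix is to va_copy the caller's list before each pass and va_end the copy.
 */
wchar_t *format_wide_v(const wchar_t *fmt, va_list args) {
    size_t cap = 64;                       /* initial guess, doubled on failure */
    for (;;) {
        wchar_t *buf = malloc(cap * sizeof(wchar_t));
        if (buf == NULL)
            return NULL;

        va_list pass;
        va_copy(pass, args);               /* never consume the caller's list */
        int n = vswprintf(buf, cap, fmt, pass);
        va_end(pass);

        if (n >= 0 && (size_t)n < cap)
            return buf;                    /* fit, terminator included */

        free(buf);
        if (cap >= (1u << 20))             /* bound the growth rather than loop forever */
            return NULL;
        cap *= 2;
    }
}

/* Variadic front end, mirroring a Format(fmt, ...) -> FormatV(fmt, va_list) split. */
wchar_t *format_wide(const wchar_t *fmt, ...) {
    va_list args;
    va_start(args, fmt);
    wchar_t *out = format_wide_v(fmt, args);
    va_end(args);
    return out;
}

/* Helper: format, compare with the expected text, release the buffer. */
int format_wide_equals(const wchar_t *expected, const wchar_t *fmt, ...) {
    va_list args;
    va_start(args, fmt);
    wchar_t *out = format_wide_v(fmt, args);
    va_end(args);
    if (out == NULL)
        return 0;
    int same = wcscmp(out, expected) == 0;
    free(out);
    return same;
}

/* Force at least one retry: a constructed 200-character argument cannot fit the
   64-slot first buffer, so the second pass must see the same arguments as the
   first.  Returns the formatted length, 202 (200 chars plus the brackets). */
int demo_growth(void) {
    wchar_t arg[201];
    for (int i = 0; i < 200; i++)
        arg[i] = L'a' + (i % 26);
    arg[200] = L'\0';
    wchar_t *out = format_wide(L"<%ls>", arg);
    if (out == NULL)
        return -1;
    int len = (int)wcslen(out);
    free(out);
    return len;
}

int main(void) {
    wchar_t *s = format_wide(L"%ls=%d", L"width", 42);
    if (s != NULL) {
        wprintf(L"%ls\n", s);
        free(s);
    }
    return demo_growth() == 202 ? 0 : 1;
}
```

The retry loop is where the bug would bite: on the first probe the 64-slot buffer is too small, and without va_copy the second probe would start from an already consumed list. A bounded cap also keeps a hostile format from driving the loop without end.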
Sep 13 2017
ClusterFuzz has detected this issue as fixed in range 501477:501529.
Detailed report: https://clusterfuzz.com/testcase?key=6179650157150208
Fuzzer: ifratric_acrojs
Job Type: windows_syzyasan_chrome
Platform Id: windows
Crash Type: Null-dereference
Crash Address: 0x00000003
Crash State:
  GuessSizeForVSWPrintf
  CFX_WideString::FormatV
  CFX_WideString::Format
Memory Tool: SYZYASAN
Regressed: https://clusterfuzz.com/revisions?job=windows_syzyasan_chrome&range=483471:483525
Fixed: https://clusterfuzz.com/revisions?job=windows_syzyasan_chrome&range=501477:501529
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6179650157150208
See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 13 2017
ClusterFuzz testcase 6179650157150208 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Sep 13 2017
https://pdfium.googlesource.com/pdfium/+/f2ca50ffa2d26a6c023add24e92adbe6b28bfcc9 was the speculative fix, despite what CF thinks is the fixed range.
Comment 1 by pnangunoori@chromium.org, Sep 12 2017
Labels: Test-Predator-Wrong-CLs M-61
Owner: rharrison@chromium.org
Status: Assigned (was: Untriaged)