This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

dsinclair, could you please help with triaging this?

This is similar to  crbug.com/771479 

Perhaps the fix needs to be done somewhere else. art-snake@, can you please check if it's the same thing?

The following revision refers to this bug:
  https://pdfium.googlesource.com/pdfium/+/fb6165ff8f8ad1d7725f63e509eb7f7543df231e

commit fb6165ff8f8ad1d7725f63e509eb7f7543df231e
Author: Henrique Nakashima <hnakashima@chromium.org>
Date: Tue Oct 10 20:23:26 2017

Fix dangling pointer to ID array in CPDF_SecurityHandler.

This was caused by breaking the reference from CPDF_SecurityHandler to
CPDF_Parser in https://pdfium-review.googlesource.com/c/pdfium/+/15290

The reference was replaced with a reference to the ID Array and a copy
of the password. The issue is that when parsing PDFs with multiple
trailers, the trailer containing the ID array may be replaced and
destroyed in CPDF_Parser::TrailerData::SetMainTrailer() after being
passed to CPDF_SecurityHandler, which would then have a dangling
pointer to it.

This CL changes the CPDF_SecurityHandler to hold a copy of the original
file ID instead of all the ID Array.

Bug:  chromium:771479 , chromium:772376 
Change-Id: Id98100502093d890fc2fe6a3da139f910daf38f4
Reviewed-on: https://pdfium-review.googlesource.com/15910
Commit-Queue: Henrique Nakashima <hnakashima@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>

[modify] https://crrev.com/fb6165ff8f8ad1d7725f63e509eb7f7543df231e/core/fpdfapi/parser/cpdf_security_handler.cpp
[modify] https://crrev.com/fb6165ff8f8ad1d7725f63e509eb7f7543df231e/core/fpdfapi/parser/cpdf_security_handler.h

ClusterFuzz has detected this issue as fixed in range 507774:507842.

Detailed report: https://clusterfuzz.com/testcase?key=5699266000715776

Fuzzer: ochang_neurofuzz_mutator
Job Type: windows_asan_chrome
Platform Id: windows

Crash Type: Heap-use-after-free READ 1
Crash Address: 0x07a3fca0
Crash State:
  CPDF_SecurityHandler::~CPDF_SecurityHandler
  CPDF_Parser::~CPDF_Parser
  CPDF_Document::~CPDF_Document
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=506092:506169
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=507774:507842

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5699266000715776

Additional requirements: Requires Gestures

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 5699266000715776 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Both regressed and fixed in M63, removing ReleaseBlock-Stable

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot