
Issue 777151 link

Starred by 2 users

Issue metadata

Status: Verified
Owner: ----
Closed: Aug 14
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Chrome
Pri: 2
Type: Bug




Integer-overflow in compute_glyph_metrics

Project Member Reported by ClusterFuzz, Oct 21 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6188964246716416

Fuzzer: libFuzzer_pdf_font_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  compute_glyph_metrics
  TT_Load_Glyph
  FT_Load_Glyph
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=483358:483512

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6188964246716416

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
 
Cc: msrchandra@chromium.org w...@gnu.org pnangunoori@chromium.org
Components: Infra>Git
Labels: M-62 Test-Predator-Wrong
Predator and CL could not provide any possible suspects.
Using the code search for the file “ttgload.c”, assigning to the concerned owner from the GIT revision log.
Suspecting Commit#
https://chromium.googlesource.com/chromium/src/third_party/freetype2.git/+/5f18d867c0bf075153c8d6abb7e8d248ad469b56

@wl -- Could you please look into this issue, kindly reassign if it has nothing to do with your changes.

Note: As the suspect is out of chromium, adding suspect in CC.

Thank You.

Please send me the reproducer testcase privately; I don't have access to this file.
[This is, send to wl@gnu.org, please]
Cc: manoranj...@chromium.org
@mano --  could you please look into comment #2 and update.
Thank You

Comment 5 by mmoroz@chromium.org, Oct 24 2017

For more information, please see https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md.

The link referenced in the description is no longer valid.
Cc: bunge...@chromium.org
Components: -Infra>Git Blink>Fonts

Comment 7 by e...@chromium.org, May 8 2018

Status: Available (was: Untriaged)
Labels: OS-Chrome
Able to reproduce more easily by building FreeType like

$ CFLAGS="-fsanitize=undefined -fsanitize=signed-integer-overflow -g -fno-omit-frame-pointer" LDFLAGS="-fsanitize=undefined" CC="clang" CXX="clang++" ./configure && make

then building the freetype2-demos against that, then running

$ bin/ftbench -c 1 -f b -i 22 -j 22 -r 0 -s 64 -b a repro.ttf


The crazy values themselves are produced while hinting.
Attachment: repro.ttf (525 bytes)
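What UBSan trips on in this report is plain signed subtraction on hinted coordinates that have gone wild. The following is an added example, not FreeType's code and not the fix in commit 720ae67f: it shows two ways to make that subtraction well-defined, wrap-around in the style of FreeType's SUB_LONG helper and saturating with an overflow flag. The BBox/Metrics types, the function names and the sample coordinates are assumptions constructed for the example.

```c
/* Added example, not FreeType's own code: overflow-safe versions of the
 * bounding-box and advance arithmetic that compute_glyph_metrics performs
 * on hinted outline coordinates. Type and helper names are assumptions. */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

typedef long FT_Pos;                 /* 26.6 fixed-point position (FreeType) */
typedef struct { FT_Pos xMin, yMin, xMax, yMax; } BBox;
typedef struct { FT_Pos width, height, horiAdvance; bool clamped; } Metrics;

/* Wrap-around subtraction, the same idea as FreeType's SUB_LONG macro:
 * unsigned arithmetic is defined in C, so the result wraps instead of
 * invoking undefined behaviour and UBSan stays silent. */
static FT_Pos sub_long_wrap(FT_Pos a, FT_Pos b)
{
    return (FT_Pos)((unsigned long)a - (unsigned long)b);
}

/* Saturating subtraction: flag the overflow and clamp to the nearest
 * representable value, so a crafted font yields bounded metrics. */
static FT_Pos sub_long_sat(FT_Pos a, FT_Pos b, bool *overflowed)
{
    FT_Pos r;
    if (__builtin_sub_overflow(a, b, &r)) {
        *overflowed = true;
        return (a > b) ? LONG_MAX : LONG_MIN;
    }
    return r;
}

/* Derive glyph metrics from a (possibly absurd) hinted bbox and the two
 * phantom points pp1/pp2 whose distance is the horizontal advance. */
static Metrics compute_metrics_safe(const BBox *b, FT_Pos pp1x, FT_Pos pp2x)
{
    Metrics m = {0, 0, 0, false};
    m.width       = sub_long_sat(b->xMax, b->xMin, &m.clamped);
    m.height      = sub_long_sat(b->yMax, b->yMin, &m.clamped);
    m.horiAdvance = sub_long_sat(pp2x, pp1x, &m.clamped);
    return m;
}

int main(void)
{
    /* Constructed "hinted" bbox mimicking the crazy values the comment
     * above mentions: xMin far negative, xMax far positive. */
    BBox crazy = { LONG_MIN + 10, -64, LONG_MAX - 10, 64 };
    Metrics m = compute_metrics_safe(&crazy, 0, 640);
    printf("width=%ld height=%ld advance=%ld clamped=%d\n",
           m.width, m.height, m.horiAdvance, m.clamped);
    printf("wrapping width=%ld\n", sub_long_wrap(crazy.xMax, crazy.xMin));
    return 0;
}
```

Compiling this with the same -fsanitize=signed-integer-overflow flags as the comment above produces no report from either helper, whereas a bare `xMax - xMin` on the constructed bbox does.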
Thanks for the reproducer!

An old but harmless bug.  Now fixed in git with commit 720ae67f35701819f6bf3fd9337dc89079a4ed27.

Comment 10 by bugdroid1@chromium.org, Aug 13

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/bf550ca82d643b4d4f62d75b323294e27b89874c

commit bf550ca82d643b4d4f62d75b323294e27b89874c
Author: Ben Wagner <bungeman@chromium.org>
Date: Mon Aug 13 11:13:40 2018

Roll src/third_party/freetype/src/ 578bcf103..96b5e5009 (23 commits)

https://chromium.googlesource.com/chromium/src/third_party/freetype2.git/+log/578bcf103a12..96b5e500909c

$ git log 578bcf103..96b5e5009 --date=short --no-merges --format='%ad %ae %s'
2018-08-10 bungeman * src/sfnt/sfobjs.c (sfnt_done_face): Fix memory leak (#54435).
2018-08-10 ramakrishnan.nikhil Minor formatting.
2018-08-10 wl * src/base/ftobjs.c (FT_Render_Glyph_Internal): Improve tracing.
2018-08-10 wl Fix clang warnings.
2018-08-09 apodtele [raster, smooth] Reinstate bitmap size limits.
2018-08-08 apodtele [pcf] Revert massive unsigning.
2018-08-08 wl [smooth] Improve tracing.
2018-08-08 wl Add internal functions `FT_Trace_Disable' and `FT_Trace_Enable'.
2018-08-08 wl Debugging improvements.
2018-08-08 apodtele [pcf] Massive unsigning (part 2).
2018-08-08 apodtele [pcf] Massive unsigning (part 1).
2018-08-07 apodtele * src/pcf/pcfread.c (pcf_get_bitmaps): Unsign `offsets' and `bitmapSizes'.
2018-08-06 wl More comment formattings.
2018-08-06 wl * devel/ftoption.h: Synchronize with main `ftoption.h'.
2018-08-06 apodtele [pcf] Use unsigned types.
2018-08-06 wl Minor comment formatting.
2018-08-05 wl * src/truetype/ttgload.c (compute_glyph_metrics): Fix overflow.
2018-08-04 wl Ditto.
2018-08-04 wl * src/truetype/ttinterp.c (opcode_name): Fix typos.
2018-08-04 wl Fix clang warnings.
2018-07-31 wl * src/cid/cidtoken.h: Handle `XUID' keyword.
2018-07-31 wl [cid] Trace PostScript dictionaries.
2018-07-31 wl Minor documentation improvement.

Created with:
  roll-dep src/third_party/freetype/src
R=bungeman@chromium.org,drott@chromium.org

CQ_INCLUDE_TRYBOTS=luci.chromium.try:linux_chromium_msan_rel_ng

Bug: chromium:777151, pdfium:1131
Change-Id: Ib958a34663b7c1fa9dbdf63b54ac51cc21d14eea
PDFium-Issue: pdfium:1133
Reviewed-on: https://chromium-review.googlesource.com/1171575
Commit-Queue: Dominik Röttsches <drott@chromium.org>
Reviewed-by: Dominik Röttsches <drott@chromium.org>
Cr-Commit-Position: refs/heads/master@{#582548}
[modify] https://crrev.com/bf550ca82d643b4d4f62d75b323294e27b89874c/DEPS
[modify] https://crrev.com/bf550ca82d643b4d4f62d75b323294e27b89874c/third_party/freetype/BUILD.gn
[modify] https://crrev.com/bf550ca82d643b4d4f62d75b323294e27b89874c/third_party/freetype/README.chromium
[modify] https://crrev.com/bf550ca82d643b4d4f62d75b323294e27b89874c/third_party/freetype/include/freetype-custom-config/ftoption.h

Comment 11 by ClusterFuzz, Aug 14

ClusterFuzz has detected this issue as fixed in range 582547:582548.

Detailed report: https://clusterfuzz.com/testcase?key=6188964246716416

Fuzzer: libFuzzer_pdf_font_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  compute_glyph_metrics
  TT_Load_Glyph
  FT_Load_Glyph
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=483358:483512
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=582547:582548

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6188964246716416

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 12 by ClusterFuzz, Aug 14

Labels: ClusterFuzz-Verified
Status: Verified (was: Available)
ClusterFuzz testcase 6188964246716416 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
