pdfium: oob array write in CPDF_StreamParser::ParseNextElement
Reported by
pdk...@gmail.com,
Apr 2 2018
Issue description
UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.70 Safari/537.36
Steps to reproduce the problem:
../../core/fpdfapi/page/cpdf_streamparser.cpp:277:3: runtime error: index 256 out of bounds for type 'uint8_t [256]'
#0 0x86138d in CPDF_StreamParser::ParseNextElement() ../../core/fpdfapi/page/cpdf_streamparser.cpp:277:28
#1 0x8743ce in CPDF_StreamContentParser::Parse(unsigned char const*, unsigned int, unsigned int) ../../core/fpdfapi/page/cpdf_streamcontentparser.cpp:1525:20
#2 0x7cc1a5 in CPDF_ContentParser::Continue(IFX_PauseIndicator*) ../../core/fpdfapi/page/cpdf_contentparser.cpp:170:24
#3 0x7df177 in CPDF_PageObjectHolder::ContinueParse(IFX_PauseIndicator*) ../../core/fpdfapi/page/cpdf_pageobjectholder.cpp:40:18
#4 0x64d090 in FPDF_LoadPage ../../fpdfsdk/fpdfview.cpp:714:10
https://cs.chromium.org/chromium/src/third_party/pdfium/core/fpdfapi/page/cpdf_streamparser.cpp?l=277&rcl=8f4f0ede809a9bae283538f5c6930c5d7ba13585
The code is as follows.
while (1) {
  // m_WordSize == 255
  if (m_WordSize < kMaxWordBuffer)
    m_WordBuffer[m_WordSize++] = ch;
  // m_WordSize == 256
  ...
}
m_WordBuffer[m_WordSize] = 0; // BUG
So while m_WordSize is checked against kMaxWordBuffer (256), it is incremented on the next line, which causes the invalid access a few lines later.
What is the expected behavior?
What went wrong?
Did this work before? No
Chrome version: 66.0.3359.70 Channel: beta
OS Version: Ubuntu 14.04
Flash Version:
Apr 2 2018
Setting severity low, as it turns out, this can only overwrite the first byte of the adjacent m_wordsize field with a 0, which doesn't seem very useful. If the structure were re-shuffled someday, then this could be more serious.
Apr 2 2018
I'll cobble a quick fix. Note that ASAN can't catch these intra-field overflows; the first thing I'm going to try is to put the inline array last and see if we get a hit.
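Worked example, added here and not code from the report or from pdfium: a small C model of the loop quoted in the report, of the point made in the severity comment (the stray terminator store lands on the first byte of the neighbouring m_WordSize), and of the point made in the comment above (with the inline array placed last, the same index falls one byte past the end of the object, where a sanitizer redzone can see it). The struct names, the field order, the helper functions and the 300-byte input are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example; the structs, field order and helpers are assumptions
 * modelled on the bug report, not pdfium's own declarations. */
#define kMaxWordBuffer 256

/* Layout as the thread describes it: the inline array sits directly before
 * m_WordSize, so buffer index 256 is byte 0 of m_WordSize. */
struct parser_before {
    uint8_t  m_WordBuffer[kMaxWordBuffer];
    uint32_t m_WordSize;
};

/* Layout with the inline array moved last: index 256 is now one byte past
 * the end of the object, which an ASan redzone catches. */
struct parser_reordered {
    uint32_t m_WordSize;
    uint8_t  m_WordBuffer[kMaxWordBuffer];
};

/* The copy loop from the report: a 256th byte passes the check because
 * m_WordSize is still 255, the post-increment makes it 256, and the
 * terminator store then uses that index unchecked. Returns the byte offset
 * within the struct that the terminator store hits. */
static size_t parse_word_buggy(struct parser_before *p,
                               const uint8_t *in, size_t len)
{
    p->m_WordSize = 0;
    for (size_t i = 0; i < len && in[i] != ' '; i++) {
        if (p->m_WordSize < kMaxWordBuffer)
            p->m_WordBuffer[p->m_WordSize++] = in[i];
    }
    size_t off = offsetof(struct parser_before, m_WordBuffer) + p->m_WordSize;
    /* BUG: equivalent to m_WordBuffer[m_WordSize] = 0, done through a byte
     * pointer to the whole object so the demo stays well-defined C and we can
     * inspect the damage instead of aborting under a sanitizer. */
    ((uint8_t *)p)[off] = 0;
    return off;
}

/* Fixed loop: keep one byte in reserve for the terminator, so m_WordSize
 * never exceeds kMaxWordBuffer - 1 and the final store stays in bounds.
 * (Growing the array by one is the other usual fix; this page does not show
 * which variant pdfium's commit used.) */
static uint32_t parse_word_fixed(struct parser_reordered *p,
                                 const uint8_t *in, size_t len)
{
    p->m_WordSize = 0;
    for (size_t i = 0; i < len && in[i] != ' '; i++) {
        if (p->m_WordSize < kMaxWordBuffer - 1)
            p->m_WordBuffer[p->m_WordSize++] = in[i];
    }
    p->m_WordBuffer[p->m_WordSize] = 0;   /* index is at most 255 */
    return p->m_WordSize;
}

/* Offset the unchecked store would hit with the array placed last. */
static size_t stray_store_offset_reordered(void)
{
    return offsetof(struct parser_reordered, m_WordBuffer) + kMaxWordBuffer;
}

/* Constructed input: a 300-byte token with no terminator, longer than the buffer. */
static size_t demo_buggy_offset(void)
{
    uint8_t token[300];
    memset(token, 'A', sizeof token);
    struct parser_before b;
    return parse_word_buggy(&b, token, sizeof token);
}

static uint32_t demo_fixed_len(void)
{
    uint8_t token[300];
    memset(token, 'A', sizeof token);
    struct parser_reordered r;
    return parse_word_fixed(&r, token, sizeof token);
}

/* Short token: the fixed loop must still stop at the space and NUL-terminate. */
static int demo_fixed_short_ok(void)
{
    const uint8_t token[] = "abc def";
    struct parser_reordered r;
    uint32_t n = parse_word_fixed(&r, token, sizeof token - 1);
    return n == 3 && memcmp(r.m_WordBuffer, "abc", 3) == 0 && r.m_WordBuffer[3] == 0;
}

int main(void)
{
    printf("buggy: terminator store hits offset %zu; m_WordSize lives at offset %zu\n",
           demo_buggy_offset(), offsetof(struct parser_before, m_WordSize));
    printf("fixed: long token kept %u bytes\n", demo_fixed_len());
    printf("array-last layout: store would hit offset %zu of a %zu-byte object\n",
           stray_store_offset_reordered(), sizeof(struct parser_reordered));
    return 0;
}
```

With the array first, the store lands at offset 256, which is the first byte of m_WordSize; because m_WordSize is 256 (0x100) at that moment, the byte it clobbers already holds zero and the corruption is invisible, which is what the low-severity call above relies on. With the array last, the same index is offset 260 of a 260-byte object, one past its end, so the intra-object write becomes a true out-of-bounds write that ASan's redzone reports.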
Apr 3 2018
topanel, in case they want to argue for higher severity.
Apr 3 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/fb4fb2f860216f7076d1634dc08d1d88ade52659

commit fb4fb2f860216f7076d1634dc08d1d88ade52659
Author: pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Date: Tue Apr 03 19:33:43 2018

Roll src/third_party/pdfium/ 75304f915..232b918d1 (3 commits)

https://pdfium.googlesource.com/pdfium.git/+log/75304f915c5c..232b918d1f0f

$ git log 75304f915..232b918d1 --date=short --no-merges --format='%ad %ae %s'
2018-04-03 tsepez Re-arrange so inline vectors come last in structs.
2018-04-03 thestig Roll pdfium/third_party/freetype/src/ 713d68ee9..7109495c5 (21 commits)
2018-04-03 tsepez Off-by-one in CPDF_StreamParser::ParseNextElement()

Created with:
roll-dep src/third_party/pdfium

BUG= chromium:828049

The AutoRoll server is located here: https://pdfium-roll.skia.org
Documentation for the AutoRoller is here: https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, please contact the current sheriff, who should be CC'd on the roll, and stop the roller if necessary.

TBR=dsinclair@chromium.org
Change-Id: I2892003f57e749fed8957a758722ec702d166bfd
Reviewed-on: https://chromium-review.googlesource.com/992888
Commit-Queue: pdfium-chromium-autoroll <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Reviewed-by: pdfium-chromium-autoroll <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#547792}

[modify] https://crrev.com/fb4fb2f860216f7076d1634dc08d1d88ade52659/DEPS
Apr 16 2018
*** Boilerplate reminders! *** Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing. *********************************
Apr 16 2018
Thanks pdknsk@ - the VRP panel decided to award $500 for this report. Also, how would you like to be credited in the release notes?
Apr 17 2018
Thanks. Please just credit me as pdknsk. (An email I sent didn't show up. I guess you cannot email-reply to secret bugs.)
Jul 11
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by pdk...@gmail.com, Apr 2 2018: attachment, 330 bytes (Download)