Pointer-overflow in ft_lcd_filter_fir
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5294927463055360

Fuzzer: libFuzzer_pdfium_xfa_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Pointer-overflow
Crash Address:
Crash State:
  ft_lcd_filter_fir
  ft_smooth_render_generic
  FT_Render_Glyph_Internal

Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=551565:551569

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5294927463055360

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
Apr 23 2018
Apr 23 2018
This "regressed" because this check got added to ubsan. It's not horrible, in the sense that all the later code is loops with the predicate height > 0 and so 'origin' doesn't get used in the ub cases. On the other hand, FreeType probably still wants to fix this, so I'll open an issue.
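The pattern the comment above describes, a row-origin pointer derived from pitch and rows before the empty-bitmap case is excluded and then never dereferenced because the row loops are guarded by height > 0, shown as an added example in plain C. This is not FreeType's ft_lcd_filter_fir and not the upstream fix; the Bitmap struct, origin_offset, filter_rows, the 3-tap filter and the sample bytes are constructed here for illustration. The defensive version rejects degenerate dimensions and checks the declared geometry against the allocation using integer arithmetic before any pointer is formed, so the rows == 0 input leaves nothing for UBSan's pointer-overflow check to report.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for a FreeType-style bitmap (not FreeType's FT_Bitmap). */
typedef struct {
    unsigned char *buffer;
    size_t         size;   /* bytes actually allocated behind buffer */
    int            pitch;  /* row stride in bytes; negative means rows are stored bottom-up */
    unsigned int   rows;
    unsigned int   width;
} Bitmap;

/*
 * The UB pattern the fuzzer flagged: a "top row" pointer computed from
 * pitch * (rows - 1) before rows is known to be non-zero. With rows == 0 the
 * subtraction wraps and the pointer arithmetic leaves the allocation. Loops
 * guarded by height > 0 never dereference it, but forming such a pointer is
 * already undefined behaviour, which is what UBSan's pointer-overflow reports.
 *
 * Defensive form: validate dimensions first, do the arithmetic on integers,
 * and only then turn a bounds-checked offset into a pointer. Returns the byte
 * offset of the top row, or -1 if the bitmap is degenerate or does not fit
 * inside its buffer.
 */
long long origin_offset(int pitch, unsigned int rows, unsigned int width, size_t size)
{
    if (rows == 0 || width == 0)
        return -1;                               /* nothing to filter; form no pointer */

    long long stride = pitch;
    long long abs_stride = stride < 0 ? -stride : stride;
    if (abs_stride < (long long)width)
        return -1;                               /* rows would overlap each other */

    /* Distance from the first to the last row start; fits in 64 bits for any int/unsigned. */
    long long span = abs_stride * (long long)(rows - 1);
    if (span + (long long)width > (long long)size)
        return -1;                               /* declared geometry exceeds the allocation */

    /* Bottom-up storage: the top row is the last one in memory. */
    return stride < 0 ? span : 0;
}

/* Toy 3-tap horizontal box filter standing in for the LCD FIR filter. */
static void filter_line(unsigned char *line, unsigned int width)
{
    unsigned int prev = line[0];                 /* left neighbour clamped to the edge pixel */
    for (unsigned int x = 0; x < width; x++) {
        unsigned int cur  = line[x];
        unsigned int next = (x + 1 < width) ? line[x + 1] : cur;
        line[x] = (unsigned char)((prev + cur + next) / 3);
        prev = cur;
    }
}

/* Filters every row. Returns rows processed, 0 for an empty bitmap, or -1 if
 * the geometry is inconsistent with the buffer. */
int filter_rows(Bitmap *bm)
{
    if (bm->rows == 0 || bm->width == 0)
        return 0;                                /* the fuzzer's case: bail before any pointer math */

    long long off = origin_offset(bm->pitch, bm->rows, bm->width, bm->size);
    if (off < 0)
        return -1;

    unsigned char *origin = bm->buffer + (size_t)off;
    for (unsigned int y = 0; y < bm->rows; y++) {
        /* Every row start lies inside the buffer by construction of origin_offset. */
        unsigned char *line = origin + (ptrdiff_t)bm->pitch * (ptrdiff_t)y;
        filter_line(line, bm->width);
    }
    return (int)bm->rows;
}

/* Runs the constructed cases; returns 1 if all behave as expected. */
int demo(void)
{
    unsigned char buf[6] = { 30, 60, 90, 0, 0, 0 };   /* constructed 3x2 bottom-up bitmap */
    Bitmap bm = { buf, sizeof buf, -3, 2, 3 };
    if (filter_rows(&bm) != 2) return 0;
    if (buf[0] != 40 || buf[1] != 60 || buf[2] != 80) return 0;

    Bitmap empty = { buf, sizeof buf, -3, 0, 3 };     /* rows == 0, as in the crash */
    if (filter_rows(&empty) != 0) return 0;

    Bitmap liar = { buf, sizeof buf, -3, 3, 3 };      /* claims three rows, buffer holds two */
    if (filter_rows(&liar) != -1) return 0;
    return 1;
}

int main(void)
{
    int ok = demo();
    printf("all constructed cases ok: %d\n", ok);
    return ok ? 0 : 1;
}
```

Building with -fsanitize=undefined keeps UBSan's pointer-overflow check active on the arithmetic in filter_rows; because the offset is validated on integers first, the empty and oversized inputs return early and the only pointers formed point inside buf.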
Apr 23 2018
Apr 24 2018
Fixed upstream with http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=2157d8fa6f7e12063ca166476ed2223d24234db7 . Will start a roll to get that into Chromium.
Apr 25 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/0f0cd846578444044d2fca2db50aa87432c1b17c

commit 0f0cd846578444044d2fca2db50aa87432c1b17c
Author: Ben Wagner <bungeman@chromium.org>
Date: Wed Apr 25 22:15:00 2018

Roll src/third_party/freetype/src/ 26ad1acbc..2157d8fa6 (21 commits)

https://chromium.googlesource.com/chromium/src/third_party/freetype2.git/+log/26ad1acbcb4c..2157d8fa6f7e

$ git log 26ad1acbc..2157d8fa6 --date=short --no-merges --format='%ad %ae %s'
2018-04-24 bungeman [base] Avoid undefined behaviour in lcd filtering code (#53727).
2018-04-22 wl * src/base/ftoutln.c (FT_Outline_Decompose): Improve error tracing.
2018-04-22 apodtele [base] Fix bitmap emboldening.
2018-04-22 wl Revert "[base] Fix bitmap copying where the new pitch is smaller."
2018-04-22 wl [base] Fix bitmap copying where the new pitch is smaller.
2018-04-22 wl Another fix for handling invalid format 2 cmaps.
2018-04-19 apodtele Documentation tweaks.
2018-04-19 wl [autofit] Add support for Georgian Mtavruli characters.
2018-04-19 wl Fix handling of invalid format 2 cmaps.
2018-04-17 wl [truetype] Integer overflow issues.
2018-04-16 wl CHANGES: Mention CVE-2018-6942.
2018-04-16 wl [truetype] Integer overflow issues.
2018-04-15 ankit97dhankhar [docmaker] Make it work with python3.
2018-04-15 apodtele [build] Use `info' function of make 3.81.
2018-04-15 wl [truetype]: Limit `SLOOP' bytecode argument to 16 bits.
2018-04-14 wl [truetype] Integer overflow issues.
2018-04-14 wl [autofit] Update to Unicode 11.0.0.
2018-04-07 madigens Modernize CMake build.
2018-04-09 wl [truetype] Integer overflow issues.
2018-04-06 apodtele [windows, wince] Clean up legacy project files.
2018-04-04 wl [cff, type1] Sanitize `BlueFuzz' and `BlueShift'.

Created with:
  roll-dep src/third_party/freetype/src

R=bungeman@chromium.org,drott@chromium.org
BUG= chromium:834853
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_chromium_msan_rel_ng
PDFium-Issue: pdfium:1070
ChromiumOS-Issue: chromium:836302

Change-Id: Ibd486fc3983625a7a621ffd0680118c9794585ac
Reviewed-on: https://chromium-review.googlesource.com/1025069
Reviewed-by: Lei Zhang <thestig@chromium.org>
Commit-Queue: Ben Wagner <bungeman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#553786}

[modify] https://crrev.com/0f0cd846578444044d2fca2db50aa87432c1b17c/DEPS
[modify] https://crrev.com/0f0cd846578444044d2fca2db50aa87432c1b17c/third_party/freetype/README.chromium
Apr 25 2018
I tested UBSAN locally.
Apr 26 2018
ClusterFuzz has detected this issue as fixed in range 553785:553791.

Detailed report: https://clusterfuzz.com/testcase?key=5294927463055360

Fuzzer: libFuzzer_pdfium_xfa_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Pointer-overflow
Crash Address:
Crash State:
  ft_lcd_filter_fir
  ft_smooth_render_generic
  FT_Render_Glyph_Internal

Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=551565:551569
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=553785:553791

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5294927463055360

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Apr 26 2018
ClusterFuzz testcase 5294927463055360 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by brajkumar@chromium.org, Apr 23 2018
Components: Internals>Plugins>PDF
Labels: M-68 Test-Predator-Wrong CF-NeedsTriage