CVE-2018-20072: 
Google Chrome vulnerability analysis and mitigation

CVE-2018-20072 is a vulnerability discovered in Google Chrome's PDF handling component prior to version 73.0.3683.75. The vulnerability stems from insufficient data validation in the PDF processing functionality, which could allow remote attackers to perform out-of-bounds memory access through a specially crafted PDF file (NVD).

The vulnerability is related to insufficient validation in CPDF_Annot quad point methods, specifically in BoundingRectFromQuadPoints() and RectFromQuadPoints() functions. These methods failed to handle out-of-bound indices properly. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.8 (HIGH), with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD, Chromium Issue).

While initially concerning, the actual security impact was determined to be Low according to Chromium's security severity assessment. In non-debug builds, subsequent GetNumberAt() calls are bounds-checked and do not show any memory corruption under address sanitizer (ASAN) builds of the vulnerable version (Chromium Issue).

The vulnerability was fixed in Google Chrome version 73.0.3683.75. The fix involved implementing proper validation in the CPDF_Annot quad point methods to handle out-of-bound indices gracefully. The patch was committed with the change ID: I548691dc4110ff509e94a9e961bd760fa10e505f (Chromium Issue).