Heap-double-free in g_error_free
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4658112620658688
Fuzzer: ochang_media_mutator
Job Type: linux_asan_chrome_media
Platform Id: linux
Crash Type: Heap-double-free
Crash Address: 0x603000515440
Crash State:
  g_error_free
  g_error_free
Recommended Security Severity: Medium
Minimized Testcase (0.15 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv97ogeQJ4ekTfs0is_w01UVcvLuGSnRztmrJ5_lZA83MldaDEZAjL-8cB484ule49bjYY97Bk1hgNPzRzh7zqfYpjKgaxutmxQ2UEM_PN3tDXWS2dKf_s0NCwj5jn53saIf_xRlDSv1G8YamJSEXD9CiKT0wUg?testcase_id=4658112620658688
Additional requirements: Requires Gestures

Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jan 4 2017
Interesting. This is what I've got locally:

ASAN_OPTIONS=redzone=16:symbolize=1:detect_stack_use_after_return=1:alloc_dealloc_mismatch=0:print_scariness=1:check_malloc_usable_size=0:max_uar_stack_size_log=16:use_sigaltstack=1:strict_memcmp=0:detect_container_overflow=1:coverage=0:detect_odr_violation=0:allocator_may_return_null=1:handle_segv=1:fast_unwind_on_fatal=0 asan-linux-release-428014/chrome --js-flags="--expose-gc --verify-heap" ./fuzz-18-00e1a41da67c60b9bec19aeecc54068b2caebb3a.3gp
[116623:116640:0104/134254:ERROR:file_path_watcher_linux.cc(252)] inotify_init() failed: Too many open files
[116623:116651:0104/134254:ERROR:web_database_backend.cc(113)] Cannot initialize the web database: 2
[116623:116623:0104/134254:ERROR:desktop_window_tree_host_x11.cc(1153)] Not implemented reached in virtual void views::DesktopWindowTreeHostX11::InitModalType(ui::ModalType)
=================================================================
==116623==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6070000774e8 at pc 0x7f14401b5175 bp 0x7ffc918fea30 sp 0x7ffc918fea28
READ of size 8 at 0x6070000774e8 thread T0 (chrome)
SCARINESS: 23 (8-byte-read-heap-buffer-overflow)
    #0 0x7f14401b5174 in WebDataRequestManager::CancelRequest(int) components/webdata/common/web_data_request_manager.cc:103:6
    #1 0x7f14413b6a03 in CancelPendingQuery components/autofill/core/browser/personal_data_manager.cc:1230:16
    #2 0x7f14413b6a03 in autofill::PersonalDataManager::~PersonalDataManager() components/autofill/core/browser/personal_data_manager.cc:300
    #3 0x7f14413b7e0a in autofill::PersonalDataManager::~PersonalDataManager() components/autofill/core/browser/personal_data_manager.cc:298:45
    #4 0x7f14401911a4 in KeyedServiceFactory::Disassociate(base::SupportsUserData*) components/keyed_service/core/keyed_service_factory.cc:107:5
    #5 0x7f144019187f in KeyedServiceFactory::ContextDestroyed(base::SupportsUserData*) components/keyed_service/core/keyed_service_factory.cc:119:3
    #6 0x7f1440197d9a in DependencyManager::DestroyContextServices(base::SupportsUserData*) components/keyed_service/core/dependency_manager.cc:103:14
    #7 0x7f143afe4975 in ProfileImpl::~ProfileImpl() chrome/browser/profiles/profile_impl.cc:705:51
    #8 0x7f143afe53ca in ProfileImpl::~ProfileImpl() chrome/browser/profiles/profile_impl.cc:676:29
    #9 0x7f143afd2a46 in ProfileDestroyer::DestroyProfileWhenAppropriate(Profile*) chrome/browser/profiles/profile_destroyer.cc:65:7
    #10 0x7f143aae4094 in ~ProfileInfo chrome/browser/profiles/profile_manager.cc:1553:3
    #11 0x7f143aae4094 in depart base/memory/linked_ptr.h:144
    #12 0x7f143aae4094 in linked_ptr<ProfileManager::ProfileInfo>::~linked_ptr() base/memory/linked_ptr.h:82
    #13 0x7f143aae5dc5 in ~pair buildtools/third_party/libc++/trunk/include/utility:280:30
    #14 0x7f143aae5dc5 in ~__value_type buildtools/third_party/libc++/trunk/include/map:653
    #15 0x7f143aae5dc5 in __destroy<std::__1::__value_type<base::FilePath, linked_ptr<ProfileManager::ProfileInfo> > > buildtools/third_party/libc++/trunk/include/memory:1673
    #16 0x7f143aae5dc5 in destroy<std::__1::__value_type<base::FilePath, linked_ptr<ProfileManager::ProfileInfo> > > buildtools/third_party/libc++/trunk/include/memory:1536
    #17 0x7f143aae5dc5 in std::__1::__tree<std::__1::__value_type<base::FilePath, linked_ptr<ProfileManager::ProfileInfo> >, std::__1::__map_value_compare<base::FilePath, std::__1::__value_type<base::FilePath, linked_ptr<ProfileManager::ProfileInfo> >, std::__1::less<base::FilePath>, true>, std::__1::allocator<std::__1::__value_type<base::FilePath, linked_ptr<ProfileManager::ProfileInfo> > > >::destroy(std::__1::__tree_node<std::__1::__value_type<base::FilePath, linked_ptr<ProfileManager::ProfileInfo> >, void*>*) buildtools/third_party/libc++/trunk/include/__tree:1431
    #18 0x7f143aae5abc in ~__tree buildtools/third_party/libc++/trunk/include/__tree:1419:5
    #19 0x7f143aae5abc in ~map buildtools/third_party/libc++/trunk/include/__tree:1105
    #20 0x7f143aae5abc in ProfileManager::~ProfileManager() chrome/browser/profiles/profile_manager.cc:351
    #21 0x7f143aace54a in ProfileManager::~ProfileManager() chrome/browser/profiles/profile_manager.cc:350:35
    #22 0x7f143b506367 in operator() buildtools/third_party/libc++/trunk/include/memory:2529:13
    #23 0x7f143b506367 in reset buildtools/third_party/libc++/trunk/include/memory:2735
    #24 0x7f143b506367 in BrowserProcessImpl::StartTearDown() chrome/browser/browser_process_impl.cc:320
    #25 0x7f143b300427 in ChromeBrowserMainParts::PostMainMessageLoopRun() chrome/browser/chrome_browser_main.cc:2047:21
    #26 0x7f14385eb6f1 in content::BrowserMainLoop::ShutdownThreadsAndCleanUp() content/browser/browser_main_loop.cc:1009:13
    #27 0x7f14385f7799 in content::BrowserMainRunnerImpl::Shutdown() content/browser/browser_main_runner.cc:211:19
    #28 0x7f14385dadca in content::BrowserMain(content::MainFunctionParams const&) content/browser/browser_main.cc:48:16
    #29 0x7f143a90a553 in content::ContentMainRunnerImpl::Run() content/app/content_main_runner.cc:776:12
    #30 0x7f143a904a8d in content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:20:28
    #31 0x7f1434c323d2 in ChromeMain chrome/app/chrome_main.cc:97:12
    #32 0x7f1429719f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287
    #33 0x7f1434b5f710 in _start (/usr/local/google/home/mmoroz/sheriff/677970/asan-linux-release-428014/chrome+0x2fc9710)

0x6070000774e8 is located 8 bytes to the left of 72-byte region [0x6070000774f0,0x607000077538)
allocated by thread T0 (chrome) here:
    #0 0x7f1434c2f0bb in operator new(unsigned long) (/usr/local/google/home/mmoroz/sheriff/677970/asan-linux-release-428014/chrome+0x30990bb)
    #1 0x7f1443600696 in WebDataServiceWrapper::WebDataServiceWrapper(base::FilePath const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, scoped_refptr<base::SingleThreadTaskRunner> const&, scoped_refptr<base::SingleThreadTaskRunner> const&, base::Callback<void (syncer::ModelType), (base::internal::CopyMode)1, (base::internal::RepeatMode)1> const&, void (* const&)(WebDataServiceWrapper::ErrorType, sql::InitStatus, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&)) components/webdata_services/web_data_service_wrapper.cc:94:23
    #2 0x7f143ab72652 in WebDataServiceFactory::BuildServiceInstanceFor(content::BrowserContext*) const chrome/browser/web_data_service_factory.cc:166:14
    #3 0x7f1441d5ea2b in BrowserContextKeyedServiceFactory::BuildServiceInstanceFor(base::SupportsUserData*) const components/keyed_service/content/browser_context_keyed_service_factory.cc:95:7
    #4 0x7f144019004b in KeyedServiceFactory::GetServiceForContext(base::SupportsUserData*, bool) components/keyed_service/core/keyed_service_factory.cc:91:15
    #5 0x7f143ab7205f in GetForProfile chrome/browser/web_data_service_factory.cc:85:22
    #6 0x7f143ab7205f in WebDataServiceFactory::GetAutofillWebDataForProfile(Profile*, ServiceAccessType) chrome/browser/web_data_service_factory.cc:107
    #7 0x7f143ae76c1b in autofill::PersonalDataManagerFactory::BuildServiceInstanceFor(content::BrowserContext*) const chrome/browser/autofill/personal_data_manager_factory.cc:51:17
    #8 0x7f1441d5ea2b in BrowserContextKeyedServiceFactory::BuildServiceInstanceFor(base::SupportsUserData*) const components/keyed_service/content/browser_context_keyed_service_factory.cc:95:7
    #9 0x7f144019004b in KeyedServiceFactory::GetServiceForContext(base::SupportsUserData*, bool) components/keyed_service/core/keyed_service_factory.cc:91:15
    #10 0x7f1441adf260 in AutofillPrivateEventRouter chrome/browser/extensions/api/autofill_private/autofill_private_event_router.cc:37:20
    #11 0x7f1441adf260 in extensions::AutofillPrivateEventRouter::Create(content::BrowserContext*) chrome/browser/extensions/api/autofill_private/autofill_private_event_router.cc:83
    #12 0x7f1441d5ea2b in BrowserContextKeyedServiceFactory::BuildServiceInstanceFor(base::SupportsUserData*) const components/keyed_service/content/browser_context_keyed_service_factory.cc:95:7
    #13 0x7f144019004b in KeyedServiceFactory::GetServiceForContext(base::SupportsUserData*, bool) components/keyed_service/core/keyed_service_factory.cc:91:15
    #14 0x7f14401978dc in DependencyManager::CreateContextServices(base::SupportsUserData*, bool) components/keyed_service/core/dependency_manager.cc:73:16
    #15 0x7f1441d5d0d4 in BrowserContextDependencyManager::DoCreateBrowserContextServices(content::BrowserContext*, bool) components/keyed_service/content/browser_context_dependency_manager.cc:47:22
    #16 0x7f143afe7663 in ProfileImpl::OnLocaleReady() chrome/browser/profiles/profile_impl.cc:845:7
    #17 0x7f143afe0373 in ProfileImpl::OnPrefsLoaded(Profile::CreateMode, bool) chrome/browser/profiles/profile_impl.cc:870:3
    #18 0x7f143afdf830 in ProfileImpl::ProfileImpl(base::FilePath const&, Profile::Delegate*, Profile::CreateMode, base::SequencedTaskRunner*) chrome/browser/profiles/profile_impl.cc:497:5
    #19 0x7f143afdcb2c in Profile::CreateProfile(base::FilePath const&, Profile::Delegate*, Profile::CreateMode) chrome/browser/profiles/profile_impl.cc:316:14
    #20 0x7f143aae2825 in ProfileManager::CreateProfileHelper(base::FilePath const&) chrome/browser/profiles/profile_manager.cc:1226:10
    #21 0x7f143aad22d0 in ProfileManager::CreateAndInitializeProfile(base::FilePath const&) chrome/browser/profiles/profile_manager.cc:1303:22
    #22 0x7f143aad176f in ProfileManager::GetProfile(base::FilePath const&) chrome/browser/profiles/profile_manager.cc:462:10
    #23 0x7f14429abae8 in GetStartupProfile(base::FilePath const&, base::CommandLine const&) chrome/browser/ui/startup/startup_browser_creator.cc:895:39
    #24 0x7f143b2fb07e in CreatePrimaryProfile chrome/browser/chrome_browser_main.cc:463:13
    #25 0x7f143b2fb07e in ChromeBrowserMainParts::PreMainMessageLoopRunImpl() chrome/browser/chrome_browser_main.cc:1637
    #26 0x7f143b2f979c in ChromeBrowserMainParts::PreMainMessageLoopRun() chrome/browser/chrome_browser_main.cc:1269:18
    #27 0x7f14385ea5fb in content::BrowserMainLoop::PreMainMessageLoopRun() content/browser/browser_main_loop.cc:959:13
    #28 0x7f143938d081 in Run base/callback.h:64:12
    #29 0x7f143938d081 in content::StartupTaskRunner::RunAllTasksNow() content/browser/startup_task_runner.cc:45
    #30 0x7f14385e46fb in content::BrowserMainLoop::CreateStartupTasks() content/browser/browser_main_loop.cc:849:25
    #31 0x7f14385f6c51 in content::BrowserMainRunnerImpl::Initialize(content::MainFunctionParams const&) content/browser/browser_main_runner.cc:140:17
    #32 0x7f14385dad33 in content::BrowserMain(content::MainFunctionParams const&) content/browser/browser_main.cc:42:32
    #33 0x7f143a90a553 in content::ContentMainRunnerImpl::Run() content/app/content_main_runner.cc:776:12

SUMMARY: AddressSanitizer: heap-buffer-overflow components/webdata/common/web_data_request_manager.cc:103:6 in WebDataRequestManager::CancelRequest(int)
Shadow bytes around the buggy address:
  0x0c0e80006e40: 00 00 00 00 00 00 fa fa fa fa 00 00 00 00 00 00
  0x0c0e80006e50: 00 00 00 00 fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0e80006e60: fd fd fa fa fa fa fd fd fd fd fd fd fd fd fd fd
  0x0c0e80006e70: fa fa fa fa fd fd fd fd fd fd fd fd fd fa fa fa
  0x0c0e80006e80: fa fa 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
=>0x0c0e80006e90: 00 00 00 00 00 00 00 00 00 00 fa fa fa[fa]00 00
  0x0c0e80006ea0: 00 00 00 00 00 00 00 fa fa fa fa fa fd fd fd fd
  0x0c0e80006eb0: fd fd fd fd fd fd fa fa fa fa fd fd fd fd fd fd
  0x0c0e80006ec0: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0e80006ed0: fd fd fa fa fa fa fd fd fd fd fd fd fd fd fd fd
  0x0c0e80006ee0: fa fa fa fa fd fd fd fd fd fd fd fd fd fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==116623==ABORTING
Jan 4 2017
Looks like a missing user profile is the issue in c#2. With --user-data-dir it doesn't crash:

ASAN_OPTIONS=redzone=16:symbolize=1:detect_stack_use_after_return=1:alloc_dealloc_mismatch=0:print_scariness=1:check_malloc_usable_size=0:max_uar_stack_size_log=16:use_sigaltstack=1:strict_memcmp=0:detect_container_overflow=1:coverage=0:detect_odr_violation=0:allocator_may_return_null=1:handle_segv=1:fast_unwind_on_fatal=0 asan-linux-release-428014/chrome -user-data-dir=$PWD/profile --js-flags="--expose-gc --verify-heap" ./fuzz-18-00e1a41da67c60b9bec19aeecc54068b2caebb3a.3gp
[117837:117852:0104/134714:ERROR:file_path_watcher_linux.cc(252)] inotify_init() failed: Too many open files
mmoroz@mmoroz0:~/sheriff/677970$
Jan 4 2017
However, is it ok to have heap-buffer-overflow when --user-data-dir is not specified? skuhne@, could you please take a look and help to triage that?
Jan 18 2017
ClusterFuzz has detected this issue as fixed in range 443972:443979.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4658112620658688
Fuzzer: ochang_media_mutator
Job Type: linux_asan_chrome_media
Platform Id: linux
Crash Type: Heap-double-free
Crash Address: 0x603000515440
Crash State:
  g_error_free
  g_error_free
Sanitizer: address (ASAN)
Recommended Security Severity: Medium
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=443972:443979
Minimized Testcase (0.15 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv97ogeQJ4ekTfs0is_w01UVcvLuGSnRztmrJ5_lZA83MldaDEZAjL-8cB484ule49bjYY97Bk1hgNPzRzh7zqfYpjKgaxutmxQ2UEM_PN3tDXWS2dKf_s0NCwj5jn53saIf_xRlDSv1G8YamJSEXD9CiKT0wUg?testcase_id=4658112620658688
Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 18 2017
ClusterFuzz testcase 4658112620658688 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Apr 26 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mmoroz@chromium.org, Jan 4 2017