ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5314343278477312

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5808830782111744

This sounds similar to Issue 646671

dcheng@ -- do you want to take a stab at this or help find the owner?
thestig@ -- your CL touched that line last: http://crrev.com/2508923003

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5314343278477312

Job Type: linux_asan_chrome_mp
Crash Type: Heap-use-after-free READ 8
Crash Address: 0x61a00009fc88
Crash State:
  PrintPreviewHandler::HandleGetPreview
  content::WebUIImpl::ProcessWebUIMessage
  bool IPC::MessageT<ViewHostMsg_WebUISend_Meta, std::__1::tuple<GURL, std::__1::b
  
Sanitizer: address (ASAN)

Recommended Security Severity: Critical

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv978LCtynPSNHrJmwFLvN_iGTF0JhMNfDZcyecn9cXI8_1-ecgLZjKkHFu8qrc7xjFTY-pFUAQY_sCo6BarVQ_tGKLW_4VseqH4IyMPyGfbsDozSprLVCM8kxFo27xGLETnb0J3uIH9x0MmrreJWa3I7iRZ2MSbFnF6x3Mdriykete3VNE0xWZZG2ptD08p0d12r0MxKZ_ODhpeKfXVGmr47u_zC4f1ZC0AIKzQEi9ERMvobSqQ1tcUyykaUSylA_cIrJQffRlyYUcGUGZZ6cLdhtmMWJFdRgT01o65lkXkUQfn1RmMWNNSw5MMxYcAbSi2kwKJW1BzYKRUbqMrcsB6ziIvRvseit6amcUt_K_ewoNCrOuo?testcase_id=5314343278477312


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

A recommended severity was added to this bug. Please change the severity if it is inaccurate.

This looks like  bug 694382 , actually.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/746da1cc6b2fbc2f725934542eedc49b41e5f17b

commit 746da1cc6b2fbc2f725934542eedc49b41e5f17b
Author: thestig <thestig@chromium.org>
Date: Thu Mar 16 06:18:21 2017

Properly clean up in PrintViewManager::RenderFrameCreated().

BUG= 694382 , 698622 

Review-Url: https://codereview.chromium.org/2742853003
Cr-Commit-Position: refs/heads/master@{#457363}

[modify] https://crrev.com/746da1cc6b2fbc2f725934542eedc49b41e5f17b/chrome/browser/printing/print_view_manager.cc
[add] https://crrev.com/746da1cc6b2fbc2f725934542eedc49b41e5f17b/chrome/browser/printing/print_view_manager_unittest.cc
[modify] https://crrev.com/746da1cc6b2fbc2f725934542eedc49b41e5f17b/chrome/test/BUILD.gn

Note for release managers: This bug also causes  issue 702085 , where users of the PDF Viewer extension will have all navigations and network requests fail if they click Back while the extension's print preview dialog is open (until Chrome restarts or the extension process is killed or restarted).  I assume it will be merged anyway due to the critical severity (which thestig@ confirmed), but I just wanted to note the additional impact in case it affects respin decisions.

Your change meets the bar and is auto-approved for M58. Please go ahead and merge the CL to branch 3029 manually. Please contact milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

M58 merge from last week: https://chromium.googlesource.com/chromium/src/+/23107311dcb2bc1ecfa1c0fbe63f5f210c154049

I haven't seen any bug reports related to the merge on M58+, so requesting a M57 merge.

+awhalley@ for M57 merge review.

govind@ - got 3 days of beta coverage from #17, looks good for 57

Approving merge to M57 branch 2987 based on comment #12, #19 and #22. Please merge before 4:00 PM PT Monday (03/27). Thank you.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/8839f8f3d22dc169ede6edad06d75735dbf3c34a

commit 8839f8f3d22dc169ede6edad06d75735dbf3c34a
Author: Lei Zhang <thestig@chromium.org>
Date: Mon Mar 27 03:40:04 2017

M57: Properly clean up in PrintViewManager::RenderFrameCreated().

BUG= 694382 , 698622 

Review-Url: https://codereview.chromium.org/2742853003
Cr-Commit-Position: refs/heads/master@{#457363}
(cherry picked from commit 746da1cc6b2fbc2f725934542eedc49b41e5f17b)

Review-Url: https://codereview.chromium.org/2775133002 .
Cr-Commit-Position: refs/branch-heads/2987@{#881}
Cr-Branched-From: ad51088c0e8776e8dcd963dbe752c4035ba6dab6-refs/heads/master@{#444943}

[modify] https://crrev.com/8839f8f3d22dc169ede6edad06d75735dbf3c34a/chrome/browser/printing/print_view_manager.cc
[add] https://crrev.com/8839f8f3d22dc169ede6edad06d75735dbf3c34a/chrome/browser/printing/print_view_manager_unittest.cc
[modify] https://crrev.com/8839f8f3d22dc169ede6edad06d75735dbf3c34a/chrome/test/BUILD.gn

Verified the issue on Win 10 and Ubuntu 14.04 using 58.0.3029.40 & 57.0.2987.130 and its working fine.

Deleted: 698622_Mar_28.ogv 783 KB

	698622_Mar_28.ogv 783 KB View Download

Very nice!  The panel decided to award $8,000 for this bug, and also award a $1,337 bonus! (though they noted the initial report was rather bare - see g.co/ChromeBugRewards for what we consider a high quality report).  Thanks!

Thanks for the award and thanks for the bonus :)

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot