Heap-use-after-free in printing::PrintWebViewHelper::RenderPageContent
Reported by
chromium...@gmail.com,
Apr 2 2017
Issue description
Chrome Version: 59.0.3059.0 canary + stable
Operating System: Windows 7
Stack traces WinDBG:
00000000`0026cce0 000007fe`ee94702f chrome_child!printing::PrintWebViewHelper::PrintPageInternal+0x20a [c:\b\build\slave\win64-pgo\build\src\components\printing\renderer\print_web_view_helper.cc @ 1917]
00000000`0026cdd0 000007fe`ee944382 chrome_child!printing::PrintWebViewHelper::RenderPreviewPage+0xc3 [c:\b\build\slave\win64-pgo\build\src\components\printing\renderer\print_web_view_helper.cc @ 1337]
00000000`0026cf10 000007fe`ee94575e chrome_child!printing::PrintWebViewHelper::CreatePreviewDocument+0x326 [c:\b\build\slave\win64-pgo\build\src\components\printing\renderer\print_web_view_helper.cc @ 1293]
00000000`0026d030 000007fe`ee943e26 chrome_child!printing::PrintWebViewHelper::OnFramePreparedForPreviewDocument+0x1e [c:\b\build\slave\win64-pgo\build\src\components\printing\renderer\print_web_view_helper.cc @ 1216]
00000000`0026d060 000007fe`ee945fdd chrome_child!printing::PrepareFrameAndViewForPrint::CopySelectionIfNeeded+0x3e [c:\b\build\slave\win64-pgo\build\src\components\printing\renderer\print_web_view_helper.cc @ 793]
00000000`0026d090 000007fe`ee945d06 chrome_child!printing::PrintWebViewHelper::PrepareFrameForPreviewDocument+0x109 [c:\b\build\slave\win64-pgo\build\src\components\printing\renderer\print_web_view_helper.cc @ 1205]
00000000`0026d0f0 000007fe`ee942bb9 chrome_child!printing::PrintWebViewHelper::OnPrintPreview+0x1d6 [c:\b\build\slave\win64-pgo\build\src\components\printing\renderer\print_web_view_helper.cc @ 1184]
00000000`0026d190 000007fe`ed6cd216 chrome_child!IPC::MessageT<PrintMsg_PrintPreview_Meta,std::tuple<base::DictionaryValue>,void>::Dispatch<printing::PrintWebViewHelper,printing::PrintWebViewHelper,void,void (__cdecl printing::PrintWebViewHelper::*)(base::DictionaryValue const & __ptr64) __ptr64>+0xbd [c:\b\build\slave\win64-pgo\build\src\ipc\ipc_message_templates.h @ 121]
00000000`0026d260 000007fe`ecc39791 chrome_child!printing::PrintWebViewHelper::OnMessageReceived+0x58f202 [c:\b\build\slave\win64-pgo\build\src\components\printing\renderer\print_web_view_helper.cc @ 1005]
00000000`0026d300 000007fe`ecc380aa chrome_child!content::RenderFrameImpl::OnMessageReceived+0x101 [c:\b\build\slave\win64-pgo\build\src\content\renderer\render_frame_impl.cc @ 1492]
00000000`0026d4b0 000007fe`ecc37f88 chrome_child!content::ChildThreadImpl::OnMessageReceived+0xaa [c:\b\build\slave\win64-pgo\build\src\content\child\child_thread_impl.cc @ 751]
00000000`0026d540 000007fe`ecadd5bb chrome_child!IPC::ChannelProxy::Context::OnDispatchMessage+0x28 [c:\b\build\slave\win64-pgo\build\src\ipc\ipc_channel_proxy.cc @ 330]
00000000`0026d570 000007fe`ecae0625 chrome_child!base::debug::TaskAnnotator::RunTask+0x1eb [c:\b\build\slave\win64-pgo\build\src\base\debug\task_annotator.cc @ 52]
00000000`0026d6d0 000007fe`ecada466 chrome_child!blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue+0x269 [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\platform\scheduler\base\task_queue_manager.cc @ 380]
00000000`0026d960 000007fe`ed0bde77 chrome_child!blink::scheduler::TaskQueueManager::DoWork+0xfe [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\platform\scheduler\base\task_queue_manager.cc @ 245]
00000000`0026dad0 000007fe`ecadd5bb chrome_child!base::internal::Invoker<base::internal::BindState<void (__cdecl blink::scheduler::TaskQueueManager::*)(base::TimeTicks,bool) __ptr64,base::WeakPtr<blink::scheduler::TaskQueueManager>,base::TimeTicks,bool>,void __cdecl(void)>::Run+0x4f [c:\b\build\slave\win64-pgo\build\src\base\bind_internal.h @ 343]
00000000`0026db10 000007fe`ecae0194 chrome_child!base::debug::TaskAnnotator::RunTask+0x1eb [c:\b\build\slave\win64-pgo\build\src\base\debug\task_annotator.cc @ 52]
00000000`0026dc70 000007fe`ecaddb20 chrome_child!base::MessageLoop::RunTask+0xb8 [c:\b\build\slave\win64-pgo\build\src\base\message_loop\message_loop.cc @ 422]
00000000`0026dd90 000007fe`ecadc37f chrome_child!base::MessageLoop::DoWork+0x194 [c:\b\build\slave\win64-pgo\build\src\base\message_loop\message_loop.cc @ 523]
Apr 3 2017
Apr 3 2017
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Apr 3 2017
Crash/e9b6438ee0000000.
Apr 4 2017
Apr 7 2017
Actually, it's print preview's fault. Repros on Linux too.
Apr 7 2017
Detailed report: https://clusterfuzz.com/testcase?key=6319911212417024
Job Type: mac_asan_chrome
Crash Type: Heap-use-after-free READ 8
Crash Address: 0x6130000c1570
Crash State:
  printing::PrintWebViewHelper::RenderPageContent
  printing::PrintWebViewHelper::RenderPage
  printing::PrintWebViewHelper::RenderPreviewPage
Sanitizer: address (ASAN)
Recommended Security Severity: High
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv95ecus9z4ljcDVcpOf94a8rs7ijeTwYmfhyz-_AGWwufEw7Yyx0SdGpyC0OSiNsfrky8eSlFwNJSI-KxzdQitn4LkVBdEhADleE-4k4c2c0BVxbhAZ_xkugEbjTKem5fDl7LsW0OKtAnv9UUgfc0aW8CYh3XVYE_ODaHHyEHKlPyu6TTd8lxELMxuZYjyZ6gNrVv4ScMvyDy9NTcHTj8OnpQJL-Nd56CmCykLx4QhdexK3LApEpOAYfhoEGWHT8Lgvqa2LxxcIFXEwzmXb6UPUk0UQOjfpYUGDNF_xvVoMj6vOypRAtvKA4YwZAl-XiW579ES8A0knnHlYd7csJVbd2CNd3I9NxhbYkN5M4nSDYm3mA-E4?testcase_id=6319911212417024
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Apr 7 2017
Detailed report: https://clusterfuzz.com/testcase?key=6319911212417024
Job Type: mac_asan_chrome
Crash Type: Heap-use-after-free READ 8
Crash Address: 0x6130000b33b0
Crash State:
  printing::PrintWebViewHelper::RenderPageContent
  printing::PrintWebViewHelper::RenderPage
  printing::PrintWebViewHelper::RenderPreviewPage
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=455700:456019
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv94Rs2NLvzXotzI3yVs90kRYp5pruZNlsE4BPt52-U5CrDXoi1bVQapZ3SvorAsKsy7Fi0L4ouCcxxKV5WsF4WWBkDLR2PjxRqmT264ATBdAYvAAn6xyEQiS9tglKuwyTGnjE-q_8XKIQCbbCsS4G-u4pWdV2Q-XqlgUC1u7GOdBF9SNibceHyHdEK2la7O2TcCTYZXpzSfmG7PLjQryM-NLOXwGrrdwhT1k_IQN5XsVEodkEUlyNZ763EazMuweBBEClsq4Kr5HHtmhTvYfVejuIxJP1ih5atdAk5xCA4J8mvPeli-4wyfB-L94pnF2CtQnCf-XR_M583tDD5reH3xdr7KHbvwvSdvp7bIeZbhOqLBG7fJcfnmjzFpD3UBDj7OcFm2s-XAdZHbaTyLbXwB3QV2YKg?testcase_id=6319911212417024
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Apr 7 2017
+enne@ per the clusterfuzz regression guess:
Author: enne
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/d2501577f2df0764eda66614ddf429e230062562
Time: Thu Mar 09 19:59:17 2017
File pdf_metafile_skia.cc is changed in this cl (and is part of stack frame #5, "printing::PdfMetafileSkia::~PdfMetafileSkia"; frame #6, "~PdfMetafileSkia"; frame #7, "printing::PdfMetafileSkia::~PdfMetafileSkia")
File pdf_metafile_skia.cc is changed in this cl (and is part of stack frame #1, "PdfMetafileSkia"; frame #2, "printing::PdfMetafileSkia::PdfMetafileSkia")
Minimum distance from crash line to modified line: 53. (file: pdf_metafile_skia.cc, crashed on: 150, modified: 203).
Apr 8 2017
Before r455840, the UAF still exists, just with a slightly different call stack. CF is probably confused by that.
Apr 8 2017
Looking back, when PrintWebViewHelper was still a RenderViewObserver, this test case would have caused a NULL-dereference because some WebFrame pointer was NULL. Trying to fix that would result in a blank print preview. However, there would have been a renderer UAF eventually on shutdown if the older code avoided the NULL deref.
Apr 20 2017
Apr 22 2017
thestig: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Apr 25 2017
A friendly reminder that M59 Beta launch is coming soon! Your bug is labelled as Release Block Beta. All fixes need to be merged into the release branch (3071) latest by tomorrow, 04/26 4:00 PM PT in order to make into the desktop Beta final build cut. Thank you!
Apr 26 2017
Punting to stable.
Apr 27 2017
Apr 28 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/9c0e322c8de168b121cd6ae8cba92cd3214e5b1f

commit 9c0e322c8de168b121cd6ae8cba92cd3214e5b1f
Author: thestig <thestig@chromium.org>
Date: Fri Apr 28 01:45:05 2017

Defer deletion in PrintWebViewHelper while handling IPC messages.

Also calculate modifiability only once in PrintPreviewContext.

This does less repeated work, and prevents accessing frames after their deletion.

BUG= 707549
Review-Url: https://codereview.chromium.org/2849483002
Cr-Commit-Position: refs/heads/master@{#467810}

[modify] https://crrev.com/9c0e322c8de168b121cd6ae8cba92cd3214e5b1f/components/printing/renderer/print_web_view_helper.cc
[modify] https://crrev.com/9c0e322c8de168b121cd6ae8cba92cd3214e5b1f/components/printing/renderer/print_web_view_helper.h
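The "defer deletion while handling IPC messages" idea named in the fix commit, as an added C++ sketch that is not Chromium's code: a helper that is asked to delete itself re-entrantly from inside its own message handler records the request and carries it out only after the handler returns. The class, member and message names are hypothetical.

```cpp
#include <string>

// Added sketch of the "defer deletion while handling IPC messages" idea from the
// fix commit; not Chromium's code, and every name here is hypothetical.
static int g_live = 0;                       // helpers currently alive
static bool g_alive_after_request = false;   // helper still valid after a mid-handler delete request?

class PrintHelper {
 public:
  PrintHelper() { ++g_live; }
  ~PrintHelper() { --g_live; }
  // IPC entry point: a delete requested while a message is in flight is only
  // recorded, and carried out once the outermost handler has returned.
  void OnMessageReceived(const std::string& msg) {
    ++ipc_depth_;
    HandleMessage(msg);
    if (--ipc_depth_ == 0 && delete_pending_) delete this;
  }
  // Frame teardown notification: delete now if idle, otherwise defer.
  void OnDestruct() {
    if (ipc_depth_ > 0) { delete_pending_ = true; return; }
    delete this;
  }

 private:
  void HandleMessage(const std::string& msg) {
    // Print preview could tear down the frame, and with it this helper,
    // re-entrantly while the message was still being handled; simulate that.
    if (msg == "PrintPreview") OnDestruct();
    // Members are still read after that point: valid with deferral, a
    // use-after-free without it.
    g_alive_after_request = (g_live == 1 && ipc_depth_ == 1);
  }
  int ipc_depth_ = 0;
  bool delete_pending_ = false;
};

// Runs one message through a fresh helper. Returns true when the helper
// outlived the handler and was deleted only after OnMessageReceived returned.
bool DeletionDeferredUntilHandlerReturns() {
  g_live = 0;
  g_alive_after_request = false;
  PrintHelper* helper = new PrintHelper();
  helper->OnMessageReceived("PrintPreview");  // deletes helper on return
  return g_alive_after_request && g_live == 0;
}
```

Built with AddressSanitizer, removing the deferral (deleting immediately in OnDestruct) turns the member read in HandleMessage into the same heap-use-after-free class the report describes.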
Apr 28 2017
ClusterFuzz has detected this issue as fixed in range 467799:467817.
Detailed report: https://clusterfuzz.com/testcase?key=6319911212417024
Job Type: mac_asan_chrome
Crash Type: Heap-use-after-free READ 8
Crash Address: 0x6130000b33b0
Crash State:
  printing::PrintWebViewHelper::RenderPageContent
  printing::PrintWebViewHelper::RenderPage
  printing::PrintWebViewHelper::RenderPreviewPage
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=455700:456019
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=467799:467817
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6319911212417024
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Apr 28 2017
ClusterFuzz testcase 6319911212417024 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Apr 28 2017
Apr 28 2017
Let's try for a M59 merge next week.
Apr 28 2017
Lei, could you please take a look at bug 716474 ?
Apr 30 2017
Apr 30 2017
Your change meets the bar and is auto-approved for M59. Please go ahead and merge the CL to branch 3071 manually. Please contact milestone owner if you have questions. Owners: amineer@(Android), cmasso@(iOS), gkihumba@(ChromeOS), Abdul Syed@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
May 1 2017
May 3 2017
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
May 3 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/b6b5a52b378f25b3d7c917c119c1da28c4c2900b

commit b6b5a52b378f25b3d7c917c119c1da28c4c2900b
Author: Lei Zhang <thestig@chromium.org>
Date: Wed May 03 22:54:35 2017

M59: Defer deletion in PrintWebViewHelper while handling IPC messages.

Also calculate modifiability only once in PrintPreviewContext.

This does less repeated work, and prevents accessing frames after their deletion.

BUG= 707549
Review-Url: https://codereview.chromium.org/2849483002
Cr-Commit-Position: refs/heads/master@{#467810}
(cherry picked from commit 9c0e322c8de168b121cd6ae8cba92cd3214e5b1f)

Review-Url: https://codereview.chromium.org/2857313002 .
Cr-Commit-Position: refs/branch-heads/3071@{#385}
Cr-Branched-From: a106f0abbf69dad349d4aaf4bcc4f5d376dd2377-refs/heads/master@{#464641}

[modify] https://crrev.com/b6b5a52b378f25b3d7c917c119c1da28c4c2900b/components/printing/renderer/print_web_view_helper.cc
[modify] https://crrev.com/b6b5a52b378f25b3d7c917c119c1da28c4c2900b/components/printing/renderer/print_web_view_helper.h
May 5 2017
May 5 2017
May 5 2017
Very nice! The panel decided to award $3,000 for this bug :-)
May 5 2017
May 26 2017
Issue 726680 has been merged into this issue.
Aug 4 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by dominickn@chromium.org, Apr 3 2017
Labels: Security_Severity-High Security_Impact-Head OS-Windows Pri-1
Owner: thestig@chromium.org
Status: Assigned (was: Unconfirmed)