
Issue 749499

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Closed: Aug 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Android , Windows
Pri: 1
Type: Bug




Null-dereference READ in blink::LocalFrame::GetInterfaceProvider

Reported by ClusterFuzz (Project Member), Jul 27 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4848851357007872

Fuzzer: lcamtuf_cross_fuzz
Job Type: windows_asan_chrome_no_sandbox
Platform Id: windows

Crash Type: Null-dereference READ
Crash Address: 0x0000002c
Crash State:
  blink::LocalFrame::GetInterfaceProvider
  blink::ImageCapture::ImageCapture
  blink::ImageCapture::Create
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=486641:486689

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4848851357007872


Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Cc: msrchandra@chromium.org
Labels: M-62 Test-Predator-Wrong
Owner: rbyers@chromium.org
Status: Assigned (was: Untriaged)
Predator and CL did not provide any possible suspects.
Using Code Search for the file "LocalFrame.cpp", assigning to the concerned owner from git blame.

Suspecting Commit#
https://chromium.googlesource.com/chromium/src/+/64819bf38f1754e6677f2be17335a2b8f8103060

@rbyers -- Could you please look into the issue? Kindly re-assign if this is not related to your changes.
Thank You.

Comment 2 by rbyers@chromium.org, Jul 28 2017

Cc: mcasas@chromium.org
Owner: reillyg@chromium.org
It's likely the ImageCapture code that's most relevant here, assigning to one of the ImageCapture OWNERS.
Thanks. It is most likely that GetFrame() is returning nullptr here which means that the frame has been detached. I will look into whether this code is reachable in this state and what checks we need to add to ensure that we don't try to call GetInterfaceProvider() in this case.
It appears that CanvasCaptureMediaStreamTrack::CanvasCaptureMediaStreamTrack constructs a MediaStreamTrack (and in turn an ImageCapture) based on the ExecutionContext of the HTMLCanvasElement which may be from a detached frame so I will resolve this issue by adding the necessary checks before attempting to use the frame.
Status: Started (was: Assigned)
Basic fix out for review: https://chromium-review.googlesource.com/c/592649/
Components: Blink>ImageCapture
Comment 7 by ClusterFuzz (Project Member), Aug 1 2017

Labels: OS-Android
Comment 8 by bugdroid1@chromium.org (Project Member), Aug 2 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/88d43ade0a4fc555a46be1794abfafd8f4aec919

commit 88d43ade0a4fc555a46be1794abfafd8f4aec919
Author: Reilly Grant <reillyg@chromium.org>
Date: Wed Aug 02 02:32:12 2017

Check for detached frame when creating ImageCapture

An ImageCapture object may be created from an HTMLElement that is part
of a context that has already been destroyed. Check to see if the frame
has been detached before trying to access the interface provider.

Bug: 749499
Change-Id: I25838392413b218212fe2cb16a119d4379bea659
Reviewed-on: https://chromium-review.googlesource.com/592649
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Commit-Queue: Reilly Grant <reillyg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#491233}
[add] https://crrev.com/88d43ade0a4fc555a46be1794abfafd8f4aec919/third_party/WebKit/LayoutTests/imagecapture/detached-HTMLCanvasElement.html
[modify] https://crrev.com/88d43ade0a4fc555a46be1794abfafd8f4aec919/third_party/WebKit/Source/modules/imagecapture/ImageCapture.cpp
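An added illustrative C++ model, not Blink's code, of the root cause described in the comments above and in the commit message: an ImageCapture constructed from an execution context whose frame has already been detached. All types here (InterfaceProvider, LocalFrame, ExecutionContext, ImageCapture) are simplified stand-ins; the unchecked factory shows the crashing pattern, the checked one the shape of the fix.

```cpp
#include <memory>
#include <string>
// Illustrative model, not Blink's code. A frame owns the interface provider
// that ImageCapture needs; detaching the frame destroys it outright.
struct InterfaceProvider { std::string name; };
struct LocalFrame {
  InterfaceProvider provider{"frame-interface-provider"};
  InterfaceProvider* GetInterfaceProvider() { return &provider; }
};

// The execution context (document) outlives its frame: after the frame is
// detached, GetFrame() returns nullptr but the context is still reachable.
struct ExecutionContext {
  std::unique_ptr<LocalFrame> frame = std::make_unique<LocalFrame>();
  LocalFrame* GetFrame() const { return frame.get(); }
  void DetachFrame() { frame.reset(); }
};

class ImageCapture {
 public:
  // Before the fix: the constructor trusts GetFrame() and dereferences it.
  // With a detached frame this is a read through nullptr (the crash state).
  static std::unique_ptr<ImageCapture> CreateUnchecked(ExecutionContext* ctx) {
    return std::unique_ptr<ImageCapture>(
        new ImageCapture(ctx->GetFrame()->GetInterfaceProvider()));
  }

  // After the fix: refuse to construct when the frame is already detached,
  // so no code path ever asks a null frame for its interface provider.
  static std::unique_ptr<ImageCapture> Create(ExecutionContext* ctx) {
    LocalFrame* frame = ctx->GetFrame();
    if (!frame)
      return nullptr;  // detached: caller gets nothing rather than a crash
    return std::unique_ptr<ImageCapture>(
        new ImageCapture(frame->GetInterfaceProvider()));
  }

  const std::string& ProviderName() const { return provider_->name; }
 private:
  explicit ImageCapture(InterfaceProvider* provider) : provider_(provider) {}
  InterfaceProvider* provider_;
};

// Exercises the fixed path on a context whose frame was detached first,
// the scenario (canvas element in a detached frame) described above.
bool DetachedContextYieldsNoCapture() {
  ExecutionContext ctx;
  ctx.DetachFrame();
  return ImageCapture::Create(&ctx) == nullptr;
}
```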

Comment 9 by ClusterFuzz (Project Member), Aug 2 2017

ClusterFuzz has detected this issue as fixed in range 491211:491244.

Detailed report: https://clusterfuzz.com/testcase?key=4848851357007872

Fuzzer: lcamtuf_cross_fuzz
Job Type: windows_asan_chrome_no_sandbox
Platform Id: windows

Crash Type: Null-dereference READ
Crash Address: 0x0000002c
Crash State:
  blink::LocalFrame::GetInterfaceProvider
  blink::ImageCapture::ImageCapture
  blink::ImageCapture::Create
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=486641:486689
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=491211:491244

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4848851357007872


See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 10 by ClusterFuzz (Project Member), Aug 2 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Started)
ClusterFuzz testcase 4848851357007872 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
