Fix heap use-after-free in PrintingMessageFilter

chrome/browser/printing/printing_message_filter.h

Index: chrome/browser/printing/printing_message_filter.h
diff --git a/chrome/browser/printing/printing_message_filter.h b/chrome/browser/printing/printing_message_filter.h
index 86651d47f3407867923a3c68b17f752da65bb045..3931928eec7df811fbd0f3ee44458d0c3fd23c27 100644
--- a/chrome/browser/printing/printing_message_filter.h
+++ b/chrome/browser/printing/printing_message_filter.h
@@ -12,6 +12,7 @@
 
 #include "base/macros.h"
 #include "build/build_config.h"
+#include "components/keyed_service/core/keyed_service_shutdown_notifier.h"
 #include "components/prefs/pref_member.h"
 #include "content/public/browser/browser_message_filter.h"
 #include "printing/features/features.h"
@@ -40,11 +41,19 @@ class PrintingMessageFilter : public content::BrowserMessageFilter {
   // content::BrowserMessageFilter methods.
   void OverrideThreadForMessage(const IPC::Message& message,
                                 content::BrowserThread::ID* thread) override;
+
   bool OnMessageReceived(const IPC::Message& message) override;
 
  private:
+  friend class base::DeleteHelper<PrintingMessageFilter>;
+  friend class content::BrowserThread;
+
   ~PrintingMessageFilter() override;
 
+  void OnDestruct() const override;
+
+  void ShutdownOnUIThread();
+
 #if defined(OS_ANDROID)
   // Used to ask the browser allocate a temporary file for the renderer
   // to fill in resulting PDF in renderer.
@@ -87,8 +96,10 @@ class PrintingMessageFilter : public content::BrowserMessageFilter {
                         bool* cancel);
 #endif
 
-  std::unique_ptr<BooleanPrefMember, content::BrowserThread::DeleteOnUIThread>
-      is_printing_enabled_;
+  std::unique_ptr<KeyedServiceShutdownNotifier::Subscription>
+      printing_shutdown_notifier_;
+
+  BooleanPrefMember is_printing_enabled_;
 
   const int render_process_id_;