Add sanity checks to PrintingMessageFilter::OnUpdatePrintSettings().

OnUpdatePrintSettings() handles an IPC message with a base::Value. Bad
base::Value inputs can trigger crashes, as found by the ipc_fuzzer. Add
some sanity checks to prevent one such crash.

Bug: 1013764
Change-Id: I41bdece8766152065808c55260ec1e9884cc4673
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2154367Reviewed-by: Rebekah Potter <rbpotter@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
Cr-Commit-Position: refs/heads/master@{#760237}

chrome/browser/printing/printing_message_filter.cc

@@ -139,7 +139,7 @@ bool PrintingMessageFilter::OnMessageReceived(const IPC::Message& message) {
 void PrintingMessageFilter::OnGetDefaultPrintSettings(IPC::Message* reply_msg) {
   DCHECK_CURRENTLY_ON(BrowserThread::IO);
   if (!is_printing_enabled_.GetValue()) {
-    // Reply with NULL query.
+    // Reply with null query.
     OnGetDefaultPrintSettingsReply(nullptr, reply_msg);
     return;
   }
@@ -229,10 +229,18 @@ void PrintingMessageFilter::OnUpdatePrintSettings(int document_cookie,
                                                   base::Value job_settings,
                                                   IPC::Message* reply_msg) {
   if (!is_printing_enabled_.GetValue()) {
-    // Reply with NULL query.
+    // Reply with null query.
     OnUpdatePrintSettingsReply(nullptr, reply_msg);
     return;
   }
+
+  if (!job_settings.is_dict() ||
+      !job_settings.FindIntKey(kSettingPrinterType)) {
+    // Reply with null query.
+    OnUpdatePrintSettingsReply(nullptr, reply_msg);
+    return;
+  }
+
   std::unique_ptr<PrinterQuery> printer_query =
       queue_->PopPrinterQuery(document_cookie);
   if (!printer_query) {