Fix move group to new window context menu UAF

Fixes a bug where clicking the "Move group to new window" button in the
Saved Tab Group button context menu would cause a use after free,
causing the browser to crash.

Change-Id: I4a71f911dde126ba57d6f9f81d65d5adf43177d0
Bug: 1424995
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4345092
Reviewed-by: Taylor Bergquist <tbergquist@chromium.org>
Commit-Queue: Darryl James <dljames@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1118246}

chrome/browser/ui/views/bookmarks/saved_tab_groups/saved_tab_group_button.cc

@@ -9,6 +9,7 @@
 #include <vector>
 
 #include "base/check.h"
+#include "base/cxx20_to_address.h"
 #include "base/functional/bind.h"
 #include "base/functional/callback_forward.h"
 #include "chrome/app/vector_icons/vector_icons.h"
@@ -273,12 +274,21 @@ void SavedTabGroupButton::TabMenuItemPressed(const GURL& url, int event_flags) {
 }
 
 void SavedTabGroupButton::MoveGroupToNewWindowPressed(int event_flags) {
-  if (!local_group_id_.has_value()) {
-    service_->OpenSavedTabGroupInBrowser(base::to_address(browser_), guid_);
+  Browser* browser = nullptr;
+
+  if (local_group_id_.has_value()) {
+    // Find the browser which contains `local_group_id_` if it is open already.
+    browser =
+        service_->listener()->GetBrowserWithTabGroupId(local_group_id_.value());
+  } else {
+    // Open the group in the current browser if it is closed.
+    browser = base::to_address(browser_);
+    service_->OpenSavedTabGroupInBrowser(browser, guid_);
   }
 
+  // Move the open group to a new browser window.
   const SavedTabGroup* group = service_->model()->Get(guid_);
-  browser_->tab_strip_model()->delegate()->MoveGroupToNewWindow(
+  browser->tab_strip_model()->delegate()->MoveGroupToNewWindow(
       group->local_group_id().value());
 }