malaykeshav, can you have a look at this?

I /believe/ this isn't exploitable as it can only happen when useMockTheme() is running for layout tests.

Likely regressing changelist: https://chromium.googlesource.com/chromium/src/+/b195fcd2e028db859a382323fad3c6910e3205c4

This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/63903481bbfd5173416a223bf160fc106f62d1b7

commit 63903481bbfd5173416a223bf160fc106f62d1b7
Author: malaykeshav <malaykeshav@chromium.org>
Date: Thu Sep 22 23:08:20 2016

Security fix while computing dropdown menu arrow width

There is no clean way to set the size for the dropdown menu arrow dynamically
without causing security bugs. Since this is only for tests, using a fixed
width works with _most_ of the test cases while the rest have minor changes
that are acceptable for layout tests.

Context: https://codereview.chromium.org/2340633002

BUG= 649095 ,  649056 ,  649058 ,  649132 ,  640256 
COMPONENT=ThemePainterDefault, Menu List Arrow
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2

Review-Url: https://codereview.chromium.org/2359753003
Cr-Commit-Position: refs/heads/master@{#420492}

[modify] https://crrev.com/63903481bbfd5173416a223bf160fc106f62d1b7/third_party/WebKit/LayoutTests/TestExpectations
[modify] https://crrev.com/63903481bbfd5173416a223bf160fc106f62d1b7/third_party/WebKit/Source/core/paint/ThemePainterDefault.cpp

ClusterFuzz has detected this issue as fixed in range 420473:420516.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5522512559734784

Fuzzer: bj_broddelwerk
Job Type: linux_msan_content_shell_drt
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  blink::BoxPainter::paint
  blink::SVGRootPainter::paintReplaced
  blink::LayoutSVGRoot::paintReplaced
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_content_shell_drt&range=419848:419954
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_content_shell_drt&range=420473:420516

Minimized Testcase (0.07 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97466TVIoe3PkPnmSdgUaFo2hv9JBK8QGI8iMJZxMwlc-ED9xRY4Ofr_mgM5dLlCEGr0LMvlUOZA3U-A_CNzE6Wa-AUyVBQLn9cxFxqTZsRjpmWjWn4bL1FKhIDNjTLR4jB_nnyoE4aWJk_IuTfOgnO0ImE1g?testcase_id=5522512559734784
<svg>
<g>
<style>
*{image-rendering:nonzero;-webkit-appearance:menulist;


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot