malaykeshav, can you have a look at this?

I /believe/ this isn't exploitable as it can only happen when useMockTheme() is running for layout tests.

Likely regressing changelist: https://chromium.googlesource.com/chromium/src/+/b195fcd2e028db859a382323fad3c6910e3205c4

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/63903481bbfd5173416a223bf160fc106f62d1b7

commit 63903481bbfd5173416a223bf160fc106f62d1b7
Author: malaykeshav <malaykeshav@chromium.org>
Date: Thu Sep 22 23:08:20 2016

Security fix while computing dropdown menu arrow width

There is no clean way to set the size for the dropdown menu arrow dynamically
without causing security bugs. Since this is only for tests, using a fixed
width works with _most_ of the test cases while the rest have minor changes
that are acceptable for layout tests.

Context: https://codereview.chromium.org/2340633002

BUG= 649095 ,  649056 ,  649058 ,  649132 ,  640256 
COMPONENT=ThemePainterDefault, Menu List Arrow
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2

Review-Url: https://codereview.chromium.org/2359753003
Cr-Commit-Position: refs/heads/master@{#420492}

[modify] https://crrev.com/63903481bbfd5173416a223bf160fc106f62d1b7/third_party/WebKit/LayoutTests/TestExpectations
[modify] https://crrev.com/63903481bbfd5173416a223bf160fc106f62d1b7/third_party/WebKit/Source/core/paint/ThemePainterDefault.cpp

ClusterFuzz has detected this issue as fixed in range 420473:420516.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4586212667162624

Fuzzer: inferno_twister
Job Type: linux_ubsan_vptr_content_shell_drt
Platform Id: linux

Crash Type: Bad-cast
Crash Address: 0x05e72ee2c000
Crash State:
  Bad-cast to blink::LayoutBox from blink::LayoutInline
  blink::LayoutBox::firstChildBox
  blink::ThemePainterDefault::setupMenuListArrow
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=419848:419954
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=420473:420516

Minimized Testcase (0.10 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94SwB61tyXVQrXSDgXfVn6jKHBjGqbGhst_1OZhrIuCqC3wqfThpxaqekpA3o5fbGrgIwp-J5vKMc7ZeR5mwZOg0LWMd18T3UHuXKzmusV8SSYIJkIWCIlm3evqtYb4UtE24s8ERqQFO3uRM7S81c9C870x1A?testcase_id=4586212667162624
<style>#bug:not(*|div) {
    -webkit-appearance: menulist-button;
</style>
<p id=bug><a>h#y	Xs:8	3yI{Ho 9go


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot