|offset| arguments of Range interface should be unsigned
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5050838323298304

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address:
Crash State:
  blink::Range::checkNodeWOffset
  blink::Range::isPointInRange
  isPointInRangeMethod

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027

Minimized Testcase (0.79 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94upkjvUf3G38p13Vbb6fDVruZJN9uzs1VdEh-FR8oJCV-afqqOJFPhhpX2so-7FDtlKwn0QKrYTaWFCfekxw6kzQEHRrkpql-aEJS3BFVwJQjbysYDowec6Rj3E5qiockqWFyldjs1ztxOIbqn_T9OhxogMg?testcase_id=5050838323298304

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Oct 31 2016
Testcase:
<script>
window.fuzzervars = {};
function GetVariable(var_type) { if(window.fuzzervars[var_type]) { return window.fuzzervars[var_type][0]; } else { return null; }}
function SetVariable(var_name, var_type) { if(!window.fuzzervars[var_type]) window.fuzzervars[var_type] = []; window.fuzzervars[var_type].push(var_name); }
function jsfuzzer() {
/* Document*/ var var00009 = document;
SetVariable(var00009, 'Document'); SetVariable(var00009, 'Node');
var00042 = GetVariable('Document');
/* Selection*/ var var00131 = var00042.getSelection();
var00166 = GetVariable('Node');
var00131.setPosition(var00166);
/* Range*/ var var00182 = var00131.getRangeAt(0);
/* boolean*/ var var00283 = var00182.isPointInRange(htmlvar00015,2147483648); /* 2147483648 == 2^31, one past the largest WebIDL |long| */
}
</script>
<body onload=jsfuzzer()><menu id="htmlvar00015">
My CL isn't a culprit. The problem has existed for years, and my CL might make the testcase workable.
The right fix is to change |offset| arguments in Range.idl from |long| to |unsigned long|.
Nov 16 2016
Yes, it is also unsigned in https://dom.spec.whatwg.org/#interface-range. Seems to be straightforward, and since nobody has done it yet, I will do it.
Nov 22 2016

Nov 22 2016
To fix it properly, offsets in Range and Selection should be made unsigned.
Feb 9 2017

Feb 9 2017

Feb 21 2017

Feb 21 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/f5558c7534d4d34c0848d692432e7f0a919eb247

commit f5558c7534d4d34c0848d692432e7f0a919eb247
Author: tkent <tkent@chromium.org>
Date: Tue Feb 21 12:19:38 2017

Range: node offsets should be unsigned.

BUG=658716
Review-Url: https://codereview.chromium.org/2701413003
Cr-Commit-Position: refs/heads/master@{#451739}

[modify] https://crrev.com/f5558c7534d4d34c0848d692432e7f0a919eb247/third_party/WebKit/LayoutTests/editing/selection/extend-expected.txt
[modify] https://crrev.com/f5558c7534d4d34c0848d692432e7f0a919eb247/third_party/WebKit/LayoutTests/fast/text/selection-exceptions-expected.txt
[modify] https://crrev.com/f5558c7534d4d34c0848d692432e7f0a919eb247/third_party/WebKit/LayoutTests/fast/text/selection-exceptions.html
[modify] https://crrev.com/f5558c7534d4d34c0848d692432e7f0a919eb247/third_party/WebKit/Source/core/dom/NodeWithIndex.h
[modify] https://crrev.com/f5558c7534d4d34c0848d692432e7f0a919eb247/third_party/WebKit/Source/core/dom/Range.cpp
[modify] https://crrev.com/f5558c7534d4d34c0848d692432e7f0a919eb247/third_party/WebKit/Source/core/dom/Range.h
[modify] https://crrev.com/f5558c7534d4d34c0848d692432e7f0a919eb247/third_party/WebKit/Source/core/dom/Range.idl
[modify] https://crrev.com/f5558c7534d4d34c0848d692432e7f0a919eb247/third_party/WebKit/Source/core/dom/RangeBoundaryPoint.h
[modify] https://crrev.com/f5558c7534d4d34c0848d692432e7f0a919eb247/third_party/WebKit/Source/core/dom/RangeTest.cpp
[modify] https://crrev.com/f5558c7534d4d34c0848d692432e7f0a919eb247/third_party/WebKit/Source/core/dom/StaticRangeTest.cpp
[modify] https://crrev.com/f5558c7534d4d34c0848d692432e7f0a919eb247/third_party/WebKit/Source/core/editing/InputMethodControllerTest.cpp
[modify] https://crrev.com/f5558c7534d4d34c0848d692432e7f0a919eb247/third_party/WebKit/Source/core/editing/VisibleSelectionTest.cpp
[modify] https://crrev.com/f5558c7534d4d34c0848d692432e7f0a919eb247/third_party/WebKit/Source/core/editing/iterators/CharacterIteratorTest.cpp
[modify] https://crrev.com/f5558c7534d4d34c0848d692432e7f0a919eb247/third_party/WebKit/Source/web/tests/TextFinderTest.cpp
Feb 22 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/6031878959db66b36eedb04639f7124e1ab78d7c

commit 6031878959db66b36eedb04639f7124e1ab78d7c
Author: tkent <tkent@chromium.org>
Date: Wed Feb 22 08:31:59 2017

Range and Selection: Do not accept offsets larger than 2^31-1.

Our code can't handle such large offsets correctly at this moment.

BUG=391673, 658716
Review-Url: https://codereview.chromium.org/2707233002
Cr-Commit-Position: refs/heads/master@{#451931}

[modify] https://crrev.com/6031878959db66b36eedb04639f7124e1ab78d7c/third_party/WebKit/LayoutTests/fast/text/selection-exceptions-expected.txt
[modify] https://crrev.com/6031878959db66b36eedb04639f7124e1ab78d7c/third_party/WebKit/LayoutTests/fast/text/selection-exceptions.html
[modify] https://crrev.com/6031878959db66b36eedb04639f7124e1ab78d7c/third_party/WebKit/Source/core/dom/Range.cpp
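The two fixes above, as an added example that is not part of this bug or of Chromium's code: a Node-runnable model of what WebIDL hands to blink::Range::checkNodeWOffset when the testcase passes 2147483648 (2^31) and the offset parameter is declared |long| versus |unsigned long|, followed by the 2^31-1 cap the second commit adds. The function names, the RangeError thrown in place of the DOM's IndexSizeError, the illustrative signed decrement and the empty <menu> length are assumptions, not Blink's implementation.

```javascript
// Added example (not from the bug or from Chromium): models the WebIDL
// integer coercions that decide what Range::checkNodeWOffset receives when
// script passes 2147483648 (2^31), and the 2^31-1 cap the second fix adds.
// Function names and the thrown error type are assumptions.

// WebIDL `long` (ToInt32): reduce modulo 2^32, then map into [-2^31, 2^31-1].
function toLong(value) {
  return Number(value) | 0;
}

// WebIDL `unsigned long` (ToUint32): reduce modulo 2^32 into [0, 2^32-1].
function toUnsignedLong(value) {
  return Number(value) >>> 0;
}

// Upper bound the second commit enforces: "Do not accept offsets larger than 2^31-1".
const MAX_ACCEPTED_OFFSET = 2 ** 31 - 1; // 2147483647

// Pre-fix binding: the offset arrives as a C++ int. 2^31 becomes INT_MIN, so
// it is negative rather than "too large", and a signed decrement of it
// (illustrative, modelled with | 0 to mimic 32-bit wraparound) overflows.
function checkOffsetSigned(offset, nodeLength) {
  const o = toLong(offset);
  return {
    coerced: o,
    negative: o < 0,
    wrapsOnDecrement: ((o - 1) | 0) > o, // true only when o === INT_MIN
    beyondLength: o > nodeLength,        // false for INT_MIN: the length check misses it
  };
}

// Post-fix binding: the offset is an unsigned long, and anything above
// 2^31-1 is rejected before it reaches offset arithmetic. RangeError stands
// in for the DOM's IndexSizeError (assumption about the exception type).
function checkOffsetUnsigned(offset, nodeLength) {
  const o = toUnsignedLong(offset);
  if (o > MAX_ACCEPTED_OFFSET) {
    throw new RangeError(`IndexSizeError: offset ${o} is larger than 2^31-1`);
  }
  if (o > nodeLength) {
    throw new RangeError(`IndexSizeError: offset ${o} exceeds node length ${nodeLength}`);
  }
  return o;
}

// The testcase's call replayed against both models. A <menu> element with
// no children has length 0 (constructed input).
function replayTestcase(offset = 2147483648, menuLength = 0) {
  const before = checkOffsetSigned(offset, menuLength);
  let after;
  try {
    checkOffsetUnsigned(offset, menuLength);
    after = 'accepted';
  } catch (e) {
    after = e.message;
  }
  return { before, after };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(replayTestcase(), null, 2));
}
```

Run with `node` to see both outcomes side by side: under |long| the value 2147483648 reaches the checker as -2147483648, passes a greater-than-length test and wraps on the first signed decrement, which is the kind of arithmetic UBSan flags as Integer-overflow; under |unsigned long| plus the cap it is rejected before any arithmetic runs.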
Feb 22 2017
Feb 22 2017
ClusterFuzz has detected this issue as fixed in range 451738:451747.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5050838323298304

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address:
Crash State:
  blink::Range::checkNodeWOffset
  blink::Range::isPointInRange
  isPointInRangeMethod

Sanitizer: undefined (UBSAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=451738:451747

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94upkjvUf3G38p13Vbb6fDVruZJN9uzs1VdEh-FR8oJCV-afqqOJFPhhpX2so-7FDtlKwn0QKrYTaWFCfekxw6kzQEHRrkpql-aEJS3BFVwJQjbysYDowec6Rj3E5qiockqWFyldjs1ztxOIbqn_T9OhxogMg?testcase_id=5050838323298304

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by mummare...@chromium.org, Oct 28 2016
Labels: M-55 Te-Logged
Owner: tkent@chromium.org
Status: Assigned (was: Untriaged)