
Issue 688306


Issue metadata

Status: Duplicate
Merged: issue 688303
Closed: Feb 2017
OS: Linux
Pri: 1
Type: Bug




i < size() in Vector.h

Reported by ClusterFuzz (Project Member), Feb 3 2017

Issue description

Comment 1 by tkent@chromium.org, Feb 3 2017

Components: Blink>CSS
Cc: msrchandra@chromium.org
Labels: Test-Predator-Wrong
Owner: f...@opera.com
Status: Assigned (was: Untriaged)
Predator and CL did not provide any possible suspects.
Using Code Search for the file "blink::CSSValueList::item", assigning to the concerned owner.
Suspecting commit:
https://chromium.googlesource.com/chromium/src/+/db478183363dad5b460070122b991a8302a1f98a

@fs -- Could you please look into the issue, and kindly re-assign if this is not related to your changes.
Thank you.
Comment 3 by bugdroid1@chromium.org (Project Member), Feb 8 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d3173fb3e213e658abf34667f130b55b6baac395

commit d3173fb3e213e658abf34667f130b55b6baac395
Author: fs <fs@opera.com>
Date: Wed Feb 08 14:54:59 2017

SVGTransformList.consolidate() should return null on an empty list

SVGTransformList.consolidate() returns an SVGTransform with type
"unknown", which is an invalid object that other parts of the code
couldn't cope with. The specification:

 https://svgwg.org/svg2-draft/coords.html#__svg__SVGTransformList__consolidate

says that 'null' should be returned in this case though, so do that
instead.

Rewrite svg/dom/SVGTransformList-empty-list-consolidation.html to
actually assert this part of the contract, and also convert it to use
testharness.js while at it.

BUG=688306,688303

Review-Url: https://codereview.chromium.org/2681803004
Cr-Commit-Position: refs/heads/master@{#448994}

[delete] https://crrev.com/e398e7fd334c08a2cfb805b25b0792fb15e674d3/third_party/WebKit/LayoutTests/svg/dom/SVGTransformList-empty-list-consolidation-expected.txt
[modify] https://crrev.com/d3173fb3e213e658abf34667f130b55b6baac395/third_party/WebKit/LayoutTests/svg/dom/SVGTransformList-empty-list-consolidation.html
[add] https://crrev.com/d3173fb3e213e658abf34667f130b55b6baac395/third_party/WebKit/LayoutTests/svg/dom/svgtransformlist-empty-consolidate-and-initialize-crash-expected.txt
[add] https://crrev.com/d3173fb3e213e658abf34667f130b55b6baac395/third_party/WebKit/LayoutTests/svg/dom/svgtransformlist-empty-consolidate-and-initialize-crash.html
[modify] https://crrev.com/d3173fb3e213e658abf34667f130b55b6baac395/third_party/WebKit/Source/core/svg/SVGTransformList.cpp

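The contract the commit message above describes (consolidate() returns null on an empty list, otherwise a single matrix transform) as an added example; this is not code from the Chromium change or from the layout tests it touches. It is a JavaScript reference model of SVGTransformList.consolidate() as the linked SVG 2 draft defines it, plus a browser-side check that compares a live SVGTransformList against that model. The helper names (matrix, multiply, translate, scale, consolidate, isValidConsolidation, checkLiveDom) and the two-item sample list are assumptions of this example; checkLiveDom needs a document and is only meant to be pasted into a page.

```javascript
// Added example: a reference model of SVGTransformList.consolidate() as the
// SVG 2 draft defines it, and a check of a live browser against that model.
// Not code from the Chromium fix; helper names and sample data are assumed.

// SVGTransform type constants from the SVG DOM.
const SVG_TRANSFORM_UNKNOWN = 0;
const SVG_TRANSFORM_MATRIX = 1;
const SVG_TRANSFORM_TRANSLATE = 2;
const SVG_TRANSFORM_SCALE = 3;

// A 2D affine matrix in SVGMatrix layout: [a c e; b d f; 0 0 1].
function matrix(a, b, c, d, e, f) {
  return { a, b, c, d, e, f };
}

// Product m1 * m2, the same order as SVGMatrix.multiply(m2) called on m1.
function multiply(m1, m2) {
  return matrix(
    m1.a * m2.a + m1.c * m2.b,
    m1.b * m2.a + m1.d * m2.b,
    m1.a * m2.c + m1.c * m2.d,
    m1.b * m2.c + m1.d * m2.d,
    m1.a * m2.e + m1.c * m2.f + m1.e,
    m1.b * m2.e + m1.d * m2.f + m1.f
  );
}

// Plain-object stand-ins for SVGTransform values (constructed sample input).
function translate(tx, ty) {
  return { type: SVG_TRANSFORM_TRANSLATE, matrix: matrix(1, 0, 0, 1, tx, ty) };
}
function scale(sx, sy) {
  return { type: SVG_TRANSFORM_SCALE, matrix: matrix(sx, 0, 0, sy, 0, 0) };
}

// Reference consolidate(): null for an empty list (what the spec requires
// and what the fix implements); otherwise one SVG_TRANSFORM_MATRIX transform
// holding the product of every item in list order. There is no path here
// that yields the SVG_TRANSFORM_UNKNOWN object the bug describes.
function consolidate(transforms) {
  if (transforms.length === 0) return null;
  let product = transforms[0].matrix;
  for (let i = 1; i < transforms.length; i++) {
    product = multiply(product, transforms[i].matrix);
  }
  return { type: SVG_TRANSFORM_MATRIX, matrix: product };
}

// Acceptance check for whatever a real consolidate() hands back: null or a
// matrix transform. A transform whose type is SVG_TRANSFORM_UNKNOWN is the
// invalid object that other code "couldn't cope with".
function isValidConsolidation(result) {
  if (result === null) return true;
  return typeof result === 'object' && result.type === SVG_TRANSFORM_MATRIX;
}

// Browser-only check (needs `document`): build a <rect>, consolidate its
// empty transform list, then a two-item list, and compare with the model.
// Returns a list of failure strings; an empty list means the DOM matches.
function checkLiveDom() {
  const NS = 'http://www.w3.org/2000/svg';
  const svg = document.createElementNS(NS, 'svg');
  const rect = document.createElementNS(NS, 'rect');
  svg.appendChild(rect);
  document.body.appendChild(svg);
  const list = rect.transform.baseVal;
  const failures = [];

  list.clear();
  const empty = list.consolidate();
  if (empty !== null) {
    failures.push('consolidate() on an empty list returned type ' +
      empty.type + ', expected null');
  }

  const t = svg.createSVGTransform(); t.setTranslate(10, 20);
  const s = svg.createSVGTransform(); s.setScale(2, 2);
  list.appendItem(t);
  list.appendItem(s);
  const live = list.consolidate();
  const expected = consolidate([translate(10, 20), scale(2, 2)]);
  const ok = live !== null && isValidConsolidation(live) &&
    ['a', 'b', 'c', 'd', 'e', 'f'].every(k => live.matrix[k] === expected.matrix[k]);
  if (!ok) {
    failures.push('consolidate() on a two-item list did not match the reference product');
  }
  svg.remove();
  return failures;
}
```

In a page, `checkLiveDom()` returning an empty array means the browser follows the spec; a pre-fix Blink would report a non-null result of type 0 for the empty list. The reference model multiplies in list order, which is the order a consolidated matrix is defined to use.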
Comment 4 by ClusterFuzz (Project Member), Feb 9 2017

ClusterFuzz has detected this issue as fixed in range 448978:449020.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5753491420348416

Fuzzer: lcamtuf_cross_fuzz
Job Type: linux_cfi_chrome
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  i < size() in Vector.h
  blink::CSSValueList::item
  blink::TransformBuilder::createTransformOperations
  
Sanitizer: cfi (CFI)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_cfi_chrome&range=447381:447444
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_cfi_chrome&range=448978:449020

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95ek43V2uj47MyYN3BJ48DoehRPXIaand2ghNyEAizNEiDVc9o-phNpZ7Y-SOwACzwC6JCJaHsTbpJJjP-ktt-hbG5hcG_cF3icfEbwC2KHu2pJFuQ5-ORDO65V1wk8j_jwDDJ7wX5r5PizTGw6soQWL8uT2jGA6h_NbaHZA9JBgWhq6Jg8inqOYKFA_G2OwJFDJw9fUmmV84s6PLFl_n013xHtJk14RmbSB1SMIPYeWkYfmnjSkZy-JNnyXSZS2qnJgY-fPweXbvjgxlS_QIQd472X7z_QMFhfc4REJsjl0xA_qQKUKtnGUMwzQy1t0WzePKM0elMZ5VVv564_hihL3Y7b3d1GQmHVFAnLQpoqz98F1wg?testcase_id=5753491420348416


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 5 by f...@opera.com, Feb 9 2017

Mergedinto: 688303
Status: Duplicate (was: Assigned)
