[Backport] Security bug 1102408

Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2283901:
Fix UAF in SelectType

This fixes the UAF detected by ClusterFuzz in [1], caused by [2].
The test case added here is a minimized version of the clusterfuzz
case, and I verified that it crashes (ASAN UAF) before this patch
and no longer crashes after.

[1] https://clusterfuzz.com/testcase-detail/6224868955193344
[2] https://chromium-review.googlesource.com/c/chromium/src/+/1912682

Fixed: 1102408
Change-Id: Ieb6a9582ff5b9676596048920bbcff881fdc2eb2
Commit-Queue: Mason Freed <masonfreed@chromium.org>
Auto-Submit: Mason Freed <masonfreed@chromium.org>
Reviewed-by: Kent Tamura <tkent@chromium.org>
Cr-Commit-Position: refs/heads/master@{#785970}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>

1 files changed, 1 insertions, 1 deletions

diff --git a/chromium/third_party/blink/renderer/core/html/forms/html_select_element.cc b/chromium/third_party/blink/renderer/core/html/forms/html_select_element.cc
index a02e8b059ac..931b8fb3c60 100644
--- a/chromium/third_party/blink/renderer/core/html/forms/html_select_element.cc
+++ b/chromium/third_party/blink/renderer/core/html/forms/html_select_element.cc
@@ -1587,7 +1587,7 @@ void HTMLSelectElement::ListBoxDefaultEventHandler(Event& event) {
 
       if (Page* page = GetDocument().GetPage()) {
         page->GetAutoscrollController().StartAutoscrollForSelection(
-            layout_object);
+            GetLayoutObject());
       }
     }
     // Mousedown didn't happen in this element.