Security fix while computing dropdown menu arrow width

There is no clean way to set the size for the dropdown menu arrow dynamically
without causing security bugs. Since this is only for tests, using a fixed
width works with _most_ of the test cases while the rest have minor changes
that are acceptable for layout tests.

Context: https://codereview.chromium.org/2340633002

BUG=649095, 649056, 649058, 649132, 640256
COMPONENT=ThemePainterDefault, Menu List Arrow
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2

Review-Url: https://codereview.chromium.org/2359753003
Cr-Commit-Position: refs/heads/master@{#420492}

third_party/WebKit/LayoutTests/TestExpectations

@@ -264,6 +264,12 @@ crbug.com/567837 virtual/scalefactor200/fast/hidpi/static/gesture-scroll-amount.
 crbug.com/567837 virtual/scalefactor150/fast/hidpi/static/mousewheel-scroll-amount.html [ Skip ]
 crbug.com/567837 virtual/scalefactor150/fast/hidpi/static/gesture-scroll-amount.html [ Skip ]
 
+crbug.com/640256 [ Linux Win ] fast/forms/color/color-suggestion-picker-appearance-zoom125.html [ NeedsRebaseline ]
+crbug.com/640256 [ Linux Win ] fast/forms/color/color-suggestion-picker-appearance-zoom200.html [ NeedsRebaseline ]
+crbug.com/640256 [ Linux Win ] fast/forms/color/color-suggestion-picker-appearance.html [ NeedsRebaseline ]
+crbug.com/640256 [ Linux Win ] fast/forms/color/color-suggestion-picker-one-row-appearance.html [ NeedsRebaseline ]
+crbug.com/640256 [ Linux Win ] fast/forms/color/color-suggestion-picker-two-row-appearance.html [ NeedsRebaseline ]
+
 # TODO(ojan): These tests aren't flaky. See crbug.com/517144.
 # Release trybots run asserts, but the main waterfall ones don't. So, even
 # though this is a non-flaky assert failure, we need to mark it [ Pass Crash ].

third_party/WebKit/Source/core/paint/ThemePainterDefault.cpp

@@ -42,7 +42,10 @@ namespace blink {
 namespace {
 
 const unsigned defaultButtonBackgroundColor = 0xffdddddd;
-const unsigned dropdownMenuListArrowPadding = 3;
+const unsigned mockDropdownMenuListArrowPadding = 3;
+// This is equal to the padding provided by the LayoutMenuList which is
+// calculated based on |menuListArrowPaddingSize| in LayoutThemeDefault.
+const unsigned mockDropdownMenuListArrowWidth = 18;
 
 bool useMockTheme()
 {
@@ -263,10 +266,8 @@ void ThemePainterDefault::setupMenuListArrow(const LayoutBox& box, const IntRect
     if (useMockTheme()) {
         // The size and position of the drop-down button is different between
         // the mock theme and the regular aura theme.
-        int extraPadding = dropdownMenuListArrowPadding * box.styleRef().effectiveZoom();
-        // The width available for the arrow is based on the padding provided
-        // in the child LayoutBox.
-        int arrowBoxWidth = ((box.styleRef().direction() == RTL) ? box.firstChildBox()->paddingLeft() : box.firstChildBox()->paddingRight()).toInt();
+        int extraPadding = mockDropdownMenuListArrowPadding * box.styleRef().effectiveZoom();
+        int arrowBoxWidth = mockDropdownMenuListArrowWidth * box.styleRef().effectiveZoom();
         int arrowSize = std::min(arrowBoxWidth, rect.height()) - 2 * extraPadding;
         extraParams.menuList.arrowX = (box.styleRef().direction() == RTL) ? rect.x() + extraPadding + (arrowSize / 2) : right - (arrowSize / 2) - extraPadding;
         extraParams.menuList.arrowSize = arrowSize;