Fix UAF in SelectType

This fixes the UAF detected by ClusterFuzz in [1], caused by [2].
The test case added here is a minimized version of the clusterfuzz
case, and I verified that it crashes (ASAN UAF) before this patch
and no longer crashes after.

[1] https://clusterfuzz.com/testcase-detail/6224868955193344
[2] https://chromium-review.googlesource.com/c/chromium/src/+/1912682

Fixed: 1102408
Change-Id: Ieb6a9582ff5b9676596048920bbcff881fdc2eb2
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2283901
Commit-Queue: Mason Freed <masonfreed@chromium.org>
Auto-Submit: Mason Freed <masonfreed@chromium.org>
Reviewed-by: Kent Tamura <tkent@chromium.org>
Cr-Commit-Position: refs/heads/master@{#785970}

third_party/blink/renderer/core/html/forms/select_type.cc

@@ -755,7 +755,7 @@ bool ListBoxSelectType::DefaultEventHandler(const Event& event) {
 
       if (Page* page = select_->GetDocument().GetPage()) {
         page->GetAutoscrollController().StartAutoscrollForSelection(
-            layout_object);
+            select_->GetLayoutObject());
       }
     }
     // Mousedown didn't happen in this element.

third_party/blink/web_tests/fast/forms/select/select-change-layout-object-crash-expected.txt

+PASS - this test passes if it does not crash (ASAN)

third_party/blink/web_tests/fast/forms/select/select-change-layout-object-crash.html

+<style>
+.c:hover { display: block; }
+</style>
+
+<select id=target autofocus=autofocus size=2 class=c></select>
+
+<script>
+if (window.testRunner)
+	testRunner.dumpAsText();
+
+window.onload = function() {
+    eventSender.beginDragWithFiles( ["resources/file-for-drag-to-navigate.html"]);
+    eventSender.mouseMoveTo(target.offsetLeft + 5, target.offsetTop + 5);
+};
+</script>
+
+<p>PASS - this test passes if it does not crash (ASAN)</p>