[Backport] CVE-2021-21188: Use after free in Blink.

Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2636213:
Test for persistent execution context during Animatable::animate.

Prior to the patch, the validity of the execution context was only
checked on entry to the method; however, the execution context can
be invalidated during the course of parsing keyframes or options.
The parsing of options is upstream of Animatable::animate and caught by
the existing check, but invalidation during keyframe parsing could fall
through triggering a crash.

Bug: 1161739
Change-Id: Ic0fc927d1d6ce902592bf92261fd4c506e96afac
Commit-Queue: Kevin Ellis <[email protected]>
Reviewed-by: Robert Flack <[email protected]>
Cr-Commit-Position: refs/heads/master@{#844622}
Reviewed-by: Jüri Valdmann <[email protected]>

Author: Kevin Ellis

chromium/third_party/blink/renderer/core/animation/element_animation.cc

@@ -36,12 +36,21 @@ Animation* ElementAnimation::animate(
   if (exception_state.HadException())
     return nullptr;
 
+  // Creation of the keyframe effect parses JavaScript, which could result
+  // in destruction of the execution context. Recheck that it is still valid.
+  if (!element.GetExecutionContext())
+    return nullptr;
+
   Timing timing =
       TimingInput::Convert(options, &element.GetDocument(), exception_state);
   if (exception_state.HadException())
     return nullptr;
 
   Animation* animation = animateInternal(element, effect, timing);
+
+  if (!animation)
+    return nullptr;
+
   if (options.IsKeyframeAnimationOptions())
     animation->setId(options.GetAsKeyframeAnimationOptions().id());
   return animation;
@@ -56,6 +65,10 @@ Animation* ElementAnimation::animate(ScriptState* script_state,
                            script_state, exception_state);
   if (exception_state.HadException())
     return nullptr;
+
+  if (!element.GetExecutionContext())
+    return nullptr;
+
   return animateInternal(element, effect, Timing());
 }