[PaintWorklet] Speculate fix for a null-deference in CSSPaintDefinition::Paint

It appears that under certain conditions (ASAN), the |script_state_| in the CSSPaintDefinition is nullptr. Notice that the |script_state_| itself is a scroped_refptr, it being null indicates that the CSSPaintDefinition object itself is null. The cluster fuzz seems to be able to repro this with a 29KB minimized test case and I can never repro it locally with the same build args. This CL is a speculate fix, and let's wait for fuzzer to tell us whether the problem is fixed by this or not. Bug: 806082 Change-Id: Iad22be412709d697d42e111cbf74de972b094918 Reviewed-on: https://chromium-review.googlesource.com/891598Reviewed-by: Stephen McGruer <smcgruer@chromium.org> Commit-Queue: Xida Chen <xidachen@chromium.org> Cr-Commit-Position: refs/heads/master@{#532932}

[PaintWorklet] Speculate fix for a null-deference in CSSPaintDefinition::Paint
It appears that under certain conditions (ASAN), the |script_state_| in the CSSPaintDefinition is nullptr. Notice that the |script_state_| itself is a scroped_refptr, it being null indicates that the CSSPaintDefinition object itself is null. The cluster fuzz seems to be able to repro this with a 29KB minimized test case and I can never repro it locally with the same build args. This CL is a speculate fix, and let's wait for fuzzer to tell us whether the problem is fixed by this or not. Bug: 806082 Change-Id: Iad22be412709d697d42e111cbf74de972b094918 Reviewed-on: https://chromium-review.googlesource.com/891598Reviewed-by: Stephen McGruer <smcgruer@chromium.org> Commit-Queue: Xida Chen <xidachen@chromium.org> Cr-Commit-Position: refs/heads/master@{#532932}
14f4cf3d · Xida Chen · Commit Bot · 0531e1c1 · 14f4cf3d
Commit 14f4cf3d authored Jan 30, 2018 by Xida Chen Committed by Commit Bot Jan 30, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 0 deletions

third_party/WebKit/Source/modules/csspaint/PaintWorklet.cpp third_party/WebKit/Source/modules/csspaint/PaintWorklet.cpp +2 -0

No files found.
--- a/third_party/WebKit/Source/modules/csspaint/PaintWorklet.cpp
+++ b/third_party/WebKit/Source/modules/csspaint/PaintWorklet.cpp
@@ -102,6 +102,8 @@ scoped_refptr<Image> PaintWorklet::Paint(const String& name,
  PaintWorkletGlobalScopeProxy* proxy =
      PaintWorkletGlobalScopeProxy::From(FindAvailableGlobalScope());
  CSSPaintDefinition* paint_definition = proxy->FindDefinition(name);
+  if (!paint_definition)
+    return nullptr;
  return paint_definition->Paint(observer, container_size, data);
 }