Check that SVGImage is loaded in ImageNotifyFinished()

This check was added to ImageLoader::ImageNotifyFinished() in
https://codereview.chromium.org/2888953004. Add the same check
to StyleFetchedImage::ImageNotifyFinished().

Change-Id: Ia9c201c456cdb2e27d8a9abcc9b2dcded0ac8597
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2644114Reviewed-by: Eric Willigers <ericwilligers@chromium.org>
Commit-Queue: Wan-Teh Chang <wtc@google.com>
Cr-Commit-Position: refs/heads/master@{#846123}

third_party/blink/renderer/core/style/style_fetched_image.cc

@@ -142,8 +142,15 @@ void StyleFetchedImage::ImageNotifyFinished(ImageResourceContent*) {
   if (image_ && image_->HasImage()) {
     Image& image = *image_->GetImage();
 
-    if (auto* svg_image = DynamicTo<SVGImage>(image))
+    if (auto* svg_image = DynamicTo<SVGImage>(image)) {
+      // SVG's document should be completely loaded before access control
+      // checks, which can occur anytime after ImageNotifyFinished()
+      // (See SVGImage::CurrentFrameHasSingleSecurityOrigin()).
+      // We check the document is loaded here to catch violation of the
+      // assumption reliably.
+      svg_image->CheckLoaded();
       svg_image->UpdateUseCounters(*document_);
+    }
   }
 
   if (LocalDOMWindow* window = document_->domWindow())