Don't crash if HTMLCanvasElement::toBlob() is called in a detached document

Bug: 1083623 Test: fast/canvas/canvas-toBlob-in-detached-document.html Change-Id: I9286d6e6e568a1faf7dcb99e2ea4b252b88aff0b Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2207792 Commit-Queue: Kentaro Hara <haraken@chromium.org> Auto-Submit: Nate Chapin <japhet@chromium.org> Reviewed-by: Kentaro Hara <haraken@chromium.org> Cr-Commit-Position: refs/heads/master@{#769920}

Don't crash if HTMLCanvasElement::toBlob() is called in a detached document
Bug: 1083623 Test: fast/canvas/canvas-toBlob-in-detached-document.html Change-Id: I9286d6e6e568a1faf7dcb99e2ea4b252b88aff0b Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2207792 Commit-Queue: Kentaro Hara <haraken@chromium.org> Auto-Submit: Nate Chapin <japhet@chromium.org> Reviewed-by: Kentaro Hara <haraken@chromium.org> Cr-Commit-Position: refs/heads/master@{#769920}
c3ef6722 · Nate Chapin · Commit Bot · 7a4d669b · c3ef6722 · c3ef6722
Commit c3ef6722 authored May 19, 2020 by Nate Chapin Committed by Commit Bot May 19, 2020
4 changed files
--- a/third_party/blink/renderer/core/html/canvas/canvas_async_blob_creator.cc
+++ b/third_party/blink/renderer/core/html/canvas/canvas_async_blob_creator.cc
@@ -174,6 +174,7 @@ CanvasAsyncBlobCreator::CanvasAsyncBlobCreator(
      callback_(callback),
      script_promise_resolver_(resolver) {
  DCHECK(image);
+  DCHECK(context);
  mime_type_ = ImageEncoderUtils::ToEncodingMimeType(
      encode_options_->type(),

--- a/third_party/blink/renderer/core/html/canvas/html_canvas_element.cc
+++ b/third_party/blink/renderer/core/html/canvas/html_canvas_element.cc
@@ -1003,6 +1003,9 @@ void HTMLCanvasElement::toBlob(V8BlobCallback* callback,
    return;
  }
+  if (!GetExecutionContext())
+    return;
  if (!IsPaintable()) {
    // If the canvas element's bitmap has no pixels
    GetDocument()

--- a/third_party/blink/web_tests/fast/canvas/canvas-toBlob-in-detached-document-expected.txt
+++ b/third_party/blink/web_tests/fast/canvas/canvas-toBlob-in-detached-document-expected.txt
+PASS if no crash.
--- a/third_party/blink/web_tests/fast/canvas/canvas-toBlob-in-detached-document.html
+++ b/third_party/blink/web_tests/fast/canvas/canvas-toBlob-in-detached-document.html
+<body>
+PASS if no crash.
+<div id="d">
+<iframe id="i"></iframe>
+<canvas id="c"></canvas>
+</div>
+<script>
+if (window.testRunner)
+  testRunner.dumpAsText();
+var canvas = document.getElementById("c");
+i.contentDocument.body.appendChild(d);
+canvas.toBlob(() => {});
+</script>
+</body>