[Backport] CVE-2021-21206: Use after free in Blink

Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2821879:
Forbid script execution while updating the paint lifecycle.

(cherry picked from commit 5425d3b100fab533ea9ddc2ed8fbfc4870db0587)

Bug: 1196781
Change-Id: Idc8d24792d5c413691977b09ca821de4e13887ad
Commit-Queue: Adrian Taylor <[email protected]>
Commit-Queue: Robert Flack <[email protected]>
Reviewed-by: Xianzhu Wang <[email protected]>
Cr-Original-Commit-Position: refs/heads/master@{#870275}
Reviewed-by: Robert Flack <[email protected]>
Reviewed-by: Achuith Bhandarkar <[email protected]>
Reviewed-by: Victor-Gabriel Savu <[email protected]>
Commit-Queue: Jana Grill <[email protected]>
Cr-Commit-Position: refs/branch-heads/4240@{#1601}
Cr-Branched-From: f297677702651916bbf65e59c0d4bbd4ce57d1ee-refs/heads/master@{#800218}
Reviewed-by: Allan Sandfeld Jensen <[email protected]>

Author: Jana Grill

chromium/third_party/blink/renderer/core/frame/local_frame_view.cc

@@ -2766,11 +2766,14 @@ void LocalFrameView::RunPaintLifecyclePhase() {
         for (PaintLayerScrollableArea* area : *animating_scrollable_areas)
           area->UpdateCompositorScrollAnimations();
       }
-      frame_view.GetLayoutView()
-          ->GetDocument()
-          .GetDocumentAnimations()
-          .UpdateAnimations(DocumentLifecycle::kPaintClean,
-                            paint_artifact_compositor_.get());
+      {
+        ScriptForbiddenScope forbid_script;
+        frame_view.GetLayoutView()
+            ->GetDocument()
+            .GetDocumentAnimations()
+            .UpdateAnimations(DocumentLifecycle::kPaintClean,
+                              paint_artifact_compositor_.get());
+      }
     });
 
     // Initialize animation properties in the newly created paint property