Check for invalid element id when deserializing CompositorProxyTag

third_party/WebKit/Source/bindings/core/v8/serialization/V8ScriptValueDeserializer.cpp

Index: third_party/WebKit/Source/bindings/core/v8/serialization/V8ScriptValueDeserializer.cpp
diff --git a/third_party/WebKit/Source/bindings/core/v8/serialization/V8ScriptValueDeserializer.cpp b/third_party/WebKit/Source/bindings/core/v8/serialization/V8ScriptValueDeserializer.cpp
index 516ec902c1aa37efdce1418070c8f6eb78751b06..1d9fc82d3c758b7eae9c2bc8be836b79122b663f 100644
--- a/third_party/WebKit/Source/bindings/core/v8/serialization/V8ScriptValueDeserializer.cpp
+++ b/third_party/WebKit/Source/bindings/core/v8/serialization/V8ScriptValueDeserializer.cpp
@@ -208,8 +208,8 @@ ScriptWrappable* V8ScriptValueDeserializer::readDOMObject(
       const uint32_t validPropertiesMask = static_cast<uint32_t>(
           (1u << CompositorMutableProperty::kNumProperties) - 1);
       if (!RuntimeEnabledFeatures::compositorWorkerEnabled() ||
-          !readUint64(&element) || !readUint32(&properties) || !properties ||
-          (properties & ~validPropertiesMask))
+          !readUint64(&element) || !readUint32(&properties) || element == 0 ||
+          !properties || (properties & ~validPropertiesMask))
         return nullptr;
       return CompositorProxy::create(m_scriptState->getExecutionContext(),
                                      element, properties);