The Vulnerability History Project

parserRemoveChild: Avoid unintended DOM modifications after user script run.

Surprisingly, ContainerNode::parserRemoveChild may run arbitrary user script during its DOM modification if its target contained iframes. Before this CL, this could lead to a corrupt DOM tree, as the target node could be moved during parserRemoveChild execution.

This CL adds a bail-out if stmt after disconnecting child frame to abort if precondition has changed.

BUG=516377

Review URL: https://codereview.chromium.org/1277793002

git-svn-id: svn://svn.chromium.org/blink/trunk@200098 bbb929c8-8fbe-4397-9dbb-9b2b20218538
    
commit 2c36e1fa592c341f27f758cf8b6770957c9bfdd4
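
The re-check pattern the commit message describes, as an added example that is not Blink's code and not part of the original page: a simplified tree model in which a callback standing in for user script moves the node while it is being removed. `Node`, `remove_child`, `on_disconnect`, `consistent` and `scenario` are hypothetical names, and the precondition checked (the child is still parented by this node) is an assumption.

```cpp
#include <algorithm>
#include <cstdio>
#include <functional>
#include <vector>

// Simplified model for illustration only; none of this is Blink code.
struct Node {
    Node* parent = nullptr;
    std::vector<Node*> children;
    std::function<void()> on_disconnect;  // stands in for script run on frame teardown

    void detach(Node* c) {
        children.erase(std::remove(children.begin(), children.end(), c), children.end());
        c->parent = nullptr;
    }
    void append(Node* c) {
        if (c->parent) c->parent->detach(c);
        c->parent = this;
        children.push_back(c);
    }
    // Returns true if this call removed the child, false if it bailed out.
    bool remove_child(Node* c, bool recheck) {
        if (c->parent != this) return false;             // precondition on entry
        if (c->on_disconnect) c->on_disconnect();        // may run arbitrary code
        if (recheck && c->parent != this) return false;  // bail-out: tree changed under us
        detach(c);  // without the re-check this acts on a stale assumption
        return true;
    }
};

// A tree is consistent when every listed child points back at its parent.
bool consistent(const Node& n) {
    return std::all_of(n.children.begin(), n.children.end(),
                       [&](const Node* c) { return c->parent == &n; });
}

// Returns true if both parents are still consistent after the removal attempt.
bool scenario(bool recheck) {
    Node a, b, child;
    a.append(&child);
    child.on_disconnect = [&] { b.append(&child); };  // "script" moves the node mid-removal
    a.remove_child(&child, recheck);
    return consistent(a) && consistent(b);
}

int main() {
    std::printf("with re-check: %d, without: %d\n", scenario(true), scenario(false));
}
```

Without the re-check, `b` still lists the node as a child while the node's parent pointer has been cleared, which is the kind of inconsistency the bail-out prevents.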