The Vulnerability History Project

parserInsertBefore and parserRemoveChild should check newChild for a parent.

parserRemoveChild can run script in obscure cases involving the adoption
agency changing the children of a script element. This script can then
move the element the parser is trying to insert back into the page so that
parserInsertBefore would then insert the newChild in the tree again. This
means the child ends up being inserted twice, which can result in a
use-after-free if one is removed and a GC happens.

To fix this we run the removal in a loop inside the insert methods until
the child really is removed. We probably want to file a spec bug about this
too.

BUG=478745

Review URL: https://codereview.chromium.org/1117973003

git-svn-id: svn://svn.chromium.org/blink/trunk@194835 bbb929c8-8fbe-4397-9dbb-9b2b20218538
commit bd8876ce0ef6868d012e50db57803db91d8562ae
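The commit message above describes an invariant violation rather than a specific exploit: a node can end up in two children lists at once if the removal step runs script that re-parents the node before the insert step runs. The following is an added example, not Blink code and not part of this commit, that models the defect and the fix on a toy tree. The `onRemoved` hook is a constructed stand-in for the script execution the adoption-agency case allows during removal; `parserInsertBeforeBuggy` and `parserInsertBeforeFixed` are hypothetical names chosen to mirror the "before" and "after" behaviour the message describes (remove once versus loop until the child really has no parent).

```cpp
#include <algorithm>
#include <cstdio>
#include <functional>
#include <vector>

// Toy DOM node: a minimal stand-in for a Blink Node/ContainerNode.
struct Node {
    Node* parent = nullptr;
    std::vector<Node*> children;
    // Constructed hook: stands in for script that may run while the node is
    // being removed (the adoption-agency case in the commit message).
    std::function<void()> onRemoved;
};

// Count how many times `target` appears anywhere in the tree under `root`.
static int countOccurrences(const Node* root, const Node* target) {
    int n = 0;
    for (const Node* c : root->children) {
        if (c == target) ++n;
        n += countOccurrences(c, target);
    }
    return n;
}

static void appendChild(Node* parent, Node* child) {
    parent->children.push_back(child);
    child->parent = parent;
}

// Detach `child` from its parent, then run the hook, which (like script
// observing the mutation) may re-insert the node somewhere else.
static void removeChild(Node* child) {
    if (!child->parent) return;
    auto& siblings = child->parent->children;
    siblings.erase(std::remove(siblings.begin(), siblings.end(), child),
                   siblings.end());
    child->parent = nullptr;
    if (child->onRemoved) child->onRemoved();
}

// BEFORE: remove once, then insert without re-checking newChild->parent.
// If the hook re-parented the node, it is now in two children lists.
static void parserInsertBeforeBuggy(Node* newParent, Node* newChild) {
    if (newChild->parent) removeChild(newChild);
    appendChild(newParent, newChild);
}

// AFTER: keep removing until the child really has no parent, then insert.
static void parserInsertBeforeFixed(Node* newParent, Node* newChild) {
    while (newChild->parent) removeChild(newChild);
    appendChild(newParent, newChild);
}

// Constructed scenario: `body` holds `script`; the parser wants to move
// `script` under `newParent`. On its first removal, script moves itself
// back under `body` (it fires only once so the fixed loop terminates).
// Returns how many times `script` appears in the tree afterwards.
static int runScenario(bool useFix) {
    Node root, body, newParent, script;
    appendChild(&root, &body);
    appendChild(&root, &newParent);
    appendChild(&body, &script);
    bool fired = false;
    script.onRemoved = [&]() {
        if (fired) return;
        fired = true;
        appendChild(&body, &script);
    };
    if (useFix)
        parserInsertBeforeFixed(&newParent, &script);
    else
        parserInsertBeforeBuggy(&newParent, &script);
    return countOccurrences(&root, &script);
}

int main() {
    std::printf("buggy: node appears %d time(s)\n", runScenario(false));
    std::printf("fixed: node appears %d time(s)\n", runScenario(true));
    return 0;
}
```

In the buggy path the node is counted twice, which is the state the commit describes as leading to a use-after-free once one of the references is dropped and a GC runs; the fixed path re-checks the parent after every removal, so the invariant "a node has at most one parent" holds when the insert happens.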