angler-fishThe Vulnerability History Project

parserInsertBefore: Bail out if the parent no longer contains the child.

      nextChild may be removed from the DOM tree during the
|parserRemoveChild(*newChild)| call which triggers unload events of newChild's 
descendant iframes. In order to maintain the integrity of the DOM tree, the
insertion of newChild must be aborted in this case.

This patch adds a return statement that rectifies the behavior in this
edge case.

BUG=519558

Review URL: https://codereview.chromium.org/1283263002

git-svn-id: svn://svn.chromium.org/blink/trunk@200690 bbb929c8-8fbe-4397-9dbb-9b2b20218538
by Stanley the Reindeer 2015-08-18 04:30:56 UTC
commit c71a21e6dda9025c2bf823c5aab791c2ae8cdfc2
Chromium Fix CVE-2015-6755
third_party/WebKit/LayoutTests/fast/parser/scriptexec-during-parserInsertBefore-expected.txt
-11
third_party/WebKit/LayoutTests/fast/parser/scriptexec-during-parserInsertBefore.html
-30
third_party/WebKit/Source/core/dom/ContainerNode.cpp
-3
expand_less