Bug 787493, be more strict with refChild handling, r=bz a=akeybl
authorOlli Pettay <Olli.Pettay@helsinki.fi>
Thu, 20 Sep 2012 19:13:09 +0300
changeset 81996 03d28718012f2493039404e97e5af57b929b6071
parent 81995 62ad5b34715dd0a50b38eba04337083e61dc02fe
child 81997 277752f212a12b63e3666333811856a5aacbde19
push id272
push useramccreight@mozilla.com
push dateSat, 22 Sep 2012 18:08:29 +0000
reviewersbz, akeybl
bugs787493
milestone10.0.8esrpre
Bug 787493, be more strict with refChild handling, r=bz a=akeybl
content/base/src/nsGenericElement.cpp
--- a/content/base/src/nsGenericElement.cpp
+++ b/content/base/src/nsGenericElement.cpp
@@ -4074,16 +4074,20 @@ nsINode::ReplaceOrInsertBefore(bool aRep
                                            aNewChild->OwnerDoc());
     }
 
     // If we're inserting a fragment, fire for all the children of the
     // fragment
     if (nodeType == nsIDOMNode::DOCUMENT_FRAGMENT_NODE) {
       static_cast<nsGenericElement*>(aNewChild)->FireNodeRemovedForChildren();
     }
+    // Verify that our aRefChild is still sensible
+    if (aRefChild && aRefChild->GetNodeParent() != this) {
+      return NS_ERROR_DOM_NOT_FOUND_ERR;
+    }
   }
 
   nsIDocument* doc = OwnerDoc();
   nsIContent* newContent = static_cast<nsIContent*>(aNewChild);
   PRInt32 insPos;
 
   mozAutoDocUpdate batch(GetCurrentDoc(), UPDATE_CONTENT_MODEL, true);
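Review bot: The re-check added after `FireNodeRemovedForChildren()` covers only `aRefChild`'s parent, but listeners run during that event dispatch could presumably invalidate other state checked earlier, such as `aNewChild`'s own parent or the fragment's child list. Nothing in the visible lines re-validates those before `newContent` and `insPos` are used below. If that is guaranteed elsewhere in `ReplaceOrInsertBefore`, which starts and ends outside this hunk, a short comment saying so would help the next reader. The new comment should also name the cause rather than just "still sensible", for example `// Mutation event listeners may have moved or removed aRefChild; bail out rather than use a stale reference node.`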