Bug 787493, be more strict with refChild handling, r=bz
authorOlli Pettay <Olli.Pettay@helsinki.fi>
Thu, 20 Sep 2012 19:13:09 +0300
changeset 107695 7748dba7f579a800e4420dfbe29ce33311bd9412
parent 107694 6a2d1a3556b94d4bac0d0283dfe6152110d7af79
child 107696 f8d30ea0974c940e915b2b8bc5539a182374c7b1
push id82
push usershu@rfrn.org
push dateFri, 05 Oct 2012 13:20:22 +0000
reviewersbz
bugs787493
milestone18.0a1
Bug 787493, be more strict with refChild handling, r=bz
content/base/src/nsINode.cpp
--- a/content/base/src/nsINode.cpp
+++ b/content/base/src/nsINode.cpp
@@ -1570,16 +1570,20 @@ nsINode::ReplaceOrInsertBefore(bool aRep
                                            aNewChild->OwnerDoc());
     }
 
     // If we're inserting a fragment, fire for all the children of the
     // fragment
     if (nodeType == nsIDOMNode::DOCUMENT_FRAGMENT_NODE) {
       static_cast<nsGenericElement*>(aNewChild)->FireNodeRemovedForChildren();
     }
+    // Verify that our aRefChild is still sensible
+    if (aRefChild && aRefChild->GetNodeParent() != this) {
+      return NS_ERROR_DOM_NOT_FOUND_ERR;
+    }
   }
 
   nsIDocument* doc = OwnerDoc();
   nsIContent* newContent = static_cast<nsIContent*>(aNewChild);
   if (newContent->IsRootOfAnonymousSubtree()) {
     // This is anonymous content.  Don't allow its insertion
     // anywhere, since it might have UnbindFromTree calls coming
     // its way.
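Review bot: The added check after `FireNodeRemovedForChildren()` re-validates only `aRefChild`, and its comment does not say why the node could have stopped being sensible. I would spell the reason out, e.g. `// Mutation event listeners fired above can run script that moves or removes aRefChild, so re-check that it is still our child before using it as the insertion point.` The same listeners could presumably also have re-parented `aNewChild` or changed the ancestry that earlier validation relied on. The hunk does not show whether those results, or any sibling pointer derived from `aRefChild` before the events fired, are recomputed afterwards, so that is worth confirming. ReplaceOrInsertBefore starts and ends outside this hunk, so the surrounding validation is not visible here.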