From /third_party/WebKit/Source/core/dom/Document.cpp:

```cpp
PassRefPtrWillBeRawPtr<Node> Document::adoptNode(PassRefPtrWillBeRawPtr<Node> source, ExceptionState& exceptionState)
{
    EventQueueScope scope;
    switch (source->nodeType()) {
    (…)
    default:
        (…)
        if (source->parentNode()) {
            // Assumes that after this call |source| is detached, or that an
            // exception has been raised. Neither holds if a childrenChanged
            // hook re-inserts the node during removal.
            source->parentNode()->removeChild(source.get(), exceptionState);
            if (exceptionState.hadException())
                return nullptr;
        }
    }

    // Moves |source| into this document's tree scope without re-checking
    // whether it is still attached to its old parent.
    this->adoptIfNeeded(*source);
    return source;
}
```
This code expects that |removeChild(source.get(), exceptionState)| will either detach the source node or throw an exception if the removal cannot be done. However, the child can be reattached immediately after removal (through HTMLScriptElement::childrenChanged) if the parent node is a pending script whose type has recently changed to valid. In that case, ContainerNode::removeChild does not throw any exception. Consequently, the adopted node ends up in the wrong tree scope, which may lead to GC crashes and inconsistent frame states.
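The following is an added illustration of the pattern, not Blink code and not the upstream fix: a toy tree whose removeChild runs a childrenChanged-style hook that re-inserts the removed child, an adopt routine that trusts removeChild the way the snippet above does, and a second variant (an assumption of this example) that re-checks the node's parent before changing its tree scope. All node names, scope ids and the hook type are constructed for the example.

```cpp
// Added example: models the re-entrant reattachment described in the report.
#include <algorithm>
#include <string>
#include <utility>
#include <vector>

struct Node;

// Toy stand-in for a virtual ContainerNode::childrenChanged override, invoked
// after a child has been removed. A misbehaving hook may re-insert the child.
using ChildrenChangedHook = void (*)(Node* parent, Node* removedChild);

struct Node {
    std::string name;
    int scopeId;                         // which "tree scope" (document) owns this node
    Node* parent = nullptr;
    std::vector<Node*> children;
    ChildrenChangedHook hook = nullptr;

    Node(std::string n, int scope) : name(std::move(n)), scopeId(scope) {}

    void appendChild(Node* child) {
        child->parent = this;
        children.push_back(child);
    }

    // Detaches the child and then notifies the hook; this ordering is what
    // lets a hook reattach the node before the caller looks at it again.
    void removeChild(Node* child) {
        children.erase(std::remove(children.begin(), children.end(), child), children.end());
        child->parent = nullptr;
        if (hook) hook(this, child);
    }
};

// Hook modelled on the reattachment in the report: the parent puts the
// "removed" child straight back, and no exception is raised.
void reattachingHook(Node* parent, Node* removedChild) {
    parent->appendChild(removedChild);
}

// Variant 1: mirrors the snippet above; assumes removeChild either detached
// the node or failed loudly.
Node* adoptNodeTrusting(int targetScope, Node* source) {
    if (source->parent)
        source->parent->removeChild(source);
    source->scopeId = targetScope;   // adoptIfNeeded analogue
    return source;
}

// Variant 2 (defensive check assumed for this example, not the upstream fix):
// refuse to change scope unless the node is really detached now.
Node* adoptNodeChecked(int targetScope, Node* source) {
    if (source->parent)
        source->parent->removeChild(source);
    if (source->parent)   // a mutation hook reattached it: leave scopes alone
        return nullptr;
    source->scopeId = targetScope;
    return source;
}

// True when every child lives in the same scope as its parent.
bool treeIsConsistent(const Node* root) {
    for (const Node* c : root->children)
        if (c->scopeId != root->scopeId || !treeIsConsistent(c)) return false;
    return true;
}

// Builds a fresh toy tree (constructed data), runs one adopt variant on it and
// reports whether both documents are still internally consistent afterwards.
bool scenarioStaysConsistent(bool useCheckedVariant) {
    Node docA("docA", 1), docB("docB", 2);
    Node script("script", 1);
    Node text("text", 1);
    script.hook = reattachingHook;   // behaves like a pending script re-adopting its child
    docA.appendChild(&script);
    script.appendChild(&text);

    Node* adopted = useCheckedVariant ? adoptNodeChecked(2, &text)
                                      : adoptNodeTrusting(2, &text);
    if (adopted) docB.appendChild(adopted);
    return treeIsConsistent(&docA) && treeIsConsistent(&docB);
}
```

With the trusting variant the text node keeps its place under the script in docA while being labelled with docB's scope (and is inserted into docB's child list as well), which is the inconsistent state the report describes; the checked variant detects that the parent pointer is still set after the removal attempt and leaves both trees untouched.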
- Chrome 45.0.2454.101 (Stable)
- Chrome 46.0.2490.64 (Beta)
- Chrome 47.0.2526.5 (Dev)
- Chromium 48.0.2531.0 (Release build compiled today)
Attachment: CVE-2015-6770