Bug 1404180 - Don't allow associating form elements by ID to <form>s across anonymous subtree boundaries. r=smaug

MozReview-Commit-ID: KRJjrkL4FgZ

--HG--
extra : amend_source : 80cd5e00804a8b2a5fd4e51b0f7ea9160dd63b1c

dom/html/nsGenericHTMLElement.cpp

@@ -2319,7 +2319,9 @@ nsGenericHTMLFormElement::UpdateFormOwner(bool aBindToTree,
                      "element should be equals to the current element "
                      "associated with the id in @form!");
 
-        if (element && element->IsHTMLElement(nsGkAtoms::form)) {
+        if (element &&
+            element->IsHTMLElement(nsGkAtoms::form) &&
+            nsContentUtils::IsInSameAnonymousTree(this, element)) {
           SetForm(static_cast<HTMLFormElement*>(element), aBindToTree);
         }
       }

layout/style/crashtests/1404180-1.html

@@ -0,0 +1,22 @@
+<script>
+function jsfuzzer() {
+  try { htmlvar00016.appendChild(htmlvar00017); } catch(e) { }
+  try { htmlvar00016.form.setAttribute("novalidate", "novalidate"); } catch(e) { }
+  try { htmlvar00017.appendChild(htmlvar00036); } catch(e) { }
+  try { svgvar00007.appendChild(htmlvar00008); } catch(e) { }
+}
+</script>
+<body onload=jsfuzzer()>
+<form id="htmlvar00007">
+<legend id="htmlvar00008">
+<output id="htmlvar00016"></output>
+</legend>
+<link id="htmlvar00017"></link>
+<svg>
+<path id="svgvar00006">
+<animateTransform id="svgvar00007"/>
+</path>
+<use xlink:href="#svgvar00006">
+<table id="htmlvar00036">
+<th>
+<output form="htmlvar00007">

layout/style/crashtests/crashtests.list

@@ -239,4 +239,5 @@ load 1403465.html
 load 1403592.html
 load 1403615.html
 load 1403712.html
+load 1404180-1.html
 load 1404316.html