From 237e1bbf76a412b3e75fbe36ecd792fb8dbc51b6 Mon Sep 17 00:00:00 2001
From: sprang <sprang@webrtc.org>
Date: Mon, 6 Feb 2017 03:02:15 -0800
Subject: [PATCH] Fix potential use after free in H264 packetizer.

BUG=webrtc:7116

Review-Url: https://codereview.webrtc.org/2677073002
Cr-Commit-Position: refs/heads/master@{#16442}
---
 webrtc/modules/rtp_rtcp/source/rtp_format_h264.cc | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/webrtc/modules/rtp_rtcp/source/rtp_format_h264.cc b/webrtc/modules/rtp_rtcp/source/rtp_format_h264.cc
index 99f5d6ca54..5d631b504d 100644
--- a/webrtc/modules/rtp_rtcp/source/rtp_format_h264.cc
+++ b/webrtc/modules/rtp_rtcp/source/rtp_format_h264.cc
@@ -293,6 +293,7 @@ void RtpPacketizerH264::NextAggregatePacket(RtpPacketToSend* rtp_packet) {
   // STAP-A NALU header.
   buffer[0] = (packet->header & (kFBit | kNriMask)) | H264::NaluType::kStapA;
   size_t index = kNalHeaderSize;
+  bool is_last_fragment = packet->last_fragment;
   while (packet->aggregated) {
     const Fragment& fragment = packet->source_fragment;
     // Add NAL unit length field.
@@ -303,11 +304,12 @@ void RtpPacketizerH264::NextAggregatePacket(RtpPacketToSend* rtp_packet) {
     index += fragment.length;
     packets_.pop();
     input_fragments_.pop_front();
-    if (packet->last_fragment)
+    if (is_last_fragment)
       break;
     packet = &packets_.front();
+    is_last_fragment = packet->last_fragment;
   }
-  RTC_CHECK(packet->last_fragment);
+  RTC_CHECK(is_last_fragment);
   rtp_packet->SetPayloadSize(index);
 }