From 5615f900a1fe9ff228c85f283839db5957c0cb26 Mon Sep 17 00:00:00 2001
From: David Woodhouse
Date: Fri, 26 Jul 2024 08:47:50 +0100
Subject: [PATCH] Fix use-after-free in audio frag overlap

Signed-off-by: David Woodhouse
---
 chime/chime-call-audio.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/chime/chime-call-audio.c b/chime/chime-call-audio.c
index a74fc0f..95a2682 100644
--- a/chime/chime-call-audio.c
+++ b/chime/chime-call-audio.c
@@ -341,6 +341,7 @@ static gboolean idle_send_ack(gpointer _audio)
 static gboolean insert_frag(struct message_buf *m, gint32 start, gint32 end)
 {
 	struct message_frag **f = &m->frags, *nf;
+// printf("Insert frag %d-%d\n", start, end);
 	while (*f) {
 		if (end < (*f)->start) {
 			/* Insert before *f */
@@ -352,8 +353,8 @@ static gboolean insert_frag(struct message_buf *m, gint32 start, gint32 end)
 		/* ... and merge subsequent frags that we now touch */
 		if (end > (*f)->end) {
 			(*f)->end = end;
-			nf = (*f)->next;
-			while ((*f)->next && nf->start <= (*f)->end) {
+			while ((nf = (*f)->next) &&
+			       nf->start <= (*f)->end) {
 				(*f)->end = nf->end;
 				(*f)->next = nf->next;
 				g_free(nf);
--
2.51.0
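Review bot: The line `// printf("Insert frag %d-%d\n", start, end);` added right after the `nf` declaration is commented-out debug code and should not land with a use-after-free fix; drop it, or gate it behind whatever tracing facility the file already uses if one exists. Dead debug lines tend to get uncommented under pressure and then ship, and this one would also need `<stdio.h>`, which the hunk does not show being included. The body of insert_frag continues past the end of this hunk.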
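Review bot: The merge loop can still shrink the fragment it is extending: `(*f)->end = nf->end;` overwrites the end unconditionally, so if the list is kept sorted and non-overlapping (as the "Insert before *f" branch suggests) and the new range reaches past a later frag that lies entirely inside it, the merged frag loses the tail of the range and any further frags that only overlap that lost tail are left in place, breaking the non-overlap invariant. Change it to `(*f)->end = MAX((*f)->end, nf->end);`, which is available from glib alongside `g_free`. It would also help the next reader to say why `nf` is now re-read on every pass, e.g. `/* re-read next each pass: the nf from the previous pass was freed */` above the `while`. insert_frag starts before this hunk and its body continues after it.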