From 47ecbdba682e327d560534ca4f4cb30bd8b029a4 Mon Sep 17 00:00:00 2001
From: Richard Fuchs
Date: Wed, 8 Apr 2026 10:31:29 -0400
Subject: [PATCH] MT#55283 fix possible UAF
Closes #2059
Change-Id: I364e14ae2b944ebd2839490c61279a14501e02e2
---
daemon/jitter_buffer.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/daemon/jitter_buffer.c b/daemon/jitter_buffer.c
index 251f801be..7d8d9e377 100644
--- a/daemon/jitter_buffer.c
+++ b/daemon/jitter_buffer.c
@@ -440,6 +440,7 @@ int buffer_packet(struct media_packet *mp, const str *s) {
 jb->dtmf_mult_factor=0;
 }
+ unsigned long ts = ntohl(mp->rtp->timestamp);
 if (jb->first_send) {
 if(rtpe_config.jb_clock_drift) {
@@ -450,7 +451,6 @@ int buffer_packet(struct media_packet *mp, const str *s) {
 } else { // store data from first packet and use for successive packets and queue the first packet
- unsigned long ts = ntohl(mp->rtp->timestamp);
 payload_type = (mp->rtp->m_pt & 0x7f);
 int clockrate = get_clock_rate(mp, payload_type);
 if(!clockrate){
@@ -472,12 +472,13 @@ int buffer_packet(struct media_packet *mp, const str *s) {
 } // packet consumed?
- if (ret == 0)
+ if (ret == 0) {
 p = NULL;
+ mp = NULL;
+ }
 // Update adaptive jitter buffer statistics
 if (rtpe_config.jb_adaptive && jb->first_send && jb->rtptime_delta && jb->clock_rate) {
- unsigned long ts = ntohl(mp->rtp->timestamp);
 long ts_diff = (uint32_t)ts - (uint32_t)jb->first_send_ts;
 int64_t expected_arrival = jb->first_send + (ts_diff * 1000000LL / jb->clock_rate);
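Review bot: The hoisted `unsigned long ts = ntohl(mp->rtp->timestamp);` in the first hunk (@@ -440) has no comment explaining why the timestamp must be read this early, so a later cleanup could move it back next to its use and reintroduce the use-after-free. A one-line comment above it would pin the invariant, e.g. `// read the RTP timestamp up front: mp must not be dereferenced once the packet is consumed`. The value is only ever used as 32 bits (the statistics block casts it with `(uint32_t)ts`), so `uint32_t ts` would match what `ntohl()` returns and make that cast unnecessary. buffer_packet's body starts and ends outside the hunk, so it is not visible here whether `mp->rtp` is already validated before this line.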
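Review bot: In the third hunk (@@ -472), `mp = NULL;` clears only the local pointer, so any remaining `mp->` read on the `ret == 0` path would now fail as a NULL dereference rather than touch freed memory. Pointers taken from the packet earlier in the function are not covered by it at all. The visible statistics block now uses the hoisted `ts`, but buffer_packet continues past the end of the hunk, so the rest of the function should be checked for reads through `mp` or through values derived from it. A comment at the check would document the rule the fix relies on, e.g. `// packet consumed: neither p nor mp may be dereferenced below this point`.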