From 77738f17453f58d5321ab5e2285fcb0118413667 Mon Sep 17 00:00:00 2001
From: Richard Fuchs <rfuchs@sipwise.com>
Date: Fri, 3 Nov 2023 15:08:02 -0400
Subject: [PATCH] MT#55283 fix use-after-free

Grab the correct list link when inserting in the middle of the list.

Change-Id: I4ae484ba05f5e4be827101193952653c21c47ad3
(cherry picked from commit 3f5a22d2a53f0e2cb6e9577c8cde89e6d7411c62)
---
 daemon/codec.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/daemon/codec.c b/daemon/codec.c
index dae8e038c..05aeef7ac 100644
--- a/daemon/codec.c
+++ b/daemon/codec.c
@@ -4266,11 +4266,14 @@ static void codec_store_add_raw_link(struct codec_store *cs, struct rtp_payload_
 			STR_FMT(&pt->encoding_with_full_params), link);
 	g_hash_table_insert(cs->codecs, GINT_TO_POINTER(pt->payload_type), pt);
 	__rtp_payload_type_add_name(cs->codec_names, pt);
-	if (!link)
+	if (!link) {
 		g_queue_push_tail(&cs->codec_prefs, pt);
-	else
+		pt->prefs_link = cs->codec_prefs.tail;
+	}
+	else {
 		g_queue_insert_before(&cs->codec_prefs, link, pt);
-	pt->prefs_link = cs->codec_prefs.tail;
+		pt->prefs_link = link->prev;
+	}
 	if (!cs->supp_link && pt->codec_def && pt->codec_def->supplemental)
 		cs->supp_link = pt->prefs_link;
 }