From d49980322109a8957df07c9a1e886258906d9958 Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa
Date: Sun, 10 Aug 2014 12:20:36 +0900
Subject: [PATCH] Fix another heap-use-after-free bug
---
 lib/nghttp2_session.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c
index fa8c6169..71f64c82 100644
--- a/lib/nghttp2_session.c
+++ b/lib/nghttp2_session.c
@@ -1798,6 +1798,13 @@ static int session_prep_frame(nghttp2_session *session,
 return framerv;
 }
 if(framerv < 0) {
+ rv = nghttp2_stream_detach_data(stream, &session->ob_pq,
+ session->last_cycle);
+
+ if(nghttp2_is_fatal(rv)) {
+ return rv;
+ }
+
 return framerv;
 }
 return 0;
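Review bot: The detach call added in the `framerv < 0` branch has no comment stating the lifetime rule it enforces, and the commit title suggests this is not the first error path that needed the same fix. A comment on the call would record the invariant, e.g. `/* detach the data item before an error return; presumably the caller frees it while stream still refers to it */`, with the wording confirmed against the caller because the free is not visible in this hunk. The same comment should say whether it is intended that a fatal `rv` replaces `framerv` as the return value and that a non-fatal non-zero `rv` is dropped. session_prep_frame starts and ends outside the hunk, so it cannot be checked here whether `stream` is guaranteed non-NULL at this point or whether other error returns still skip the detach. A test that forces this pack failure under AddressSanitizer would keep the path covered.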