[Backport] Security bug 379715150

Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/6032156:
[M126-LTS] Use temporary variable to prevent heap-use-after-free

There is a UAF in stable as DecoderBuffer::side_data() returns a
temporary object. Raw pointers into its owned members will be dangling
(seen in next line)

Also, this was fixed in
https://chromium-review.googlesource.com/c/chromium/src/+/5893004 but
that is in M132, not M131.
Bug: 379715150

Change-Id: I52e95503c4c5daaed58514a1d007335c1a3cab74
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6032156
Reviewed-by: Thomas Guilbert <[email protected]>
Commit-Queue: Syed AbuTalib <[email protected]>
Reviewed-by: Dale Curtis <[email protected]>
Cr-Commit-Position: refs/heads/main@{#1385358}
(cherry picked from commit b857e972de828077fe6a4595335d27530879191f)
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/615715
Reviewed-by: Anu Aliyas <[email protected]>

Author: SyedAbuTalib

chromium/media/gpu/v4l2/legacy/v4l2_stateful_workaround.cc

@@ -229,16 +229,14 @@ CreateV4L2StatefulWorkarounds(V4L2Device::Type device_type,
 
 bool AppendVP9SuperFrameIndex(scoped_refptr<DecoderBuffer>& buffer) {
   DCHECK(buffer->has_side_data());
-  DCHECK(!buffer->side_data()->spatial_layers.empty());
+  std::vector<uint32_t> frame_sizes = buffer->side_data()->spatial_layers;
+  DCHECK(!frame_sizes.empty());
 
-  const size_t num_of_layers = buffer->side_data()->spatial_layers.size();
-  if (num_of_layers > 3u) {
+  if (frame_sizes.size() > 3u) {
     LOG(ERROR) << "The maximum number of spatial layers in VP9 is three";
     return false;
   }
 
-  const uint32_t* cue_data = buffer->side_data()->spatial_layers.data();
-  std::vector<uint32_t> frame_sizes(cue_data, cue_data + num_of_layers);
   std::vector<uint8_t> superframe_index = CreateSuperFrameIndex(frame_sizes);
   const size_t vp9_superframe_size =
       buffer->data_size() + superframe_index.size();