Fixes use-after-free in MojoDemuxerStreamImpl.

media/mojo/clients/mojo_renderer_impl.h

Index: media/mojo/clients/mojo_renderer_impl.h
diff --git a/media/mojo/clients/mojo_renderer_impl.h b/media/mojo/clients/mojo_renderer_impl.h
index 9b60afe5b494cfaf46542be3f3de43818b836637..a3a286d5d3c6772c75ee81e2468843ace77dd374 100644
--- a/media/mojo/clients/mojo_renderer_impl.h
+++ b/media/mojo/clients/mojo_renderer_impl.h
@@ -19,6 +19,7 @@ class SingleThreadTaskRunner;
 namespace media {
 
 class DemuxerStreamProvider;
+class MojoDemuxerStreamImpl;
 class VideoOverlayFactory;
 class VideoRendererSink;
 
@@ -88,13 +89,17 @@ class MojoRendererImpl : public Renderer, public mojom::RendererClient {
   // Rendering of a new overlay is only needed when video natural size changes.
   VideoRendererSink* video_renderer_sink_;
 
-  // Provider of audio/video DemuxerStreams. Must be valid throughout the
-  // lifetime of |this|.
-  DemuxerStreamProvider* demuxer_stream_provider_;
-
   // Client of |this| renderer passed in Initialize.
   media::RendererClient* client_;
 
+  // Mojo demuxer streams.
+  // Owned by MojoRendererImpl instead of remote mojom::Renderer
+  // becuase these demuxer streams need to be destroyed as soon as |this| is
+  // destroyed. The local demuxer streams returned by DemuxerStreamProvider
+  // cannot be used after |this| is destroyed.
+  std::unique_ptr<MojoDemuxerStreamImpl> audio_stream_;
+  std::unique_ptr<MojoDemuxerStreamImpl> video_stream_;
+
   // This class is constructed on one thread and used exclusively on another
   // thread. This member is used to safely pass the RendererPtr from one thread
   // to another. It is set in the constructor and is consumed in Initialize().