From: George Joseph Date: Tue, 22 Jan 2019 15:02:37 +0000 (-0700) Subject: pjproject_bundled: Add patch for double free issue in timer heap X-Git-Tag: 16.2.0-rc1~19 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9c11399be3ae48bed620ea5775c435e671495b25;p=thirdparty%2Fasterisk.git pjproject_bundled: Add patch for double free issue in timer heap Fixed #2172: Avoid double reference counter decrements in timer in the scenario of race condition between pj_timer_heap_cancel() and pj_timer_heap_poll(). Change-Id: If000e9438c83ac5084b678eb811e902c035bd2d8 --- diff --git a/third-party/pjproject/patches/0020-Fixed-2172-Avoid-double-reference-counter-decrements.patch b/third-party/pjproject/patches/0020-Fixed-2172-Avoid-double-reference-counter-decrements.patch new file mode 100644 index 0000000000..e394506271 --- /dev/null +++ b/third-party/pjproject/patches/0020-Fixed-2172-Avoid-double-reference-counter-decrements.patch @@ -0,0 +1,42 @@ +From 1fed39fe1488abd654a5488b5e6ad59b4b973331 Mon Sep 17 00:00:00 2001 +From: nanang +Date: Tue, 8 Jan 2019 09:07:47 +0000 +Subject: [PATCH 1/5] Fixed #2172: Avoid double reference counter decrements in + timer in the scenario of race condition between pj_timer_heap_cancel() and + pj_timer_heap_poll(). + +--- + pjlib/src/pj/timer.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +diff --git a/pjlib/src/pj/timer.c b/pjlib/src/pj/timer.c +index 90a95e37b..7bae084ef 100644 +--- a/pjlib/src/pj/timer.c ++++ b/pjlib/src/pj/timer.c +@@ -580,13 +580,16 @@ static int cancel_timer(pj_timer_heap_t *ht, + + lock_timer_heap(ht); + count = cancel(ht, entry, flags | F_DONT_CALL); +- if (flags & F_SET_ID) { +- entry->id = id_val; +- } +- if (entry->_grp_lock) { +- pj_grp_lock_t *grp_lock = entry->_grp_lock; +- entry->_grp_lock = NULL; +- pj_grp_lock_dec_ref(grp_lock); ++ if (count > 0) { ++ /* Timer entry found & cancelled */ ++ if (flags & F_SET_ID) { ++ entry->id = id_val; ++ } ++ if (entry->_grp_lock) { ++ pj_grp_lock_t *grp_lock = entry->_grp_lock; ++ entry->_grp_lock = NULL; ++ pj_grp_lock_dec_ref(grp_lock); ++ } + } + unlock_timer_heap(ht); + +-- +2.20.1 +