pjproject_bundled: Add patch for double free issue in timer heap
[asterisk/asterisk.git] / third-party / pjproject / patches / 0020-Fixed-2172-Avoid-double-reference-counter-decrements.patch
1 From 1fed39fe1488abd654a5488b5e6ad59b4b973331 Mon Sep 17 00:00:00 2001
2 From: nanang <nanang@localhost>
3 Date: Tue, 8 Jan 2019 09:07:47 +0000
4 Subject: [PATCH 1/5] Fixed #2172: Avoid double reference counter decrements in
5  timer in the scenario of race condition between pj_timer_heap_cancel() and
6  pj_timer_heap_poll().
7
8 ---
9  pjlib/src/pj/timer.c | 17 ++++++++++-------
10  1 file changed, 10 insertions(+), 7 deletions(-)
11
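--- a/pjlib/src/pj/timer.c
+++ b/pjlib/src/pj/timer.c
@@ -580,13 +580,16 @@ static int cancel_timer(pj_timer_heap_t *ht,
 
     lock_timer_heap(ht);
     count = cancel(ht, entry, flags | F_DONT_CALL);
-    if (flags & F_SET_ID) {
-       entry->id = id_val;
-    }
-    if (entry->_grp_lock) {
-       pj_grp_lock_t *grp_lock = entry->_grp_lock;
-       entry->_grp_lock = NULL;
-       pj_grp_lock_dec_ref(grp_lock);
+    if (count > 0) {
+       /* Timer entry found & cancelled */
+       if (flags & F_SET_ID) {
+           entry->id = id_val;
+       }
+       if (entry->_grp_lock) {
+           pj_grp_lock_t *grp_lock = entry->_grp_lock;
+           entry->_grp_lock = NULL;
+           pj_grp_lock_dec_ref(grp_lock);
+       }
     }
     unlock_timer_heap(ht);
 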
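Review bot: The new `if (count > 0)` guard in cancel_timer() also wraps the `entry->id = id_val` assignment, so a caller passing F_SET_ID no longer has the id written when the entry was not on the heap. The commit message only talks about the reference counter, so this side effect should be confirmed as intended. The comment `/* Timer entry found & cancelled */` also does not record why the decrement must be skipped otherwise. I would expand it to something like `/* Entry was still scheduled and we removed it, so this path owns the group-lock reference; when count is 0 the poll path is presumably releasing it, and a second pj_grp_lock_dec_ref() would over-release the lock */`. The fix relies on cancel() returning 0 for an entry that pj_timer_heap_poll() has already taken, which cannot be checked from this hunk; cancel_timer's body starts and ends outside it.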
40 -- 
41 2.20.1
42