Diffstat (limited to 'third-party/pjproject/patches/0001-r5400-pjsip_tx_data_dec_ref.patch')
-rw-r--r-- | third-party/pjproject/patches/0001-r5400-pjsip_tx_data_dec_ref.patch | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/third-party/pjproject/patches/0001-r5400-pjsip_tx_data_dec_ref.patch b/third-party/pjproject/patches/0001-r5400-pjsip_tx_data_dec_ref.patch
new file mode 100644
index 000000000..b5c11db45
--- /dev/null
+++ b/third-party/pjproject/patches/0001-r5400-pjsip_tx_data_dec_ref.patch
@@ -0,0 +1,24 @@
+This patch fixes the issue in pjsip_tx_data_dec_ref()
+when tx_data_destroy can be called more than once,
+and checks if invalid value (e.g. NULL) is passed to.
+
+Index: pjsip/src/pjsip/sip_transport.c
+===================================================================
+--- a/pjsip/src/pjsip/sip_transport.c (revision 5399)
++++ b/pjsip/src/pjsip/sip_transport.c (revision 5400)
+@@ -491,8 +491,13 @@
+ */
+ PJ_DEF(pj_status_t) pjsip_tx_data_dec_ref( pjsip_tx_data *tdata )
+ {
+- pj_assert( pj_atomic_get(tdata->ref_cnt) > 0);
+- if (pj_atomic_dec_and_get(tdata->ref_cnt) <= 0) {
++ pj_atomic_value_t ref_cnt;
++
++ PJ_ASSERT_RETURN(tdata && tdata->ref_cnt, PJ_EINVAL);
++
++ ref_cnt = pj_atomic_dec_and_get(tdata->ref_cnt);
++ pj_assert( ref_cnt >= 0);
++ if (ref_cnt == 0) {
+ tx_data_destroy(tdata);
+ return PJSIP_EBUFDESTROYED;
+ } else {
|
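Review bot: In the new body of pjsip_tx_data_dec_ref(), an over-release is caught only by `pj_assert( ref_cnt >= 0);`, so in builds where pj_assert is compiled out a negative count falls silently into the else branch. That avoids a second tx_data_destroy(), but the decrement has already written through tdata->ref_cnt, which presumably sits in memory the first destroy released, so the caller's extra dec_ref stays a use-after-free that nothing reports. Consider making that case explicit and observable in release builds, for example `if (ref_cnt < 0) return PJ_EINVAL;` with a log line before it, and check the result against upstream r5400 before diverging from it. The else branch runs past the end of the hunk, so what it returns for a negative count is not visible here.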