summaryrefslogtreecommitdiff
path: root/third-party/pjproject/patches/0001-r5400-pjsip_tx_data_dec_ref.patch
diff options
context:
space:
mode:
Diffstat (limited to 'third-party/pjproject/patches/0001-r5400-pjsip_tx_data_dec_ref.patch')
-rw-r--r--third-party/pjproject/patches/0001-r5400-pjsip_tx_data_dec_ref.patch24
1 files changed, 24 insertions, 0 deletions
diff --git a/third-party/pjproject/patches/0001-r5400-pjsip_tx_data_dec_ref.patch b/third-party/pjproject/patches/0001-r5400-pjsip_tx_data_dec_ref.patch
new file mode 100644
index 000000000..b5c11db45
--- /dev/null
+++ b/third-party/pjproject/patches/0001-r5400-pjsip_tx_data_dec_ref.patch
@@ -0,0 +1,24 @@
+This patch fixes the issue in pjsip_tx_data_dec_ref()
+when tx_data_destroy can be called more than once,
+and checks if invalid value (e.g. NULL) is passed to.
+
+Index: pjsip/src/pjsip/sip_transport.c
+===================================================================
+--- a/pjsip/src/pjsip/sip_transport.c (revision 5399)
++++ b/pjsip/src/pjsip/sip_transport.c (revision 5400)
+@@ -491,8 +491,13 @@
+ */
+ PJ_DEF(pj_status_t) pjsip_tx_data_dec_ref( pjsip_tx_data *tdata )
+ {
+- pj_assert( pj_atomic_get(tdata->ref_cnt) > 0);
+- if (pj_atomic_dec_and_get(tdata->ref_cnt) <= 0) {
++ pj_atomic_value_t ref_cnt;
++
++ PJ_ASSERT_RETURN(tdata && tdata->ref_cnt, PJ_EINVAL);
++
++ ref_cnt = pj_atomic_dec_and_get(tdata->ref_cnt);
++ pj_assert( ref_cnt >= 0);
++ if (ref_cnt == 0) {
+ tx_data_destroy(tdata);
+ return PJSIP_EBUFDESTROYED;
+ } else {
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-26 15:25:08 +0000