From f00525a6f623acdba5d6198caaaa78de33e0fea4 Mon Sep 17 00:00:00 2001
From: Alexei Gradinari
Date: Thu, 21 Jul 2016 11:36:44 -0400
Subject: pjproject: fixed a few bugs
This patch fixes the issue in pjsip_tx_data_dec_ref() when tx_data_destroy can be called more than once, and checks if invalid value (e.g. NULL) is passed to. This patch updates array limit checks and docs in pjsip_evsub_register_pkg() and pjsip_endpt_add_capability().
Change-Id: I4c7a132b9664afaecbd6bf5ea4c951e43e273e40
---
.../0001-r5397-pjsip_generic_array_max_count.patch | 58 ++++++++++++++++++++++
.../patches/0001-r5400-pjsip_tx_data_dec_ref.patch | 24 +++++++++
2 files changed, 82 insertions(+)
create mode 100644 third-party/pjproject/patches/0001-r5397-pjsip_generic_array_max_count.patch
create mode 100644 third-party/pjproject/patches/0001-r5400-pjsip_tx_data_dec_ref.patch
(limited to 'third-party')
diff --git a/third-party/pjproject/patches/0001-r5397-pjsip_generic_array_max_count.patch b/third-party/pjproject/patches/0001-r5397-pjsip_generic_array_max_count.patch
new file mode 100644
index 000000000..3cc328afe
--- /dev/null
+++ b/third-party/pjproject/patches/0001-r5397-pjsip_generic_array_max_count.patch
@@ -0,0 +1,58 @@
+This patch updates array limit checks and docs
+in pjsip_evsub_register_pkg() and pjsip_endpt_add_capability().
+
+Index: pjsip/include/pjsip/sip_endpoint.h
+===================================================================
+--- a/pjsip/include/pjsip/sip_endpoint.h (revision 5396)
++++ b/pjsip/include/pjsip/sip_endpoint.h (revision 5397)
+@@ -583,7 +583,8 @@
+ * @param hname If htype specifies PJSIP_H_OTHER, then the header name
+ * must be supplied in this argument. Otherwise the value
+ * must be set to NULL.
+- * @param count The number of tags in the array.
++ * @param count The number of tags in the array. The value must not
++ * be greater than PJSIP_GENERIC_ARRAY_MAX_COUNT.
+ * @param tags Array of tags describing the capabilities or extensions
+ * to be added to the appropriate header.
+ *
+Index: pjsip/include/pjsip-simple/evsub.h
+===================================================================
+--- a/pjsip/include/pjsip-simple/evsub.h (revision 5396)
++++ b/pjsip/include/pjsip-simple/evsub.h (revision 5397)
+@@ -246,7 +246,8 @@
+ * registered.
+ * @param event_name Event package identification.
+ * @param expires Default subscription expiration time, in seconds.
+- * @param accept_cnt Number of strings in Accept array.
++ * @param accept_cnt Number of strings in Accept array. The value must
++ * not be greater than PJSIP_GENERIC_ARRAY_MAX_COUNT.
+ * @param accept Array of Accept value.
+ *
+ * @return PJ_SUCCESS on success.
+Index: pjsip/src/pjsip/sip_endpoint.c
+===================================================================
+--- a/pjsip/src/pjsip/sip_endpoint.c (revision 5396)
++++ b/pjsip/src/pjsip/sip_endpoint.c (revision 5397)
+@@ -371,6 +371,7 @@
+
+ /* Check arguments. 
*/
+ PJ_ASSERT_RETURN(endpt!=NULL && count>0 && tags, PJ_EINVAL);
++ PJ_ASSERT_RETURN(count <= PJSIP_GENERIC_ARRAY_MAX_COUNT, PJ_ETOOMANY);
+ PJ_ASSERT_RETURN(htype==PJSIP_H_ACCEPT ||
+ htype==PJSIP_H_ALLOW ||
+ htype==PJSIP_H_SUPPORTED,
+Index: pjsip/src/pjsip-simple/evsub.c
+===================================================================
+--- a/pjsip/src/pjsip-simple/evsub.c (revision 5396)
++++ b/pjsip/src/pjsip-simple/evsub.c (revision 5397)
+@@ -412,7 +412,9 @@
+ unsigned i;
+
+ PJ_ASSERT_RETURN(pkg_mod && event_name, PJ_EINVAL);
+- PJ_ASSERT_RETURN(accept_cnt < PJ_ARRAY_SIZE(pkg->pkg_accept->values),
++
++ /* Make sure accept_cnt < PJ_ARRAY_SIZE(pkg->pkg_accept->values) */
++ PJ_ASSERT_RETURN(accept_cnt <= PJSIP_GENERIC_ARRAY_MAX_COUNT,
+ PJ_ETOOMANY);
+
+ /* Make sure evsub module has been initialized */
diff --git a/third-party/pjproject/patches/0001-r5400-pjsip_tx_data_dec_ref.patch b/third-party/pjproject/patches/0001-r5400-pjsip_tx_data_dec_ref.patch
new file mode 100644
index 000000000..b5c11db45
--- /dev/null
+++ b/third-party/pjproject/patches/0001-r5400-pjsip_tx_data_dec_ref.patch
@@ -0,0 +1,24 @@
+This patch fixes the issue in pjsip_tx_data_dec_ref()
+when tx_data_destroy can be called more than once,
+and checks if invalid value (e.g. NULL) is passed to.
+
+Index: pjsip/src/pjsip/sip_transport.c
+===================================================================
+--- a/pjsip/src/pjsip/sip_transport.c (revision 5399)
++++ b/pjsip/src/pjsip/sip_transport.c (revision 5400)
+@@ -491,8 +491,13 @@
+ */
+ PJ_DEF(pj_status_t) pjsip_tx_data_dec_ref( pjsip_tx_data *tdata )
+ {
+- pj_assert( pj_atomic_get(tdata->ref_cnt) > 0);
+- if (pj_atomic_dec_and_get(tdata->ref_cnt) <= 0) {
++ pj_atomic_value_t ref_cnt;
++
++ PJ_ASSERT_RETURN(tdata && tdata->ref_cnt, PJ_EINVAL);
++
++ ref_cnt = pj_atomic_dec_and_get(tdata->ref_cnt);
++ pj_assert( ref_cnt >= 0);
++ if (ref_cnt == 0) {
+ tx_data_destroy(tdata);
+ return PJSIP_EBUFDESTROYED;
+ } else {
-- cgit v1.2.3
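Review bot: The comment added in evsub.c, `/* Make sure accept_cnt < PJ_ARRAY_SIZE(pkg->pkg_accept->values) */`, states a strict bound while the assertion directly under it enforces `accept_cnt <= PJSIP_GENERIC_ARRAY_MAX_COUNT`, so the comment no longer describes the check it sits on (the removed line was the one using `<`). Whether the relaxed `<=` is safe depends on `values` holding at least PJSIP_GENERIC_ARRAY_MAX_COUNT entries, which this hunk does not show; if it does, the comment should read `/* Make sure accept_cnt <= PJ_ARRAY_SIZE(pkg->pkg_accept->values) */`, and if it does not, the previous strict bound was the correct one and should be restored. The new `PJ_ASSERT_RETURN(count <= PJSIP_GENERIC_ARRAY_MAX_COUNT, PJ_ETOOMANY);` in sip_endpoint.c has no such comment at all, so a matching one-liner there would keep the two call sites readable side by side. Both asserted functions start and end outside the hunk, so the code that actually indexes the arrays with count and accept_cnt is not visible here.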
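Review bot: The new `if (ref_cnt == 0)` only avoids a second `tx_data_destroy(tdata)` when `tdata` is still readable after the first destroy: `pj_atomic_dec_and_get(tdata->ref_cnt)` on the line above dereferences the object before the count is examined, and the added `PJ_ASSERT_RETURN(tdata && tdata->ref_cnt, PJ_EINVAL);` can reject a NULL pointer but not a dangling one. If tx_data_destroy releases the tdata's storage (its body is outside the hunk), the "called more than once" case from the commit message remains a use-after-free on the caller's side, and only the last owner dropping its pointer fixes it; a comment such as `/* A second dec_ref after destruction is a caller bug; these checks cannot detect a freed tdata. */` would keep readers from relying on this as a double-free guard. Separately, `pj_assert( ref_cnt >= 0);` compiles out in release builds, so a negative count silently takes the `else` branch (outside the hunk) as though the decrement were valid; `if (ref_cnt < 0) return PJ_EINVAL;` before the zero test would at least report the over-release. pjsip_tx_data_dec_ref's body continues past the end of the hunk.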