From 8414ca191ec3bea551aeb829f1b40a77d210f81e Mon Sep 17 00:00:00 2001
From: George Joseph <gjoseph@digium.com>
Date: Tue, 22 Jan 2019 08:02:37 -0700
Subject: [PATCH] pjproject_bundled: Add patch for double free issue in timer heap

Fixed #2172: Avoid double reference counter decrements in timer in the scenario of race condition between pj_timer_heap_cancel() and pj_timer_heap_poll().

Change-Id: If000e9438c83ac5084b678eb811e902c035bd2d8
---
 ...-double-reference-counter-decrements.patch | 42 +++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 third-party/pjproject/patches/0020-Fixed-2172-Avoid-double-reference-counter-decrements.patch

diff --git a/third-party/pjproject/patches/0020-Fixed-2172-Avoid-double-reference-counter-decrements.patch b/third-party/pjproject/patches/0020-Fixed-2172-Avoid-double-reference-counter-decrements.patch
new file mode 100644
index 0000000000..e394506271
--- /dev/null
+++ b/third-party/pjproject/patches/0020-Fixed-2172-Avoid-double-reference-counter-decrements.patch
@@ -0,0 +1,42 @@
+From 1fed39fe1488abd654a5488b5e6ad59b4b973331 Mon Sep 17 00:00:00 2001
+From: nanang <nanang@localhost>
+Date: Tue, 8 Jan 2019 09:07:47 +0000
+Subject: [PATCH 1/5] Fixed #2172: Avoid double reference counter decrements in
+ timer in the scenario of race condition between pj_timer_heap_cancel() and
+ pj_timer_heap_poll().
+
+---
+ pjlib/src/pj/timer.c | 17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+
+diff --git a/pjlib/src/pj/timer.c b/pjlib/src/pj/timer.c
+index 90a95e37b..7bae084ef 100644
+--- a/pjlib/src/pj/timer.c
++++ b/pjlib/src/pj/timer.c
+@@ -580,13 +580,16 @@ static int cancel_timer(pj_timer_heap_t *ht,
+ 
+ lock_timer_heap(ht);
+ count = cancel(ht, entry, flags | F_DONT_CALL);
+- if (flags & F_SET_ID) {
+- entry->id = id_val;
+- }
+- if (entry->_grp_lock) {
+- pj_grp_lock_t *grp_lock = entry->_grp_lock;
+- entry->_grp_lock = NULL;
+- pj_grp_lock_dec_ref(grp_lock);
++ if (count > 0) {
++ /* Timer entry found & cancelled */
++ if (flags & F_SET_ID) {
++ entry->id = id_val;
++ }
++ if (entry->_grp_lock) {
++ pj_grp_lock_t *grp_lock = entry->_grp_lock;
++ entry->_grp_lock = NULL;
++ pj_grp_lock_dec_ref(grp_lock);
++ }
+ }
+ unlock_timer_heap(ht);
+ 
+-- 
+2.20.1
+
-- 
GitLab
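Review bot: The new `if (count > 0)` guard in cancel_timer() only closes the double-decrement if `cancel()` returns 0 for an entry that pj_timer_heap_poll() has already popped from the heap, and that contract is invoked here but not visible in the hunk; the one-line comment `/* Timer entry found & cancelled */` should say why the else-path must not touch the reference, e.g. `/* count == 0: poll() already popped this entry and its callback path owns the remaining grp_lock reference; decrementing here too would double-free it */`. A second effect worth stating in the patch description is that `entry->id` is no longer rewritten when F_SET_ID is passed for an entry not found in the heap, so any caller that relied on cancel_timer() resetting the id of an inactive timer now observes the old value; if that was intentional it deserves a sentence, since the guard silently changes two behaviours at once. The enclosing cancel_timer() starts and ends outside this hunk, so whether `count` is initialised on all paths before the lock cannot be confirmed from here.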