pjproject: fixed a few bugs

This patch fixes the issue in pjsip_tx_data_dec_ref() when tx_data_destroy can be called more than once, and checks if invalid value (e.g. NULL) is passed to. This patch updates array limit checks and docs in pjsip_evsub_register_pkg() and pjsip_endpt_add_capability(). Change-Id: I4c7a132b9664afaecbd6bf5ea4c951e43e273e40
2025-10-03 19:16:46 +00:00 · 2016-07-21 11:36:44 -04:00
parent d4242d6250
commit f00525a6f6
2 changed files with 82 additions and 0 deletions
--- a/third-party/pjproject/patches/0001-r5400-pjsip_tx_data_dec_ref.patch
+++ b/third-party/pjproject/patches/0001-r5400-pjsip_tx_data_dec_ref.patch
@@ -0,0 +1,24 @@
+This patch fixes the issue in pjsip_tx_data_dec_ref()
+when tx_data_destroy can be called more than once,
+and checks if invalid value (e.g. NULL) is passed to.
+
+Index: pjsip/src/pjsip/sip_transport.c
+===================================================================
+--- a/pjsip/src/pjsip/sip_transport.c	(revision 5399)
+++ b/pjsip/src/pjsip/sip_transport.c	(revision 5400)
+@@ -491,8 +491,13 @@
+  */
+ PJ_DEF(pj_status_t) pjsip_tx_data_dec_ref( pjsip_tx_data *tdata )
+ {
+-    pj_assert( pj_atomic_get(tdata->ref_cnt) > 0);
+-    if (pj_atomic_dec_and_get(tdata->ref_cnt) <= 0) {
+    pj_atomic_value_t ref_cnt;
+    
+    PJ_ASSERT_RETURN(tdata && tdata->ref_cnt, PJ_EINVAL);
+
+    ref_cnt = pj_atomic_dec_and_get(tdata->ref_cnt);
+    pj_assert( ref_cnt >= 0);
+    if (ref_cnt == 0) {
+ 	tx_data_destroy(tdata);
+ 	return PJSIP_EBUFDESTROYED;
+     } else {