Ticket #701 (closed defect: fixed)

Opened 10 years ago

Last modified 10 years ago

Possible heap corruption in pjmedia/pasound.c callback's thread (thanks Paulo Sousa for the detail report).

Reported by: nanang Owned by: nanang
Priority: normal Milestone: release-1.1
Component: pjmedia Version: trunk
Keywords: Cc:
Backport to 1.x milestone: Backported:

Description (last modified by nanang) (diff)

Here is quoted report:

We ran into a intermittent problem with memory corruption on the Windows version of the application, that we traced to sound stream handling in "pasound.c".


For each call, the application is calling "pjmedia_snd_port_create()" at the start of the call and "pjmedia_snd_port_destroy()" at the end of the call. After the second call, the application got corrupted heap sections.


We noticed that after the second call, the thread that is receiving sound frames by PortAudio? through "PaPlayerCallback?()" had an invalid structure in it's TLS when calling pj_thread_this(). On the second call, the thread was not being registered, so the initial thread register was referencing the memory pool of the first call.


So, basically callback's thread cases to be handled are:

  • The thread may be changed in the middle of a session, e.g: in MacOS it happens when plugging/unplugging headphone.
  • The same thread may be reused in consecutive sessions. The first session will leave TLS set, but release the TLS data address, so the second session must re-register the callback's thread.

Change History

comment:1 Changed 10 years ago by nanang

  • Description modified (diff)

In r2426: Updated PA callbacks to check their thread registration status using both: manual flag and actual/TLS status.

comment:2 Changed 10 years ago by nanang

  • Status changed from new to closed
  • Resolution set to fixed
Note: See TracTickets for help on using tickets.