Opened 16 years ago
Closed 16 years ago
#701 closed defect (fixed)
Possible heap corruption in pjmedia/pasound.c callback's thread (thanks Paulo Sousa for the detail report).
Reported by: | nanang | Owned by: | nanang |
---|---|---|---|
Priority: | normal | Milestone: | release-1.1 |
Component: | pjmedia | Version: | trunk |
Keywords: | Cc: | ||
Backport to 1.x milestone: | Backported: |
Description (last modified by nanang)
Here is quoted report:
We ran into a intermittent problem with memory corruption on the Windows version of the application, that we traced to sound stream handling in "pasound.c".
For each call, the application is calling "pjmedia_snd_port_create()" at the start of the call and "pjmedia_snd_port_destroy()" at the end of the call. After the second call, the application got corrupted heap sections.
We noticed that after the second call, the thread that is receiving sound frames by PortAudio? through "PaPlayerCallback?()" had an invalid structure in it's TLS when calling pj_thread_this(). On the second call, the thread was not being registered, so the initial thread register was referencing the memory pool of the first call.
So, basically callback's thread cases to be handled are:
- The thread may be changed in the middle of a session, e.g: in MacOS it happens when plugging/unplugging headphone.
- The same thread may be reused in consecutive sessions. The first session will leave TLS set, but release the TLS data address, so the second session must re-register the callback's thread.
Change History (2)
comment:1 Changed 16 years ago by nanang
- Description modified (diff)
comment:2 Changed 16 years ago by nanang
- Resolution set to fixed
- Status changed from new to closed
In r2426: Updated PA callbacks to check their thread registration status using both: manual flag and actual/TLS status.