Opened 11 years ago

Closed 11 years ago

#701 closed defect (fixed)

Possible heap corruption in pjmedia/pasound.c callback's thread (thanks Paulo Sousa for the detail report).

Reported by: nanang Owned by: nanang
Priority: normal Milestone: release-1.1
Component: pjmedia Version: trunk
Keywords: Cc:
Backport to 1.x milestone: Backported:

Description (last modified by nanang)

Here is quoted report:

We ran into a intermittent problem with memory corruption on the Windows version of the application, that we traced to sound stream handling in "pasound.c".


For each call, the application is calling "pjmedia_snd_port_create()" at the start of the call and "pjmedia_snd_port_destroy()" at the end of the call. After the second call, the application got corrupted heap sections.


We noticed that after the second call, the thread that is receiving sound frames by PortAudio? through "PaPlayerCallback?()" had an invalid structure in it's TLS when calling pj_thread_this(). On the second call, the thread was not being registered, so the initial thread register was referencing the memory pool of the first call.


So, basically callback's thread cases to be handled are:

  • The thread may be changed in the middle of a session, e.g: in MacOS it happens when plugging/unplugging headphone.
  • The same thread may be reused in consecutive sessions. The first session will leave TLS set, but release the TLS data address, so the second session must re-register the callback's thread.

Change History (2)

comment:1 Changed 11 years ago by nanang

  • Description modified (diff)

In r2426: Updated PA callbacks to check their thread registration status using both: manual flag and actual/TLS status.

comment:2 Changed 11 years ago by nanang

  • Resolution set to fixed
  • Status changed from new to closed
Note: See TracTickets for help on using tickets.