Possible heap corruption in pjmedia/pasound.c callback's thread (thanks Paulo Sousa for the detail report).

[nanang]

Here is quoted report:

We ran into a intermittent problem with memory corruption on the Windows version of the application, that we traced to sound stream handling in "pasound.c".

For each call, the application is calling "pjmedia_snd_port_create()" at the start of the call and "pjmedia_snd_port_destroy()" at the end of the call. After the second call, the application got corrupted heap sections.

We noticed that after the second call, the thread that is receiving sound frames by PortAudio? through "PaPlayerCallback?()" had an invalid structure in it's TLS when calling pj_thread_this(). On the second call, the thread was not being registered, so the initial thread register was referencing the memory pool of the first call.

So, basically callback's thread cases to be handled are:

• The thread may be changed in the middle of a session, e.g: in MacOS it happens when plugging/unplugging headphone.
• The same thread may be reused in consecutive sessions. The first session will leave TLS set, but release the TLS data address, so the second session must re-register the callback's thread.