From beb06a57ca8ad38e8b80c9ba5818f4773e0f017b Mon Sep 17 00:00:00 2001
From: Nanang Izzuddin
Date: Wed, 7 Feb 2024 15:28:32 +0700
Subject: [PATCH] Fix bad mem access in cancelling a timer, move _timer_id validation earlier. (#3854)

---
 pjlib/src/pj/timer.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/pjlib/src/pj/timer.c b/pjlib/src/pj/timer.c
index 65a837763..bbbaf91d5 100644
--- a/pjlib/src/pj/timer.c
+++ b/pjlib/src/pj/timer.c
@@ -534,11 +534,14 @@ static int cancel( pj_timer_heap_t *ht,
 PJ_CHECK_STACK();
- // Check to see if the timer_id is out of range
+ // Check to see if the timer_id is out of range.
+ // Moved to cancel_timer() as it needs to validate _timer_id earlier
+ /*
 if (entry->_timer_id < 1 || (pj_size_t)entry->_timer_id >= ht->max_size) {
 entry->_timer_id = -1;
 return 0;
 }
+ */
 timer_node_slot = ht->timer_ids[entry->_timer_id];
@@ -811,6 +814,13 @@ static int cancel_timer(pj_timer_heap_t *ht,
 PJ_ASSERT_RETURN(ht && entry, PJ_EINVAL);
 lock_timer_heap(ht);
+
+ // Check to see if the timer_id is out of range
+ if (entry->_timer_id < 1 || (pj_size_t)entry->_timer_id >= ht->max_size) {
+ unlock_timer_heap(ht);
+ return 0;
+ }
+
 timer_copy = GET_TIMER(ht, entry);
 grp_lock = timer_copy->_grp_lock;
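Review bot: The old range check in cancel() is left behind as commented-out code (the `/*` … `*/` wrapped around the `if` block) rather than deleted, which keeps dead logic in a static helper and makes it look as if cancel() still validates `_timer_id` on its own. Since cancel() now indexes `ht->timer_ids[entry->_timer_id]` unconditionally, every caller must guarantee the id is in range; if cancel() has any caller other than cancel_timer(), that caller is now one out-of-range id away from the same bad access this commit fixes. I would delete the commented block and replace it with a contract comment such as `/* Caller must have validated entry->_timer_id against ht->max_size under the heap lock. */`. cancel() begins and ends outside the hunk.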
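Review bot: The check moved into cancel_timer() returns 0 without the `entry->_timer_id = -1;` reset that the old check in cancel() performed, so an entry with an out-of-range id keeps it after the early return; if other code treats `_timer_id >= 1` as "scheduled", such an entry will still look active and re-enter this path on every cancel. Unless dropping the reset was deliberate, add `entry->_timer_id = -1;` before `unlock_timer_heap(ht);` to keep the previous contract. The new test also only bounds the index into `ht->timer_ids`; GET_TIMER's expansion is not visible here, but if it dereferences `ht->heap[ht->timer_ids[id]]` and free slots hold a sentinel rather than a valid heap index, an in-range but stale id would still produce a bad pointer at `timer_copy = GET_TIMER(ht, entry);` before cancel() gets to check the slot — worth confirming against the macro. cancel_timer() begins and ends outside the hunk.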