On Fri, Nov 4, 2011 at 7:10 AM, Ross Finlayson <span dir="ltr"><<a href="mailto:finlayson@live555.com" target="_blank">finlayson@live555.com</a>></span> wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

<div style="word-wrap:break-word"><div><div><blockquote type="cite"><div style="word-wrap:break-word"><div><span><div><div><div><div><div><div><span><div><div><span><div><div><div><div><div><div><span><div><div>
<div>Looking at the code here <a href="http://www.live555.com/liveMedia/doxygen/html/DelayQueue_8cpp-source.html" target="_blank">http://www.live555.com/liveMedia/doxygen/html/DelayQueue_8cpp-source.html</a> I see this:</div>

<div><br></div><div><pre>
00153 void DelayQueue::removeEntry(DelayQueueEntry* entry) {
00154   if (entry == NULL || entry->fNext == NULL) return;
00155   
00156   entry->fNext->fDeltaTimeRemaining += entry->fDeltaTimeRemaining;
00157   entry->fPrev->fNext = entry->fNext;
00158   entry->fNext->fPrev = entry->fPrev;
00159   entry->fNext = entry->fPrev = NULL;
00160   // in case we should try to remove it again
00161 }</pre><div><br></div></div><div>I think the first if could produce a wrong memory access if entry is NULL. Is that correct?</div>
</div></div></span></div>
</div></div></div></div></div></span></div></div></span></div></div></div></div></div></div></span></div></div></blockquote><div><br></div></div></div>No, because the statement at line 154 quite clearly tests for "entry == NULL", and returns if it is.<br>

</div></blockquote><div><br>Is it possible that entry->fPrev is null?  I notice it checks entry and fNext, but not fPrev.  But on line 157, it pretty clearly attempts to dereference both fPrev and fPrev->fNext.  Also, it dereferences entry->fNext->fPrev, which could (in theory) be null.<br>

<br>Not familiar with the code, so maybe there's no problem with any of this, but there seem to be ample opportunities for a segmentation fault that aren't caught by the statement at line 154.<br></div></div>
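<p>Added example, not live555 code and not part of this thread: a minimal sentinel-headed circular doubly-linked queue in the shape of the removeEntry quoted above. It shows why the single test on line 154 is enough for an entry that is actually linked into such a queue (both links non-null while linked, both null once removed), and it includes an invariant walk that reports the case the question raises, an entry with fNext set but fPrev null. The Queue and Entry types, addEntry, invariantHolds and size are assumptions of this example, and so is the premise that the real DelayQueue is a circular list with a sentinel head; the thread itself does not state that.</p>

```cpp
// Added example, not live555 code: a sentinel-headed circular doubly-linked
// queue in the shape of the quoted DelayQueue::removeEntry. Queue, Entry,
// addEntry, invariantHolds and size are assumptions of this example.
#include <cstdio>

struct Entry {
    Entry* fNext = nullptr;         // nullptr on both links means "not in any queue"
    Entry* fPrev = nullptr;
    long   fDeltaTimeRemaining = 0; // delay relative to the entry before it
};

class Queue : public Entry {
public:
    // The sentinel links to itself, so even an empty queue has non-null links.
    Queue() { fNext = fPrev = this; }

    // Append before the sentinel; delta is relative to the current last entry.
    void addEntry(Entry* newEntry, long delta) {
        newEntry->fDeltaTimeRemaining = delta;
        newEntry->fPrev = fPrev;
        newEntry->fNext = this;
        fPrev->fNext = newEntry;
        fPrev = newEntry;
    }

    // Same shape as the quoted function: one test on entry and entry->fNext
    // guards the three dereferences that follow (lines 156-158 in the quote).
    void removeEntry(Entry* entry) {
        if (entry == nullptr || entry->fNext == nullptr) return;
        entry->fNext->fDeltaTimeRemaining += entry->fDeltaTimeRemaining;
        entry->fPrev->fNext = entry->fNext;
        entry->fNext->fPrev = entry->fPrev;
        entry->fNext = entry->fPrev = nullptr; // so a repeated remove is a no-op
    }

    // The invariant that makes the single test sufficient: every entry reachable
    // from the sentinel has both links non-null, and the links agree pairwise.
    bool invariantHolds() const {
        const Entry* e = this;
        do {
            if (e->fNext == nullptr || e->fPrev == nullptr) return false;
            if (e->fNext->fPrev != e || e->fPrev->fNext != e) return false;
            e = e->fNext;
        } while (e != this);
        return true;
    }

    // Number of entries excluding the sentinel.
    int size() const {
        int n = 0;
        for (const Entry* e = fNext; e != this; e = e->fNext) ++n;
        return n;
    }
};

// Remove the middle of three entries, then call removeEntry on the same
// (now unlinked) entry and on nullptr; both are rejected by the first test.
// Returns the delta the following entry absorbed, or -1 if the list broke.
long demoRemoveMiddle() {
    Queue q;
    Entry a, b, c;
    q.addEntry(&a, 10);
    q.addEntry(&b, 20);
    q.addEntry(&c, 30);
    q.removeEntry(&b);
    q.removeEntry(&b);        // b.fNext is now nullptr: returns at the test
    q.removeEntry(nullptr);   // entry == nullptr: returns at the test
    if (!q.invariantHolds() || q.size() != 2) return -1;
    return c.fDeltaTimeRemaining; // 30 + 20
}

// Simulate the case raised in the thread: an entry whose fNext is set but
// whose fPrev is null. removeEntry would pass its test and dereference the
// null fPrev, so the defence is to detect the broken invariant before that call.
bool invariantDetectsNullPrev() {
    Queue q;
    Entry a, b;
    q.addEntry(&a, 5);
    q.addEntry(&b, 7);
    bool intactBefore = q.invariantHolds();
    b.fPrev = nullptr;        // constructed corruption, never passed to removeEntry
    bool brokenAfter = !q.invariantHolds();
    b.fPrev = &a;             // restore so the objects are consistent on exit
    return intactBefore && brokenAfter;
}

int main() {
    std::printf("absorbed delta after removal: %ld\n", demoRemoveMiddle());
    std::printf("null fPrev detected: %s\n", invariantDetectsNullPrev() ? "yes" : "no");
    return 0;
}
```

<p>Under this design the test on line 154 is not a partial null check but a membership check: a linked entry always has both fPrev and fNext non-null (the sentinel guarantees there is always a neighbour on each side), and an unlinked entry has both set to null by the last assignment in removeEntry. An entry with fNext set and fPrev null is therefore a corrupted list rather than a state the function is written to handle, and a walk like invariantHolds, run in debug builds, is the way to catch that before removeEntry dereferences it.</p>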