From 1fed39fe1488abd654a5488b5e6ad59b4b973331 Mon Sep 17 00:00:00 2001
From: nanang <nanang@localhost>
Date: Tue, 8 Jan 2019 09:07:47 +0000
Subject: [PATCH 1/5] Fixed #2172: Avoid double reference counter decrements in
 timer in the scenario of race condition between pj_timer_heap_cancel() and
 pj_timer_heap_poll().

---
 pjlib/src/pj/timer.c | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

--- a/pjlib/src/pj/timer.c
+++ b/pjlib/src/pj/timer.c
@@ -580,13 +580,16 @@ static int cancel_timer(pj_timer_heap_t
 
     lock_timer_heap(ht);
     count = cancel(ht, entry, flags | F_DONT_CALL);
-    if (flags & F_SET_ID) {
-	entry->id = id_val;
-    }
-    if (entry->_grp_lock) {
-	pj_grp_lock_t *grp_lock = entry->_grp_lock;
-	entry->_grp_lock = NULL;
-	pj_grp_lock_dec_ref(grp_lock);
+    if (count > 0) {
+	/* Timer entry found & cancelled */
+	if (flags & F_SET_ID) {
+	    entry->id = id_val;
+	}
+	if (entry->_grp_lock) {
+	    pj_grp_lock_t *grp_lock = entry->_grp_lock;
+	    entry->_grp_lock = NULL;
+	    pj_grp_lock_dec_ref(grp_lock);
+	}
     }
     unlock_timer_heap(ht);