From 919f1f46fc67dae93b2b3f278fcbfc77af34ec58 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michel=20D=C3=A4nzer?= Date: Mon, 31 Aug 2020 12:10:43 +0200 Subject: [PATCH] xfree86: Take second reference for SavedCursor in xf86CursorSetCursor The same pointer is kept in CurrentCursor as well, therefore two RefCursor calls are needed. Fixes use-after-free after switching VTs. Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1067 Signed-off-by: Laurent Carlier --- hw/xfree86/ramdac/xf86CursorRD.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/hw/xfree86/ramdac/xf86CursorRD.c b/hw/xfree86/ramdac/xf86CursorRD.c index 9aa3de97b..c8362d169 100644 --- a/hw/xfree86/ramdac/xf86CursorRD.c +++ b/hw/xfree86/ramdac/xf86CursorRD.c @@ -334,6 +334,9 @@ xf86CursorSetCursor(DeviceIntPtr pDev, ScreenPtr pScreen, CursorPtr pCurs, ScreenPriv->HotY = cursor->bits->yhot; if (!infoPtr->pScrn->vtSema) { + cursor = RefCursor(cursor); + if (ScreenPriv->SavedCursor) + FreeCursor(ScreenPriv->SavedCursor, None); ScreenPriv->SavedCursor = cursor; return; } -- 2.28.0