xfree86: Take second reference for SavedCursor in xf86CursorSetCursor

The same pointer is kept in CurrentCursor as well, therefore two RefCursor calls are needed. Fixes use-after-free after switching VTs. Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1067
author: Michel Dänzer <mdaenzer@redhat.com> 2020-08-31 12:10:43 +0200
committer: Michel Dänzer <michel@daenzer.net> 2020-08-31 12:10:43 +0200
commit: 919f1f46fc67dae93b2b3f278fcbfc77af34ec58 (patch)
tree: e33799c276cdfaf7c2f9e26e687c415a04c9ff86
parent: 2902b78535ecc6821cc027351818b28a5c7fdbdc (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/hw/xfree86/ramdac/xf86CursorRD.c b/hw/xfree86/ramdac/xf86CursorRD.c
index 9aa3de97b..c8362d169 100644
--- a/hw/xfree86/ramdac/xf86CursorRD.c
+++ b/hw/xfree86/ramdac/xf86CursorRD.c
@@ -334,6 +334,9 @@ xf86CursorSetCursor(DeviceIntPtr pDev, ScreenPtr pScreen, CursorPtr pCurs,
         ScreenPriv->HotY = cursor->bits->yhot;
 
         if (!infoPtr->pScrn->vtSema) {
+            cursor = RefCursor(cursor);
+            if (ScreenPriv->SavedCursor)
+                FreeCursor(ScreenPriv->SavedCursor, None);
             ScreenPriv->SavedCursor = cursor;
             return;
         }
author	Michel Dänzer <mdaenzer@redhat.com>	2020-08-31 12:10:43 +0200
committer	Michel Dänzer <michel@daenzer.net>	2020-08-31 12:10:43 +0200
commit	919f1f46fc67dae93b2b3f278fcbfc77af34ec58 (patch)
tree	e33799c276cdfaf7c2f9e26e687c415a04c9ff86
parent	2902b78535ecc6821cc027351818b28a5c7fdbdc (diff)