Fix a use-after-free of cursor data by refcounting for the sprite.current

    reference. The particular path seen was XFixes' ReplaceCursor()
    resulting in the sprite.current being freed, but then it getting
    accessed during the ChangeToCursor() that happens as a result of
    WindowHasNewCursor().

1 files changed, 6 insertions, 1 deletions

diff --git a/dix/events.c b/dix/events.c
index 13eb67a5f..86333609d 100644
--- a/dix/events.c
+++ b/dix/events.c
@@ -1,4 +1,4 @@
-/* $XdotOrg: xc/programs/Xserver/dix/events.c,v 1.12 2005/06/15 16:46:59 daniels Exp $ */
+/* $XdotOrg: xc/programs/Xserver/dix/events.c,v 1.16 2005/07/15 05:48:29 kem Exp $ */
 /* $XFree86: xc/programs/Xserver/dix/events.c,v 3.51 2004/01/12 17:04:52 tsi Exp $ */
 /************************************************************
 
@@ -675,7 +675,9 @@ XineramaChangeToCursor(CursorPtr cursor)
 		(sprite.current->bits->yhot != cursor->bits->yhot))
 	    XineramaCheckPhysLimits(cursor, FALSE);
     	(*sprite.screen->DisplayCursor)(sprite.screen, cursor);
+	FreeCursor(sprite.current, (Cursor)0);
 	sprite.current = cursor;
+	sprite.current->refcnt++;
     }
 }
 
@@ -930,7 +932,9 @@ ChangeToCursor(CursorPtr cursor)
 			    (ScreenPtr)NULL);
 	(*sprite.hotPhys.pScreen->DisplayCursor) (sprite.hotPhys.pScreen,
 						  cursor);
+	FreeCursor(sprite.current, (Cursor)0);
 	sprite.current = cursor;
+	sprite.current->refcnt++;
     }
 }
 
@@ -2184,6 +2188,7 @@ DefineInitialRootWindow(register WindowPtr win)
 #endif
     sprite.win = win;
     sprite.current = wCursor (win);
+    sprite.current->refcnt++;
     spriteTraceGood = 1;
     ROOT = win;
     (*pScreen->CursorLimits) (