From 80f8d0b8e2214b2363afadbc8da3913f59333c8b Mon Sep 17 00:00:00 2001 From: Peter Hutterer Date: Wed, 4 Dec 2024 15:49:43 +1000 Subject: [PATCH xserver 02/13] dix: keep a ref to the rootCursor CreateCursor returns a cursor with refcount 1 - that refcount is used by the resource system, any caller needs to call RefCursor to get their own reference. That happens correctly for normal cursors but for our rootCursor we keep a variable to the cursor despite not having a ref for ourselves. Fix this by reffing/unreffing the rootCursor to ensure our pointer is valid. Related to CVE-2025-26594, ZDI-CAN-25544 Reviewed-by: Olivier Fourdan (cherry picked from commit b0a09ba6020147961acc62d9c73d807b4cccd9f7) Part-of: --- dix/main.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/dix/main.c b/dix/main.c index 4980bd6cb..0fa196427 100644 --- a/dix/main.c +++ b/dix/main.c @@ -234,6 +234,8 @@ dix_main(int argc, char *argv[], char *envp[]) FatalError("could not open default cursor font"); } + rootCursor = RefCursor(rootCursor); + #ifdef PANORAMIX /* * Consolidate window and colourmap information for each screen @@ -274,6 +276,8 @@ dix_main(int argc, char *argv[], char *envp[]) Dispatch(); + UnrefCursor(rootCursor); + UndisplayDevices(); DisableAllDevices(); -- 2.48.1
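Review bot: In the first hunk (@@ -234,6 +234,8 @@), the added `rootCursor = RefCursor(rootCursor);` has no comment saying why dix_main takes a second reference. The reason is given only in the commit message: the refcount of 1 from CreateCursor belongs to the resource system, so the pointer kept in rootCursor needs its own reference. A one-line comment above the call stating this, and noting that it is paired with the UnrefCursor after Dispatch(), would keep the pairing from being dropped or duplicated in a later cleanup.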
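Review bot: In the second hunk (@@ -274,6 +276,8 @@), `UnrefCursor(rootCursor);` drops the reference before UndisplayDevices() and DisableAllDevices() run, and it leaves rootCursor holding the old pointer. If this was the last reference, anything in the teardown path that still reads rootCursor would be looking at freed memory, which is the class of bug this series is addressing. Consider either moving the unref after the device teardown calls or clearing the variable right after it (`rootCursor = NULL;`) so a stale use fails on a NULL pointer instead of on a freed cursor. If neither teardown call touches rootCursor, a short comment saying so would settle the ordering question.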