From 1e84fda2020b12a83c6b9c6d31ab84f993c6176c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michel=20D=C3=A4nzer?=
Date: Tue, 1 Sep 2020 11:24:57 +0200
Subject: [PATCH xserver 06/16] xfree86: Take second reference for SavedCursor in xf86CursorSetCursor

The same pointer is kept in CurrentCursor as well, therefore two RefCursor calls are needed. Fixes use-after-free after switching VTs.
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1067
(cherry picked from commit 919f1f46fc67dae93b2b3f278fcbfc77af34ec58)
---
 hw/xfree86/ramdac/xf86CursorRD.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/xfree86/ramdac/xf86CursorRD.c b/hw/xfree86/ramdac/xf86CursorRD.c
index ee1d98916..02dab36fe 100644
--- a/hw/xfree86/ramdac/xf86CursorRD.c
+++ b/hw/xfree86/ramdac/xf86CursorRD.c
@@ -334,6 +334,9 @@ xf86CursorSetCursor(DeviceIntPtr pDev, ScreenPtr pScreen, CursorPtr pCurs,
 ScreenPriv->HotY = cursor->bits->yhot;
 if (!infoPtr->pScrn->vtSema) {
+ cursor = RefCursor(cursor);
+ if (ScreenPriv->SavedCursor)
+ FreeCursor(ScreenPriv->SavedCursor, None);
 ScreenPriv->SavedCursor = cursor;
 return;
 }
-- 
2.28.0
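Review bot: The second reference taken for `ScreenPriv->SavedCursor` in the `!infoPtr->pScrn->vtSema` branch has no comment stating the ownership rule, and the fix only holds if every other site that consumes or clears `SavedCursor` releases exactly one reference. Those sites are outside this hunk, so it cannot be confirmed here that the code restoring the cursor after a VT switch, and any teardown path, treat the pointer as owned. A site that still treats it as borrowed would leak the cursor, and a site that frees it without a matching `RefCursor` would bring the use-after-free back. I would add above the `RefCursor` call `/* SavedCursor holds its own reference, separate from CurrentCursor; ref the new cursor before freeing the old one so re-saving the same cursor is safe. */`. The body of xf86CursorSetCursor starts and ends outside the hunk.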