6c2dd5fc20
The content of this branch was automatically imported from Fedora ELN with the following as its source: https://src.fedoraproject.org/rpms/xorg-x11-server#eaf442296937a83e622ce4995c5f33122bcd6f02
35 lines
1.2 KiB
Diff
35 lines
1.2 KiB
Diff
From 1e84fda2020b12a83c6b9c6d31ab84f993c6176c Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Michel=20D=C3=A4nzer?= <mdaenzer@redhat.com>
|
|
Date: Tue, 1 Sep 2020 11:24:57 +0200
|
|
Subject: [PATCH xserver 06/16] xfree86: Take second reference for SavedCursor
|
|
in xf86CursorSetCursor
|
|
|
|
The same pointer is kept in CurrentCursor as well, therefore two
|
|
RefCursor calls are needed.
|
|
|
|
Fixes use-after-free after switching VTs.
|
|
|
|
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1067
|
|
(cherry picked from commit 919f1f46fc67dae93b2b3f278fcbfc77af34ec58)
|
|
---
|
|
hw/xfree86/ramdac/xf86CursorRD.c | 3 +++
|
|
1 file changed, 3 insertions(+)
|
|
|
|
diff --git a/hw/xfree86/ramdac/xf86CursorRD.c b/hw/xfree86/ramdac/xf86CursorRD.c
|
|
index ee1d98916..02dab36fe 100644
|
|
--- a/hw/xfree86/ramdac/xf86CursorRD.c
|
|
+++ b/hw/xfree86/ramdac/xf86CursorRD.c
|
|
@@ -334,6 +334,9 @@ xf86CursorSetCursor(DeviceIntPtr pDev, ScreenPtr pScreen, CursorPtr pCurs,
|
|
ScreenPriv->HotY = cursor->bits->yhot;
|
|
|
|
if (!infoPtr->pScrn->vtSema) {
|
|
+ cursor = RefCursor(cursor);
|
|
+ if (ScreenPriv->SavedCursor)
|
|
+ FreeCursor(ScreenPriv->SavedCursor, None);
|
|
ScreenPriv->SavedCursor = cursor;
|
|
return;
|
|
}
|
|
--
|
|
2.28.0
|
|
|