Skip to content
Snippets Groups Projects
Select Git revision
  • master default protected
  • 21.1.16-1
  • 21.1.15-1
  • 21.1.14-1
  • 21.1.13-1
  • 21.1.12-1
  • 21.1.11-2
  • 21.1.11-1
  • 21.1.10-1
  • 21.1.9-2
  • 21.1.9-1
  • 21.1.8-2
12 results
Blame Permalink
0001-xfree86-Take-second-reference-for-SavedCursor-in-xf8.patch 1.18 KiB 
From 919f1f46fc67dae93b2b3f278fcbfc77af34ec58 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michel=20D=C3=A4nzer?= <mdaenzer@redhat.com>
Date: Mon, 31 Aug 2020 12:10:43 +0200
Subject: [PATCH] xfree86: Take second reference for SavedCursor in
 xf86CursorSetCursor

The same pointer is kept in CurrentCursor as well, therefore two
RefCursor calls are needed.

Fixes use-after-free after switching VTs.

Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1067
Signed-off-by: Laurent Carlier <lordheavym@gmail.com>
---
 hw/xfree86/ramdac/xf86CursorRD.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/xfree86/ramdac/xf86CursorRD.c b/hw/xfree86/ramdac/xf86CursorRD.c
index 9aa3de97b..c8362d169 100644
--- a/hw/xfree86/ramdac/xf86CursorRD.c
+++ b/hw/xfree86/ramdac/xf86CursorRD.c
@@ -334,6 +334,9 @@ xf86CursorSetCursor(DeviceIntPtr pDev, ScreenPtr pScreen, CursorPtr pCurs,
         ScreenPriv->HotY = cursor->bits->yhot;

         if (!infoPtr->pScrn->vtSema) {
+            cursor = RefCursor(cursor);
+            if (ScreenPriv->SavedCursor)
+                FreeCursor(ScreenPriv->SavedCursor, None);
             ScreenPriv->SavedCursor = cursor;
             return;
         }
-- 
2.28.0