Commit 7ae221ad authored by Martin Weber, committed by Michel Dänzer

hw/xfree86: Avoid cursor use after free

During a VT-Switch a raw pointer to the shared cursor object
is saved, which is then freed (in case of a low refcount) by a call to
xf86CursorSetCursor with argument pCurs = NullCursor.
This leaves a dangling pointer, which can lead to a use after free.

This fix ensures that there is a shared handle saved for the VT-Switch cycle.
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
parent 6a79a737
Pipeline #166569 passed with stages in 3 minutes and 39 seconds
......@@ -212,7 +212,7 @@ xf86CursorEnableDisableFBAccess(ScrnInfoPtr pScrn, Bool enable)
xf86CursorScreenKey);
if (!enable && ScreenPriv->CurrentCursor != NullCursor) {
CursorPtr currentCursor = ScreenPriv->CurrentCursor;
CursorPtr currentCursor = RefCursor(ScreenPriv->CurrentCursor);
xf86CursorSetCursor(pDev, pScreen, NullCursor, ScreenPriv->x,
ScreenPriv->y);
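Review bot: the reference taken by `RefCursor(ScreenPriv->CurrentCursor)` must be balanced by exactly one UnrefCursor() on every path that consumes ScreenPriv->SavedCursor; this hunk shows the acquire but not the store into SavedCursor, so please confirm in the unchanged lines between the two hunks that currentCursor is the value saved there and that no early return between this call and the restore path drops the reference (a leaked reference would keep the cursor alive, which is harmless for memory safety but still a leak). The preceding `ScreenPriv->CurrentCursor != NullCursor` check correctly guards RefCursor() against a NULL argument. A one-line comment above the RefCursor() call stating that the reference is held across the VT switch and released in the enable branch would make the ownership explicit for future readers.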
......@@ -231,6 +231,7 @@ xf86CursorEnableDisableFBAccess(ScrnInfoPtr pScrn, Bool enable)
*/
xf86CursorSetCursor(pDev, pScreen, ScreenPriv->SavedCursor,
ScreenPriv->x, ScreenPriv->y);
UnrefCursor(ScreenPriv->SavedCursor);
ScreenPriv->SavedCursor = NULL;
}
}
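Review bot: the ordering here is what makes the fix safe: `UnrefCursor(ScreenPriv->SavedCursor);` runs only after xf86CursorSetCursor() has restored the cursor and taken its own reference, so the object cannot reach refcount zero while it is still in use. Setting `ScreenPriv->SavedCursor = NULL;` afterwards is the right defence against a double UnrefCursor() if the enable branch is entered again. Two things worth a check: if the disable branch can run twice without an intervening enable, the earlier SavedCursor reference would be overwritten and leaked, so the surrounding condition should exclude that; and a short comment noting that this unref balances the RefCursor() in the disable path would help, since the two halves sit about twenty lines apart and the pairing is easy to lose in a later edit.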