xserver: Branch 'master'

Tue Sep 1 01:51:16 UTC 2020

hw/xfree86/ramdac/xf86CursorRD.c |    3 +++
 1 file changed, 3 insertions(+)

New commits:
commit 919f1f46fc67dae93b2b3f278fcbfc77af34ec58
Author: Michel Dänzer <mdaenzer at redhat.com>
Date:   Mon Aug 31 12:10:43 2020 +0200

    xfree86: Take second reference for SavedCursor in xf86CursorSetCursor
    
    The same pointer is kept in CurrentCursor as well, therefore two
    RefCursor calls are needed.
    
    Fixes use-after-free after switching VTs.
    
    Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1067

diff --git a/hw/xfree86/ramdac/xf86CursorRD.c b/hw/xfree86/ramdac/xf86CursorRD.c
index 9aa3de97b..c8362d169 100644
--- a/hw/xfree86/ramdac/xf86CursorRD.c
+++ b/hw/xfree86/ramdac/xf86CursorRD.c
@@ -334,6 +334,9 @@ xf86CursorSetCursor(DeviceIntPtr pDev, ScreenPtr pScreen, CursorPtr pCurs,
         ScreenPriv->HotY = cursor->bits->yhot;
 
         if (!infoPtr->pScrn->vtSema) {
+            cursor = RefCursor(cursor);
+            if (ScreenPriv->SavedCursor)
+                FreeCursor(ScreenPriv->SavedCursor, None);
             ScreenPriv->SavedCursor = cursor;
             return;
         }
