xserver: Branch 'master'
GitLab Mirror
gitlab-mirror at kemper.freedesktop.org
Wed Jun 24 08:06:49 UTC 2020
hw/xfree86/ramdac/xf86CursorRD.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
New commits:
commit 7ae221ad5774756766dc78a73d71f4163ac7b1c6
Author: Martin Weber <martin.weber at secunet.com>
Date: Fri Jun 19 16:51:15 2020 +0200
hw/xfree86: Avoid cursor use after free
During a VT-Switch a raw pointer to the shared cursor object
is saved which is then freed (in case of low refcount) by a call to
xf86CursorSetCursor with argument pCurs = NullCursor.
This leaves a dangling pointer, which can result in a use after free.
This fix ensures that there is a shared handle saved for the VT-Switch cycle.
Reviewed-by: Michel Dänzer <mdaenzer at redhat.com>
diff --git a/hw/xfree86/ramdac/xf86CursorRD.c b/hw/xfree86/ramdac/xf86CursorRD.c
index afcce5353..ee1d98916 100644
--- a/hw/xfree86/ramdac/xf86CursorRD.c
+++ b/hw/xfree86/ramdac/xf86CursorRD.c
@@ -212,7 +212,7 @@ xf86CursorEnableDisableFBAccess(ScrnInfoPtr pScrn, Bool enable)
xf86CursorScreenKey);
if (!enable && ScreenPriv->CurrentCursor != NullCursor) {
- CursorPtr currentCursor = ScreenPriv->CurrentCursor;
+ CursorPtr currentCursor = RefCursor(ScreenPriv->CurrentCursor);
xf86CursorSetCursor(pDev, pScreen, NullCursor, ScreenPriv->x,
ScreenPriv->y);
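Review bot: The new `RefCursor(ScreenPriv->CurrentCursor)` line carries no comment explaining why a reference is taken here, and the matching `UnrefCursor` sits in the second hunk about twenty lines later, so the pair is easy to unbalance in a later edit. I would annotate the new line with `/* Hold a ref across the VT switch: SetCursor(NullCursor) below may drop the last one; released again in the enable path. */`. The body of xf86CursorEnableDisableFBAccess between this hunk and the next is outside the diff, so whether `currentCursor` is stored into `ScreenPriv->SavedCursor` unchanged cannot be confirmed from here; the unref in the second hunk balances this ref only if it is.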
@@ -231,6 +231,7 @@ xf86CursorEnableDisableFBAccess(ScrnInfoPtr pScrn, Bool enable)
*/
xf86CursorSetCursor(pDev, pScreen, ScreenPriv->SavedCursor,
ScreenPriv->x, ScreenPriv->y);
+ UnrefCursor(ScreenPriv->SavedCursor);
ScreenPriv->SavedCursor = NULL;
}
}
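Review bot: The added `UnrefCursor(ScreenPriv->SavedCursor)` immediately after the restore call is only correct if `xf86CursorSetCursor` takes its own reference on the cursor it installs; otherwise this unref would drop the sole remaining reference on the now-current cursor and reintroduce the very dangling pointer being fixed. The description implies SetCursor does refcount (the NullCursor call frees on low refcount), but that is not visible in the hunk, so the ordering deserves a comment such as `/* drop the ref taken in the disable path; SetCursor holds its own */`. The enable branch's guard is above this hunk, so whether `SavedCursor` can be NULL at this point is likewise not verifiable from the diff.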