[PATCH xserver] xf86/cursor: Fix potential use of FreeCursor()ed cursor
Daniel Martin
consume.noise at gmail.com
Wed Dec 2 00:51:00 PST 2015
On 21 September 2015 at 11:14, Daniel Martin <daniel.martin at secunet.com> wrote:
> We save CurrentCursor if we're going to remove it from the screen in
> xf86CursorEnableDisableFBAccess(). But we call xf86CursorSetCursor()
> in between, which calls FreeCursor() on CurrentCursor if set. If this
> happens, we end up with a FreeCursor()ed SavedCursor.
> We have to make sure that xf86CursorSetCursor() doesn't touch our
> SavedCursor.
>
> The stripped code looks like this atm:
>
> xf86CursorEnableDisableFBAccess(enable=false)
> {
>     if (!enable && ScreenPriv->CurrentCursor) {
>         CursorPtr currentCursor = ScreenPriv->CurrentCursor;
>         xf86CursorSetCursor(NullCursor);
>         ScreenPriv->SavedCursor = currentCursor;
>         return;
>     }
> }
>
> xf86CursorSetCursor(pCurs=NullCursor)
> {
>     if (pCurs == NullCursor) {
>         if (ScreenPriv->CurrentCursor)
>             FreeCursor(ScreenPriv->CurrentCursor, None);
>         ScreenPriv->CurrentCursor = NullCursor;
>         return;
>     }
> }
>
> Signed-off-by: Daniel Martin <consume.noise at gmail.com>
> ---
> hw/xfree86/ramdac/xf86Cursor.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/hw/xfree86/ramdac/xf86Cursor.c b/hw/xfree86/ramdac/xf86Cursor.c
> index 2a54571..72d01d3 100644
> --- a/hw/xfree86/ramdac/xf86Cursor.c
> +++ b/hw/xfree86/ramdac/xf86Cursor.c
> @@ -213,6 +213,7 @@ xf86CursorEnableDisableFBAccess(ScrnInfoPtr pScrn, Bool enable)
>
> if (!enable && ScreenPriv->CurrentCursor != NullCursor) {
> CursorPtr currentCursor = ScreenPriv->CurrentCursor;
> + ScreenPriv->CurrentCursor = NullCursor;
>
> xf86CursorSetCursor(pDev, pScreen, NullCursor, ScreenPriv->x,
> ScreenPriv->y);
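Review bot: the added `ScreenPriv->CurrentCursor = NullCursor;` works only because the NullCursor path of xf86CursorSetCursor() then finds nothing to FreeCursor(), which silently moves the reference CurrentCursor held into the local `currentCursor` (and, per the stripped code in the commit message, into SavedCursor right after); that ownership hand-over deserves a comment at the assignment, e.g. `/* hand our reference to SavedCursor; otherwise xf86CursorSetCursor() would FreeCursor() it */`, since the hunk otherwise reads as if the cursor were simply dropped. The hunk also cuts off before the `ScreenPriv->SavedCursor = currentCursor;` line, so it is worth confirming in the same change that the enable side gives that reference back (or drops it) rather than taking a second one, otherwise the use-after-free becomes a leak.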
> --
> 2.4.5
>
Ping.
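The save-then-free ordering described in the commit message above, as an added example that is not part of the post or of the xserver: a small reference-counting model in C that runs the pre-patch and the patched sequence side by side. The CursorRec/ScreenPrivRec shapes, SetCursor(), the EnableFBAccess() restore side and the sample "arrow" cursor are assumptions of this model, not xserver code; FreeCursor() here marks the record freed instead of calling free(), so a dangling SavedCursor can be observed rather than crashing.

```c
#include <stdio.h>

/* Minimal model of the X server's reference-counted CursorRec.  Added
 * illustration, not xserver code: a real CursorRec carries bitmaps and
 * FreeCursor() really calls free(); here FreeCursor() only marks the record
 * freed so that a dangling SavedCursor can be detected instead of crashing. */
typedef struct {
    int refcnt;
    int freed;          /* 1 once the last reference was dropped */
    const char *name;
} CursorRec, *CursorPtr;

#define NullCursor ((CursorPtr)NULL)

/* Model of the xf86Cursor screen private: only the two fields involved. */
typedef struct {
    CursorPtr CurrentCursor;
    CursorPtr SavedCursor;
} ScreenPrivRec;

/* Drop one reference; the record is dead once refcnt reaches zero. */
static void FreeCursor(CursorPtr pCurs)
{
    if (--pCurs->refcnt > 0)
        return;
    pCurs->freed = 1;   /* stands in for free(pCurs) */
}

/* Model of xf86CursorSetCursor(): NullCursor means "remove the cursor", which
 * releases the reference CurrentCursor holds; any other cursor gets its own
 * reference taken before the old one is dropped. */
static void SetCursor(ScreenPrivRec *priv, CursorPtr pCurs)
{
    if (pCurs != NullCursor)
        pCurs->refcnt++;
    if (priv->CurrentCursor)
        FreeCursor(priv->CurrentCursor);
    priv->CurrentCursor = pCurs;
}

/* Pre-patch sequence: the pointer is saved, but SetCursor(NullCursor) frees
 * the cursor it points to before it is stored in SavedCursor. */
static void DisableFBAccessBuggy(ScreenPrivRec *priv)
{
    if (priv->CurrentCursor != NullCursor) {
        CursorPtr currentCursor = priv->CurrentCursor;
        SetCursor(priv, NullCursor);
        priv->SavedCursor = currentCursor;
    }
}

/* Patched sequence: CurrentCursor is cleared first, so SetCursor(NullCursor)
 * finds nothing to free and the reference is handed to SavedCursor intact. */
static void DisableFBAccessFixed(ScreenPrivRec *priv)
{
    if (priv->CurrentCursor != NullCursor) {
        CursorPtr currentCursor = priv->CurrentCursor;
        priv->CurrentCursor = NullCursor;   /* the one-line fix */
        SetCursor(priv, NullCursor);
        priv->SavedCursor = currentCursor;
    }
}

/* Restore side (assumed shape, not from the patch): SetCursor() takes its own
 * reference, so the one SavedCursor carried is released afterwards. */
static void EnableFBAccess(ScreenPrivRec *priv)
{
    CursorPtr saved = priv->SavedCursor;
    if (saved == NullCursor)
        return;
    priv->SavedCursor = NullCursor;
    SetCursor(priv, saved);
    FreeCursor(saved);
}

/* Run one disable with the given variant; returns 1 if SavedCursor now points
 * at a freed cursor (the use-after-free the patch is about), else 0. */
static int SavedCursorDangles(void (*disable)(ScreenPrivRec *))
{
    CursorRec arrow = { 0, 0, "arrow" };          /* constructed sample cursor */
    ScreenPrivRec priv = { NullCursor, NullCursor };
    SetCursor(&priv, &arrow);                     /* screen holds refcnt == 1 */
    disable(&priv);
    return priv.SavedCursor != NullCursor && priv.SavedCursor->freed;
}

/* Disable/enable round trip with the fixed variant; returns the cursor's
 * refcnt afterwards (expected 1, the screen's reference), or -1 if freed. */
static int RefcntAfterRoundTrip(void)
{
    CursorRec arrow = { 0, 0, "arrow" };
    ScreenPrivRec priv = { NullCursor, NullCursor };
    SetCursor(&priv, &arrow);
    DisableFBAccessFixed(&priv);
    EnableFBAccess(&priv);
    return arrow.freed ? -1 : arrow.refcnt;
}

int main(void)
{
    printf("buggy: SavedCursor dangles = %d\n", SavedCursorDangles(DisableFBAccessBuggy));
    printf("fixed: SavedCursor dangles = %d\n", SavedCursorDangles(DisableFBAccessFixed));
    printf("fixed: refcnt after round trip = %d\n", RefcntAfterRoundTrip());
    return 0;
}
```

The model makes the ownership rule explicit: whichever field holds the pointer owns exactly one reference, and the fix moves that single reference from CurrentCursor to SavedCursor without ever letting SetCursor(NullCursor) see it. With a real free() the buggy variant would be a use-after-free the moment SavedCursor is restored.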