[PATCH xserver] xf86/cursor: Fix potential use of FreeCursor()ed cursor

Daniel Martin daniel.martin at secunet.com
Mon Sep 21 02:14:59 PDT 2015


We save CurrentCursor if we're going to remove it from the screen in
xf86CursorEnableDisableFBAccess(). But we call xf86CursorSetCursor()
in between, which calls FreeCursor() on CurrentCursor if set. If this
happens, we end up with a FreeCursor()ed SavedCursor.
We have to make sure that xf86CursorSetCursor() doesn't touch our
SavedCursor.

The stripped code looks like this atm:

    xf86CursorEnableDisableFBAccess(enable=false)
    {
        if (!enable && ScreenPriv->CurrentCursor) {
            CursorPtr currentCursor = ScreenPriv->CurrentCursor;
            xf86CursorSetCursor(NullCursor);
            ScreenPriv->SavedCursor = currentCursor;
            return;
        }
    }

    xf86CursorSetCursor(pCurs=NullCursor)
    {
        if (pCurs == NullCursor) {
            if (ScreenPriv->CurrentCursor)
                FreeCursor(ScreenPriv->CurrentCursor, None);
            ScreenPriv->CurrentCursor = NullCursor;
            return;
        }
    }

Signed-off-by: Daniel Martin <consume.noise at gmail.com>
---
 hw/xfree86/ramdac/xf86Cursor.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/xfree86/ramdac/xf86Cursor.c b/hw/xfree86/ramdac/xf86Cursor.c
index 2a54571..72d01d3 100644
--- a/hw/xfree86/ramdac/xf86Cursor.c
+++ b/hw/xfree86/ramdac/xf86Cursor.c
@@ -213,6 +213,7 @@ xf86CursorEnableDisableFBAccess(ScrnInfoPtr pScrn, Bool enable)
 
     if (!enable && ScreenPriv->CurrentCursor != NullCursor) {
         CursorPtr currentCursor = ScreenPriv->CurrentCursor;
+        ScreenPriv->CurrentCursor = NullCursor;
 
         xf86CursorSetCursor(pDev, pScreen, NullCursor, ScreenPriv->x,
                             ScreenPriv->y);
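Review bot: the added `+        ScreenPriv->CurrentCursor = NullCursor;` needs an inline comment, because read on its own it looks like a redundant copy of the assignment xf86CursorSetCursor() already makes in its NullCursor path; the actual purpose (per the commit message) is to take the reference out of CurrentCursor before the call so that FreeCursor() is not run on the cursor that is about to become SavedCursor. Two things to confirm in the code outside this hunk: that the later `ScreenPriv->SavedCursor = currentCursor;` store still executes after the xf86CursorSetCursor() call, and that nothing in xf86CursorSetCursor()'s NullCursor branch consults ScreenPriv->CurrentCursor when deciding how to hide the hardware cursor, since it now observes NullCursor instead of the cursor being removed. Also worth noting in the commit message that ownership moves: the reference FreeCursor() used to drop is now held by SavedCursor, so whichever path later restores or discards SavedCursor must release it, or the fix trades a use-after-free for a leak.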
-- 
2.4.5
