From 68d95e759f8b6ebca6bd52e69e6bc34cc174f8ca Mon Sep 17 00:00:00 2001 From: Alex Goins Date: Tue, 24 Oct 2017 18:39:13 -0700 Subject: [PATCH] ramdac: Check ScreenPriv != NULL in xf86ScreenSetCursor() Similar to change cba5a10f, xf86ScreenSetCursor() would dereference ScreenPriv without NULL checking it. If Option "SWCursor" is specified, ScreenPriv == NULL. Without this fix, it is observed that setting Option "SWCursor" "on" on the modesetting driver in a PRIME configuration will segfault the server. It is important to return success rather than failure in the instance that ScreenPriv == NULL and pCurs == NullCursor, because otherwise xf86SetCursor() can fall into infinite recursion: xf86SetCursor(pCurs) calls xf86ScreenSetCursor(pCurs), and if FALSE, calls xf86SetCursor(NullCursor). If xf86ScreenSetCursor(NullCursor) returns FALSE, it calls xf86SetCursor(NullCursor) again and this repeats forever. Signed-off-by: Alex Goins Reviewed-by: Dave Airlie --- hw/xfree86/ramdac/xf86HWCurs.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/hw/xfree86/ramdac/xf86HWCurs.c b/hw/xfree86/ramdac/xf86HWCurs.c index 2e4c9e519..366837c01 100644 --- a/hw/xfree86/ramdac/xf86HWCurs.c +++ b/hw/xfree86/ramdac/xf86HWCurs.c @@ -181,9 +181,16 @@ xf86ScreenSetCursor(ScreenPtr pScreen, CursorPtr pCurs, int x, int y) xf86CursorScreenPtr ScreenPriv = (xf86CursorScreenPtr) dixLookupPrivate(&pScreen->devPrivates, xf86CursorScreenKey); - xf86CursorInfoPtr infoPtr = ScreenPriv->CursorInfoPtr; + + xf86CursorInfoPtr infoPtr; unsigned char *bits; + if (!ScreenPriv) { /* NULL if Option "SWCursor" */ + return (pCurs == NullCursor); + } + + infoPtr = ScreenPriv->CursorInfoPtr; + if (pCurs == NullCursor) { (*infoPtr->HideCursor) (infoPtr->pScrn); return TRUE;