hw/xfree86: Avoid cursor use after free
During a VT-Switch a raw pointer to the shared cursor object is saved, and the object is then freed (if its refcount is low) by a call to xf86CursorSetCursor with argument pCurs = NullCursor. This leaves a dangling pointer, which can result in a use after free. This fix ensures that a shared handle (a counted reference) is held for the duration of the VT-Switch cycle. Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
parent
6a79a737e2
commit
7ae221ad57
|
@ -212,7 +212,7 @@ xf86CursorEnableDisableFBAccess(ScrnInfoPtr pScrn, Bool enable)
|
||||||
xf86CursorScreenKey);
|
xf86CursorScreenKey);
|
||||||
|
|
||||||
if (!enable && ScreenPriv->CurrentCursor != NullCursor) {
|
if (!enable && ScreenPriv->CurrentCursor != NullCursor) {
|
||||||
CursorPtr currentCursor = ScreenPriv->CurrentCursor;
|
CursorPtr currentCursor = RefCursor(ScreenPriv->CurrentCursor);
|
||||||
|
|
||||||
xf86CursorSetCursor(pDev, pScreen, NullCursor, ScreenPriv->x,
|
xf86CursorSetCursor(pDev, pScreen, NullCursor, ScreenPriv->x,
|
||||||
ScreenPriv->y);
|
ScreenPriv->y);
|
||||||
|
@ -231,6 +231,7 @@ xf86CursorEnableDisableFBAccess(ScrnInfoPtr pScrn, Bool enable)
|
||||||
*/
|
*/
|
||||||
xf86CursorSetCursor(pDev, pScreen, ScreenPriv->SavedCursor,
|
xf86CursorSetCursor(pDev, pScreen, ScreenPriv->SavedCursor,
|
||||||
ScreenPriv->x, ScreenPriv->y);
|
ScreenPriv->x, ScreenPriv->y);
|
||||||
|
UnrefCursor(ScreenPriv->SavedCursor);
|
||||||
ScreenPriv->SavedCursor = NULL;
|
ScreenPriv->SavedCursor = NULL;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
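Review bot: The release in the second hunk, `UnrefCursor(ScreenPriv->SavedCursor);`, is the only visible place where the reference taken by `RefCursor(ScreenPriv->CurrentCursor)` is dropped, and nothing on this page shows that it frees the cursor when the count reaches zero. If UnrefCursor only decrements (worth confirming against its definition), the cursor leaks whenever the preceding xf86CursorSetCursor call did not take its own reference, and `FreeCursor(ScreenPriv->SavedCursor, None);` would be the safer release. The saved reference also appears to stay held if the screen is torn down while FB access is still disabled, so the close-screen path, which is outside this page, should release a non-NULL SavedCursor. A short comment at the RefCursor line, such as `/* hold our own reference: SetCursor(NullCursor) below may drop the last one */`, would keep the Ref/Unref pairing obvious. The body of xf86CursorEnableDisableFBAccess continues outside both hunks, including the assignment to SavedCursor and the condition of the enable branch.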