xfree86: Take second reference for SavedCursor in xf86CursorSetCursor

The same pointer is kept in CurrentCursor as well, therefore two
RefCursor calls are needed.

Fixes use-after-free after switching VTs.

Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1067

hw/xfree86/ramdac/xf86CursorRD.c

@@ -334,6 +334,9 @@ xf86CursorSetCursor(DeviceIntPtr pDev, ScreenPtr pScreen, CursorPtr pCurs,
         ScreenPriv->HotY = cursor->bits->yhot;
 
         if (!infoPtr->pScrn->vtSema) {
+            cursor = RefCursor(cursor);
+            if (ScreenPriv->SavedCursor)
+                FreeCursor(ScreenPriv->SavedCursor, None);
             ScreenPriv->SavedCursor = cursor;
             return;
         }