hw/xfree86: Avoid cursor use after free

During a VT-Switch a raw pointer to the shared cursor object
is saved which is then freed (in case of low refcount) by a call to
xf86CursorSetCursor with argument pCurs = NullCursor.
This leads to a dangling pointer which can follow in a use after free.

This fix ensures that there is a shared handle saved for the VT-Switch cycle.

Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
(cherry picked from commit 7ae221ad5774756766dc78a73d71f4163ac7b1c6)

1 files changed, 2 insertions, 1 deletions

diff --git a/hw/xfree86/ramdac/xf86CursorRD.c b/hw/xfree86/ramdac/xf86CursorRD.c
index afcce5353..ee1d98916 100644
--- a/hw/xfree86/ramdac/xf86CursorRD.c
+++ b/hw/xfree86/ramdac/xf86CursorRD.c
@@ -212,7 +212,7 @@ xf86CursorEnableDisableFBAccess(ScrnInfoPtr pScrn, Bool enable)
                                                xf86CursorScreenKey);
 
     if (!enable && ScreenPriv->CurrentCursor != NullCursor) {
-        CursorPtr currentCursor = ScreenPriv->CurrentCursor;
+        CursorPtr currentCursor = RefCursor(ScreenPriv->CurrentCursor);
 
         xf86CursorSetCursor(pDev, pScreen, NullCursor, ScreenPriv->x,
                             ScreenPriv->y);
@@ -231,6 +231,7 @@ xf86CursorEnableDisableFBAccess(ScrnInfoPtr pScrn, Bool enable)
          */
         xf86CursorSetCursor(pDev, pScreen, ScreenPriv->SavedCursor,
                             ScreenPriv->x, ScreenPriv->y);
+        UnrefCursor(ScreenPriv->SavedCursor);
         ScreenPriv->SavedCursor = NULL;
     }
 }