frederik
/
xserver
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

dix: keep a ref to the rootCursor 

CreateCursor returns a cursor with refcount 1 - that refcount is used by
the resource system, any caller needs to call RefCursor to get their own
reference. That happens correctly for normal cursors but for our
rootCursor we keep a variable to the cursor despite not having a ref for
ourselves.

Fix this by reffing/unreffing the rootCursor to ensure our pointer is
valid.

Related to CVE-2025-26594, ZDI-CAN-25544

Reviewed-by: Olivier Fourdan <ofourdan@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
This commit is contained in:
Peter Hutterer 2024-12-04 15:49:43 +10:00 committed by Olivier Fourdan
parent 01642f263f
commit b0a09ba602
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
dix/main.c
View File

@ -241,6 +241,8 @@ dix_main(int argc, char *argv[], char *envp[])
FatalError("could not open default cursor font");
}
rootCursor = RefCursor(rootCursor);
#ifdef XINERAMA
/*
* Consolidate window and colourmap information for each screen
@ -281,6 +283,8 @@ dix_main(int argc, char *argv[], char *envp[])
Dispatch();
UnrefCursor(rootCursor);
UndisplayDevices();
DisableAllDevices();