1 files changed, 34 insertions, 0 deletions

diff --git a/0001-xfree86-Take-second-reference-for-SavedCursor-in-xf8.patch b/0001-xfree86-Take-second-reference-for-SavedCursor-in-xf8.patch
new file mode 100644
index 000000000000..872259bb8093
--- /dev/null
+++ b/0001-xfree86-Take-second-reference-for-SavedCursor-in-xf8.patch
@@ -0,0 +1,34 @@
+From 919f1f46fc67dae93b2b3f278fcbfc77af34ec58 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michel=20D=C3=A4nzer?= <mdaenzer@redhat.com>
+Date: Mon, 31 Aug 2020 12:10:43 +0200
+Subject: [PATCH] xfree86: Take second reference for SavedCursor in
+ xf86CursorSetCursor
+
+The same pointer is kept in CurrentCursor as well, therefore two
+RefCursor calls are needed.
+
+Fixes use-after-free after switching VTs.
+
+Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1067
+Signed-off-by: Laurent Carlier <lordheavym@gmail.com>
+---
+ hw/xfree86/ramdac/xf86CursorRD.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/hw/xfree86/ramdac/xf86CursorRD.c b/hw/xfree86/ramdac/xf86CursorRD.c
+index 9aa3de97b..c8362d169 100644
+--- a/hw/xfree86/ramdac/xf86CursorRD.c
++++ b/hw/xfree86/ramdac/xf86CursorRD.c
+@@ -334,6 +334,9 @@ xf86CursorSetCursor(DeviceIntPtr pDev, ScreenPtr pScreen, CursorPtr pCurs,
+         ScreenPriv->HotY = cursor->bits->yhot;
+ 
+         if (!infoPtr->pScrn->vtSema) {
++            cursor = RefCursor(cursor);
++            if (ScreenPriv->SavedCursor)
++                FreeCursor(ScreenPriv->SavedCursor, None);
+             ScreenPriv->SavedCursor = cursor;
+             return;
+         }
+-- 
+2.28.0
+