[NOTE] This should be nominated for previous branches too! These two calls save a pointer to the current cursor during DisplayCursor(), but the cursor can be destroyed, leaving a dangling reference. This patch wraps this using the cursor reference counters to ensure the cursor isn't deleted during its use.
This bug was fixed in RedHat's bugzilla database 18 months ago. https://bugzilla.redhat.com/show_bug.cgi?id=1357694 Signed-off-by: Alan Hourihane <[email protected]> --- xfixes/cursor.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/xfixes/cursor.c b/xfixes/cursor.c index 09cf2fa69..0ce1c71ed 100644 --- a/xfixes/cursor.c +++ b/xfixes/cursor.c @@ -154,7 +154,10 @@ CursorDisplayCursor(DeviceIntPtr pDev, ScreenPtr pScreen, CursorPtr pCursor) CursorEventPtr e; UpdateCurrentTimeIf(); - CursorCurrent[pDev->id] = pCursor; + if (CursorCurrent[pDev->id] != NULL) { + FreeCursor(pCursor, (Cursor) 0); + } + CursorCurrent[pDev->id] = RefCursor(pCursor); for (e = cursorEvents; e; e = e->next) { if ((e->eventMask & XFixesDisplayCursorNotifyMask)) { xXFixesCursorNotifyEvent ev = { -- 2.13.0 _______________________________________________ [email protected]: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: https://lists.x.org/mailman/listinfo/xorg-devel
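Review bot: In the CursorDisplayCursor() hunk, the new branch tests `CursorCurrent[pDev->id] != NULL` but then calls `FreeCursor(pCursor, (Cursor) 0)` on the incoming cursor rather than on the previously saved one. As written, the reference that `RefCursor()` took for the old `CursorCurrent[pDev->id]` entry is never released when the slot is overwritten, and the incoming cursor has a reference dropped immediately before it is re-referenced. If the intent is to release the old holder, the call should be `FreeCursor(CursorCurrent[pDev->id], (Cursor) 0)`. It would also be worth saying in the commit message whether `pCursor` can be NULL at this point, since the hunk passes it to `RefCursor()` unconditionally, and where the last reference held in `CursorCurrent[]` is meant to be dropped.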
