On 08/06/17 22:51, Keith Packard wrote:
> Adam Jackson <[email protected]> writes:
>
>> We're not wrapping all the ways a cursor can be destroyed, so this array
>> ends up with stale data. Rather than try harder to wrap more code paths,
>> just look up the cursor when we need it.
> I'm pretty sure it doesn't matter -- DisplayCursor is only ever called
> while *both* cursors are still valid. Here's the DIX code:
>
> (*pScreen->DisplayCursor) (pDev, pScreen, cursor);
> FreeCursor(pSprite->current, (Cursor) 0);
> pSprite->current = RefCursor(cursor);
>
> Note that InitializeSprite also sets pSprite->current *before* calling
> DisplayCursor, which breaks your assumption. I don't think that matters
> as it should only be done before a client could possibly know about the
> device?
>
> I can see why you might want to get rid of the magic array; seems like
> this should just be using a private in the device.
>
So what's happening with this? I've just posted a fix which has been on Red Hat's radar for 18 months with the same patch that DIX does above, in the xfixes/cursor.c code paths. You can easily crash the X server without this fix.

Alan.

_______________________________________________
[email protected]: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: https://lists.x.org/mailman/listinfo/xorg-devel
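The stale-array pattern the thread is about, as an added example that is not the X server's code, Adam's patch or Alan's fix: a displayed-cursor cache that only one hook maintains hands back a pointer to a cursor that was destroyed through an unwrapped path, which in real code is a use-after-free and the crash Alan mentions. The toy `Cursor` struct, the fixed `pool`, the `resource_table` keyed by XID and every `display_cursor_*`/`current_cursor_*` function are hypothetical names for this illustration. Cursors are marked dead rather than `free()`d so the stale read can be observed instead of being undefined behaviour. The two fixes shown are the one Adam describes (cache the id, look the cursor up on use) and the DIX sprite pattern Keith quotes (hold your own reference, `RefCursor`/`FreeCursor` style).

```c
#include <stddef.h>
#include <string.h>

/* Toy model of the bug under discussion; none of this is X server code.
 * A displayed-cursor cache is updated by one hook only, so a cursor that
 * dies through any other path leaves a dangling pointer behind. Cursors
 * live in a fixed pool and are marked dead instead of free()d, so the
 * stale read is observable rather than undefined behaviour. */

#define POOL 8                      /* hypothetical: XIDs are 0..POOL-1 */

typedef struct {
    unsigned xid;                   /* resource id a client would hold */
    int refcnt;
    int live;                       /* 0 once the last reference is dropped */
} Cursor;

static Cursor pool[POOL];
static Cursor *resource_table[POOL]; /* xid -> cursor: the authoritative lookup */
static Cursor *cached_current;       /* buggy cache: raw pointer, no reference */
static unsigned cached_xid;          /* fix 1: remember the id only */
static int have_cached_xid;
static Cursor *held_current;         /* fix 2: hold a reference, like pSprite->current */

static void reset(void)
{
    memset(pool, 0, sizeof pool);
    memset(resource_table, 0, sizeof resource_table);
    cached_current = held_current = NULL;
    have_cached_xid = 0;
}

Cursor *cursor_create(unsigned xid)
{
    if (xid >= POOL || resource_table[xid])
        return NULL;
    Cursor *c = &pool[xid];
    c->xid = xid;
    c->refcnt = 1;                  /* the creating client's reference */
    c->live = 1;
    return resource_table[xid] = c;
}

Cursor *ref_cursor(Cursor *c) { if (c) c->refcnt++; return c; }

/* Drop a reference. Nothing here knows about cached_current; that is the
 * unwrapped destruction path that makes the cache go stale. */
void free_cursor(Cursor *c)
{
    if (c && c->live && --c->refcnt == 0) {
        resource_table[c->xid] = NULL;
        c->live = 0;                /* real code would free(c) here */
    }
}

/* Buggy: the only hook that maintains the cache. */
void display_cursor_cached(Cursor *c) { cached_current = c; }
Cursor *current_cursor_cached(void) { return cached_current; }

/* Fix 1 (Adam's direction): cache the id, look the cursor up on each use. */
void display_cursor_by_id(Cursor *c) { cached_xid = c->xid; have_cached_xid = 1; }
Cursor *current_cursor_by_id(void)
{
    return have_cached_xid ? resource_table[cached_xid] : NULL;
}

/* Fix 2 (the DIX sprite pattern): take our own reference, then drop the old
 * one. Referencing the new cursor first is safe even when c == held_current. */
void display_cursor_ref(Cursor *c)
{
    Cursor *old = held_current;
    held_current = ref_cursor(c);
    free_cursor(old);
}

/* Scenario: a client creates a cursor, it gets displayed, the client frees it. */
int stale_cache_hands_back_dead_cursor(void)
{
    reset();
    Cursor *c = cursor_create(3);
    display_cursor_cached(c);
    free_cursor(c);                             /* unwrapped path */
    Cursor *got = current_cursor_cached();
    return got != NULL && !got->live;           /* 1: would be a use-after-free */
}

int lookup_by_id_sees_destroyed_cursor(void)
{
    reset();
    Cursor *c = cursor_create(3);
    display_cursor_by_id(c);
    free_cursor(c);
    return current_cursor_by_id() == NULL;      /* 1: caller must handle "no cursor" */
}

int held_reference_keeps_cursor_alive(void)
{
    reset();
    Cursor *c = cursor_create(3);
    display_cursor_ref(c);
    free_cursor(c);                             /* client's ref gone, ours remains */
    int alive = c->live && c->refcnt == 1;
    display_cursor_ref(NULL);                   /* undisplay: last ref dropped */
    return alive && !c->live;                   /* 1 */
}
```

Two caveats a reviewer would want on the id-lookup fix: every caller now has to cope with the lookup returning nothing, and a reused XID can resolve to a different cursor than the one that was displayed. Holding a reference avoids both, which is why the DIX code in the quoted reply refs the new cursor and frees the old one at the point of display.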
