From e196535abbf2ef4aa7c1eb0b4b9b67840032b88a Mon Sep 17 00:00:00 2001 From: Olivier Fourdan Date: Thu, 9 Feb 2023 11:40:07 +0100 Subject: dix: Clear device sprite after free in AttachDevice() The code in AttachDevice() may free the dev->spriteInfo->sprite under some circumstances and later call GetCurrentRootWindow() which uses the same dev->spriteInfo->sprite. While it seems unlikely that this is actually an issue, considering the cases where one or the other get called, it still makes the code look suspicious. Make sure to clear set dev->spriteInfo->sprite to NULL immediately after it's freed to avoid any confusion, even if only to clarify the code. Signed-off-by: Olivier Fourdan Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1436 --- dix/devices.c | 1 + 1 file changed, 1 insertion(+) diff --git a/dix/devices.c b/dix/devices.c index 5f9ce1678..f5ab17352 100644 --- a/dix/devices.c +++ b/dix/devices.c @@ -2630,6 +2630,7 @@ AttachDevice(ClientPtr client, DeviceIntPtr dev, DeviceIntPtr master) screen = miPointerGetScreen(dev); screen->DeviceCursorCleanup(dev, screen); free(dev->spriteInfo->sprite); + dev->spriteInfo->sprite = NULL; } dev->master = master; -- cgit v1.2.1
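Review bot: The added `dev->spriteInfo->sprite = NULL;` after `free(dev->spriteInfo->sprite);` removes the dangling pointer, but the later GetCurrentRootWindow() call described in the commit message is left unguarded. If that path were ever reached after this branch, it would now see a NULL sprite instead of freed memory. The message says the two cases are unlikely to occur together, so consider stating that invariant in a one-line comment next to the assignment, or checking the sprite for NULL before the later call. Either way, the reason the pointer is cleared would be visible in dix/devices.c and not only in the commit log.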