Fix UAF in X11CursorFactoryOzone.

Add a reference to the returned invisible cursor when we try to create a
cursor from an invalid bitmap.

X11CursorFactoryOzone is only used in the chromeos-on-linux development
environment. I've double checked that this doesn't occur in
CursorDataFactoryOzone and BitmapCursorFactoryOzone.

Bug: 791243
Change-Id: Ia12edf1638a420b61eb7f72f3696dabf506a44e0
Reviewed-on: https://chromium-review.googlesource.com/809492
Commit-Queue: Elliot Glaysher <erg@chromium.org>
Reviewed-by: kylechar <kylechar@chromium.org>
Reviewed-by: Scott Violet <sky@chromium.org>
Cr-Commit-Position: refs/heads/master@{#522200}

ui/ozone/platform/x11/x11_cursor_factory_ozone.cc

@@ -49,6 +49,12 @@ PlatformCursor X11CursorFactoryOzone::CreateImageCursor(
   // resulting SkBitmap is empty and X crashes when creating a zero size cursor
   // image. Return invisible cursor here instead.
   if (bitmap.drawsNothing()) {
+    // The result of |invisible_cursor_| is owned by the caller, and will be
+    // Unref()ed by code far away. (Usually in web_cursor.cc in content, among
+    // others.) If we don't manually add another reference before we cast this
+    // to a void*, we can end up with |invisible_cursor_| being freed out from
+    // under us.
+    invisible_cursor_->AddRef();
     return ToPlatformCursor(invisible_cursor_.get());
   }