[PATCH libinput v2] Fix an abort if the device speed is NaN

Olivier Fourdan ofourdan at redhat.com
Thu Feb 5 05:33:31 PST 2015

When using libinput with xf86-input-libinput, the device speed is
represented as a float passed via X properties.

If a buggy client gives a broken value, the conversions that occur
can cause the value of speed to be NaN (not a number), aka infinity.

In C, any comparison with NaN always gives false, whatever the value.

So that test in libinput_device_config_accel_set_speed():

   (speed < 1.0 || speed > 1.0)

will necessarily return FALSE, defeating the test of range.

However, since since any comparison with NaN is false, the
opposite assert() in accelerator_set_speed():

   (speed >= 1.0 && speed <= 1.0)

will be false as well, thus triggering the abort() and the crash of
the entire X server along with it.

The solution is to use the same construct in both routines, so that
it fails gracefully in libinput_device_config_accel_set_speed().

Signed-off-by: Olivier Fourdan <ofourdan at redhat.com>

 v2: Root caused the issue to the use of NaN

 src/libinput.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/libinput.c b/src/libinput.c
index 7456b90..0e55b18 100644
--- a/src/libinput.c
+++ b/src/libinput.c
@@ -1534,7 +1534,8 @@ LIBINPUT_EXPORT enum libinput_config_status
 libinput_device_config_accel_set_speed(struct libinput_device *device,
 				       double speed)
-	if (speed < -1.0 || speed > 1.0)
+	/* Need the negation in case speed is Nan */
+	if (!(speed >= -1.0 && speed <= 1.0))
 	if (!libinput_device_config_accel_is_available(device))

More information about the wayland-devel mailing list