[PATCH libinput v2] Fix an abort if the device speed is NaN
Peter Hutterer
peter.hutterer at who-t.net
Thu Feb 5 16:27:12 PST 2015
On Thu, Feb 05, 2015 at 02:33:31PM +0100, Olivier Fourdan wrote:
> When using libinput with xf86-input-libinput, the device speed is
> represented as a float passed via X properties.
>
> If a buggy client gives a broken value, the conversions that occur
> can cause the value of speed to be NaN (not a number), aka infinity.
>
> In C, any comparison with NaN always gives false, whatever the value.
>
> So that test in libinput_device_config_accel_set_speed():
>
> (speed < 1.0 || speed > 1.0)
>
> will necessarily return FALSE, defeating the test of range.
>
> However, since since any comparison with NaN is false, the
> opposite assert() in accelerator_set_speed():
>
> (speed >= 1.0 && speed <= 1.0)
>
> will be false as well, thus triggering the abort() and the crash of
> the entire X server along with it.
>
> The solution is to use the same construct in both routines, so that
> it fails gracefully in libinput_device_config_accel_set_speed().
>
> Signed-off-by: Olivier Fourdan <ofourdan at redhat.com>
> ---
>
> v2: Root caused the issue to the use of NaN
merged, with minor changes:
- s/Nan/NaN/
- added a test case for NAN and INFINITY
thanks for tracking this down
Cheers,
Peter
>
> src/libinput.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/src/libinput.c b/src/libinput.c
> index 7456b90..0e55b18 100644
> --- a/src/libinput.c
> +++ b/src/libinput.c
> @@ -1534,7 +1534,8 @@ LIBINPUT_EXPORT enum libinput_config_status
> libinput_device_config_accel_set_speed(struct libinput_device *device,
> double speed)
> {
> - if (speed < -1.0 || speed > 1.0)
> + /* Need the negation in case speed is Nan */
> + if (!(speed >= -1.0 && speed <= 1.0))
> return LIBINPUT_CONFIG_STATUS_INVALID;
>
> if (!libinput_device_config_accel_is_available(device))
> --
> 2.1.0
>
More information about the wayland-devel
mailing list