When using libinput with xf86-input-libinput, the device speed is
represented as a float passed via X properties.

If a buggy client gives a broken value, the conversions that occur
can cause the value of speed to be NaN (not a number), aka infinity.

In C, any comparison with NaN always gives false, whatever the value.

So that test in libinput_device_config_accel_set_speed():

   (speed < 1.0 || speed > 1.0)

will necessarily return FALSE, defeating the test of range.

However, since any comparison with NaN is false, the
opposite assert() in accelerator_set_speed():

   (speed >= 1.0 && speed <= 1.0)

will be false as well, thus triggering the abort() and the crash of
the entire X server along with it.

The solution is to use the same construct in both routines, so that
it fails gracefully in libinput_device_config_accel_set_speed().

Signed-off-by: Olivier Fourdan <[email protected]>
---

 v2: Root caused the issue to the use of NaN

 src/libinput.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/libinput.c b/src/libinput.c
index 7456b90..0e55b18 100644
--- a/src/libinput.c
+++ b/src/libinput.c
@@ -1534,7 +1534,8 @@ LIBINPUT_EXPORT enum libinput_config_status
 libinput_device_config_accel_set_speed(struct libinput_device *device,
                                       double speed)
 {
-       if (speed < -1.0 || speed > 1.0)
+       /* Need the negation in case speed is Nan */
+       if (!(speed >= -1.0 && speed <= 1.0))
                return LIBINPUT_CONFIG_STATUS_INVALID;
 
        if (!libinput_device_config_accel_is_available(device))
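Review bot: the new comment above the negated check misspells NaN as "Nan" and does not say why the negation matters. Suggest spelling it "NaN" and stating that every ordered comparison with NaN is false, so only the positive range test rejects it. An explicit isnan(speed) test ahead of the range check would also protect against a later reader "simplifying" the condition back to the old form. The diffstat shows only src/libinput.c changed, so a regression test that passes NaN to libinput_device_config_accel_set_speed() and expects LIBINPUT_CONFIG_STATUS_INVALID would be worth adding.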
-- 
2.1.0
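
The two forms of the range check from the patch above, run side by side over ordinary, infinite and NaN inputs. This is an added example, not libinput code: the enum, the function names and the sample values are hypothetical, and the asserted range uses the -1.0 lower bound shown in the hunk.

```c
#include <math.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-ins for the libinput status codes. */
enum status { STATUS_SUCCESS, STATUS_INVALID };

/* Pre-patch form: rejects only when a comparison is true, so NaN passes. */
static enum status check_speed_old(double speed)
{
	if (speed < -1.0 || speed > 1.0)
		return STATUS_INVALID;
	return STATUS_SUCCESS;
}

/* Patched form: accepts only when both comparisons are true, so NaN fails. */
static enum status check_speed_fixed(double speed)
{
	if (!(speed >= -1.0 && speed <= 1.0))
		return STATUS_INVALID;
	return STATUS_SUCCESS;
}

/* Condition of the downstream assert(), returned instead of aborting. */
static bool accel_precondition_holds(double speed)
{
	return speed >= -1.0 && speed <= 1.0;
}

/* True when the validator accepts a value the assert() would abort on. */
static bool would_abort(enum status (*check)(double), double speed)
{
	return check(speed) == STATUS_SUCCESS && !accel_precondition_holds(speed);
}

int main(void)
{
	/* Constructed sample inputs. */
	const double samples[] = { 0.5, -1.0, 2.0, INFINITY, -INFINITY, NAN };

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%6g  old: %-8s fixed: %-8s\n", samples[i],
		       would_abort(check_speed_old, samples[i]) ? "ABORT" : "ok",
		       would_abort(check_speed_fixed, samples[i]) ? "ABORT" : "ok");
	return 0;
}
```

Only the NaN row differs between the two columns; infinities are rejected by both forms because they still compare as ordered values.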
