On Thu, Feb 05, 2015 at 02:33:31PM +0100, Olivier Fourdan wrote:
> When using libinput with xf86-input-libinput, the device speed is
> represented as a float passed via X properties.
>
> If a buggy client gives a broken value, the conversions that occur
> can cause the value of speed to be NaN (not a number), aka infinity.
>
> In C, any comparison with NaN always gives false, whatever the value.
>
> So that test in libinput_device_config_accel_set_speed():
>
> (speed < 1.0 || speed > 1.0)
>
> will necessarily return FALSE, defeating the test of range.
>
> However, since any comparison with NaN is false, the
> opposite assert() in accelerator_set_speed():
>
> (speed >= 1.0 && speed <= 1.0)
>
> will be false as well, thus triggering the abort() and the crash of
> the entire X server along with it.
>
> The solution is to use the same construct in both routines, so that
> it fails gracefully in libinput_device_config_accel_set_speed().
>
> Signed-off-by: Olivier Fourdan <[email protected]>
> ---
>
> v2: Root caused the issue to the use of NaN

merged, with minor changes:
- s/Nan/NaN/
- added a test case for NAN and INFINITY

thanks for tracking this down

Cheers,
   Peter

>
> src/libinput.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/src/libinput.c b/src/libinput.c
> index 7456b90..0e55b18 100644
> --- a/src/libinput.c
> +++ b/src/libinput.c
> @@ -1534,7 +1534,8 @@ LIBINPUT_EXPORT enum libinput_config_status
> libinput_device_config_accel_set_speed(struct libinput_device *device,
> double speed)
> {
> - if (speed < -1.0 || speed > 1.0)
> + /* Need the negation in case speed is Nan */
> + if (!(speed >= -1.0 && speed <= 1.0))
> return LIBINPUT_CONFIG_STATUS_INVALID;
>
> if (!libinput_device_config_accel_is_available(device))
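
Review bot: the comment added above the new condition spells it "Nan"; it should read "NaN", and it would serve a later reader better if it said why the negated form is required, for example that every ordered comparison with NaN is false, so "speed < -1.0 || speed > 1.0" lets NaN through. The diffstat shows only src/libinput.c changing, so nothing guards this against being simplified back to the old form; a test that passes NAN and INFINITY to libinput_device_config_accel_set_speed() and expects LIBINPUT_CONFIG_STATUS_INVALID would pin the behaviour.
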
> --
> 2.1.0
>
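
The comparison behaviour described in the commit message, as an added example that is not part of the original thread or of libinput. The helper names are hypothetical, the bounds are the ones in the hunk, and the later assert() is modelled as a boolean so the program reports the failure instead of aborting.

```c
#include <math.h>
#include <stdbool.h>
#include <stdio.h>

/* Pre-patch form: rejects only if one comparison is true. Every ordered
 * comparison with NaN is false, so NaN is accepted as "in range". */
static bool check_or_form(double speed)
{
	if (speed < -1.0 || speed > 1.0)
		return false;
	return true;
}

/* Patched form: accepts only if both comparisons are true, so NaN is
 * rejected together with every out-of-range value. */
static bool check_negated_form(double speed)
{
	if (!(speed >= -1.0 && speed <= 1.0))
		return false;
	return true;
}

/* Condition of the later assert(), modelled as a boolean so the demo
 * reports the failure instead of calling abort(). */
static bool later_assert_holds(double speed)
{
	return speed >= -1.0 && speed <= 1.0;
}

/* True when a value passes the range check yet would trip the assert. */
static bool would_abort(bool (*check)(double), double speed)
{
	return check(speed) && !later_assert_holds(speed);
}

int main(void)
{
	/* Constructed sample inputs. */
	const double samples[] = { -1.0, 0.25, 1.0, 1.5, INFINITY, -INFINITY, NAN };
	size_t i;
	printf("%10s %8s %8s\n", "speed", "old", "patched");
	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%10g %8s %8s\n", samples[i],
		       would_abort(check_or_form, samples[i]) ? "abort" :
		       check_or_form(samples[i]) ? "accept" : "invalid",
		       would_abort(check_negated_form, samples[i]) ? "abort" :
		       check_negated_form(samples[i]) ? "accept" : "invalid");
	return 0;
}
```

Only the NaN row differs between the two columns: the old form accepts it and reaches the assert, while the patched form returns invalid at the API boundary.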