From: Marc-André Lureau <[email protected]>

It's possible to reach an assert() in the input tracing code by sending
out-of-range input values via D-Bus, for example:

  #0  0x00007fec8652186c in __pthread_kill_implementation () at /lib64/libc.so.6
  #1  0x00007fec864c648e in raise () at /lib64/libc.so.6
  #2  0x00007fec864ad7b3 in abort () at /lib64/libc.so.6
  #3  0x00007fec864ae804 in __libc_message_impl.cold () at /lib64/libc.so.6
  #4  0x00007fec864be345 in __assert_fail () at /lib64/libc.so.6
  #5  0x00005597964c551e in qapi_enum_lookup[cold] ()
  #6  0x000055979650514a in qemu_input_event_send_impl ()
  #7  0x0000559796505a4d in qemu_input_queue_btn ()
  #8  0x00007fec85780c19 in dbus_mouse_press () at 
/usr/bin/../lib64/qemu/ui-dbus.so
  #9  0x00007fec857912fc in _g_dbus_codegen_marshal_BOOLEAN__OBJECT_UINT.part.0 
() at /usr/bin/../lib64/qemu/ui-dbus.so
  #10 0x00007fec874cce7c in g_closure_invoke () at /lib64/libgobject-2.0.so.0
  #11 0x00007fec874eb849 in signal_emit_unlocked_R.isra.0 () at 
/lib64/libgobject-2.0.so.0
  #12 0x00007fec874ec66f in g_signal_emitv () at /lib64/libgobject-2.0.so.0
  #13 0x00007fec85797e0a in 
_qemu_dbus_display1_mouse_skeleton_handle_method_call () at 
/usr/bin/../lib64/qemu/ui-dbus.so

Other paths in input code accept out-of-range values
(qemu_input_key_value_to_number etc). Let it pass tracing.

Reviewed-by: Daniel P. Berrangé <[email protected]>
Signed-off-by: Marc-André Lureau <[email protected]>
---
 ui/input.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/ui/input.c b/ui/input.c
index 57e7817878a..966023d4f4d 100644
--- a/ui/input.c
+++ b/ui/input.c
@@ -207,22 +207,22 @@ static void qemu_input_event_trace(QemuConsole *src, 
InputEvent *evt)
         break;
     case INPUT_EVENT_KIND_BTN:
         btn = evt->u.btn.data;
-        name = InputButton_str(btn->button);
+        name = btn->button < INPUT_BUTTON__MAX ? InputButton_str(btn->button) 
: "invalid";
         trace_input_event_btn(idx, name, btn->down);
         break;
     case INPUT_EVENT_KIND_REL:
         move = evt->u.rel.data;
-        name = InputAxis_str(move->axis);
+        name = move->axis < INPUT_AXIS__MAX ? InputAxis_str(move->axis) : 
"invalid";
         trace_input_event_rel(idx, name, move->value);
         break;
     case INPUT_EVENT_KIND_ABS:
         move = evt->u.abs.data;
-        name = InputAxis_str(move->axis);
+        name = move->axis < INPUT_AXIS__MAX ? InputAxis_str(move->axis) : 
"invalid";
         trace_input_event_abs(idx, name, move->value);
         break;
     case INPUT_EVENT_KIND_MTT:
         mtt = evt->u.mtt.data;
-        name = InputAxis_str(mtt->axis);
+        name = mtt->axis < INPUT_AXIS__MAX ? InputAxis_str(mtt->axis) : 
"invalid";
         trace_input_event_mtt(idx, name, mtt->value);
         break;
     case INPUT_EVENT_KIND__MAX:
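Review bot: The range checks added in the BTN, REL, ABS and MTT cases test only the upper bound, so they are sufficient only if the compiler gives InputButton and InputAxis an unsigned underlying type. With a signed type, a negative value would pass `btn->button < INPUT_BUTTON__MAX` and still reach the enum lookup that aborts in the quoted backtrace (presumably that lookup rejects negative indexes as well; its code is not in the hunk). Making the comparison explicitly unsigned removes that dependency, e.g. `name = (unsigned)btn->button < INPUT_BUTTON__MAX ? InputButton_str(btn->button) : "invalid";`, and likewise for the three `INPUT_AXIS__MAX` checks, which could share one small static helper so the bound lives in one place. It may also be worth tracing the raw numeric value next to "invalid" so a malformed D-Bus request can be identified from the trace output, though that needs a change to the trace event definitions, which are outside this hunk. qemu_input_event_trace starts and ends outside the hunk.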
-- 
2.54.0

