Clamp client-sent movement speed control (#15721)

Results in the `movement_x` and `movement_y` fields of `player:get_player_control()` being safe to use
(otherwise users would need to compute the length as `(x^2 + y^2)^0.5` and clamp that to 1 themselves).

src/network/serverpackethandler.cpp

@@ -30,6 +30,8 @@
 #include "util/srp.h"
 #include "clientdynamicinfo.h"
 
+#include <algorithm>
+
 void Server::handleCommand_Deprecated(NetworkPacket* pkt)
 {
 	infostream << "Server: " << toServerCommandTable[pkt->getCommand()].name
@@ -468,7 +470,11 @@ void Server::process_PlayerPos(RemotePlayer *player, PlayerSAO *playersao,
 		*pkt >> bits;
 
 	if (pkt->getRemainingBytes() >= 8) {
-		*pkt >> player->control.movement_speed;
+		f32 movement_speed;
+		*pkt >> movement_speed;
+		if (movement_speed != movement_speed) // NaN
+			movement_speed = 0.0f;
+		player->control.movement_speed = std::clamp(movement_speed, 0.0f, 1.0f);
 		*pkt >> player->control.movement_direction;
 	} else {
 		player->control.movement_speed = 0.0f;