Use caml_ba_multov instead of caml_umul_overflow

diff --git a/debian/patches/0012-Integer-overflows-when-unmarshaling-a-bigarray.patch b/debian/patches/0012-Integer-overflows-when-unmarshaling-a-bigarray.patch
index 5fc85a6aa6f27fd2cbfd638dded307a73df9555c..d982b190304422128e42fa418f276fc1436cc33c 100644 (file)
--- a/debian/patches/0012-Integer-overflows-when-unmarshaling-a-bigarray.patch
+++ b/debian/patches/0012-Integer-overflows-when-unmarshaling-a-bigarray.patch
@@ -1,5 +1,5 @@
-From: Xavier Leroy <xavier.leroy@inria.fr>
-Date: Fri, 25 Jan 2019 13:56:29 +0100
+From: Stephane Glondu <steph@glondu.net>
+Date: Fri, 25 Jan 2019 14:34:23 +0100
 Subject: Integer overflows when unmarshaling a bigarray
 
 Malicious or corrupted marshaled data can result in a bigarray
@@ -8,19 +8,22 @@ the in-memory size of the bigarray.  Disaster ensues when the data
 is read in a too small memory area.  This commit checks for overflows
 when computing the in-memory size of the bigarray.
 
+This patch has been modified from upstream one to use caml_ba_multov
+instead of caml_umul_overflow which is unavailable in OCaml 4.05.0.
+
 Origin: https://github.com/ocaml/ocaml/pull/1718
 Bug: https://caml.inria.fr/mantis/view.php?id=7765
 Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895472
 Bug-CVE: CVE-2018-9838
 ---
- otherlibs/bigarray/bigarray_stubs.c | 23 ++++++++++++++++-------
- 1 file changed, 16 insertions(+), 7 deletions(-)
+ otherlibs/bigarray/bigarray_stubs.c | 26 +++++++++++++++++++-------
+ 1 file changed, 19 insertions(+), 7 deletions(-)
 
 diff --git a/otherlibs/bigarray/bigarray_stubs.c b/otherlibs/bigarray/bigarray_stubs.c
-index cb38bef..df1ccc9 100644
+index cb38bef..995739d 100644
 --- a/otherlibs/bigarray/bigarray_stubs.c
 +++ b/otherlibs/bigarray/bigarray_stubs.c
-@@ -966,22 +966,31 @@ static void caml_ba_deserialize_longarray(void * dest, intnat num_elts)
+@@ -966,22 +966,34 @@ static void caml_ba_deserialize_longarray(void * dest, intnat num_elts)
  uintnat caml_ba_deserialize(void * dst)
  {
    struct caml_ba_array * b = dst;
@@ -28,6 +31,7 @@ index cb38bef..df1ccc9 100644
 -  uintnat num_elts;
 +  int i;
 +  uintnat num_elts, size;
++  int overflow;
  
    /* Read back header information */
    b->num_dims = caml_deserialize_uint_4();
@@ -42,16 +46,18 @@ index cb38bef..df1ccc9 100644
 +  /* Compute total number of elements.  Watch out for overflows (MPR#7765). */
 +  num_elts = 1;
 +  for (i = 0; i < b->num_dims; i++) {
-+    if (caml_umul_overflow(num_elts, b->dim[i], &num_elts))
++    overflow = 0;
++    num_elts = caml_ba_multov(num_elts, b->dim[i], &overflow);
++    if (overflow)
 +      caml_deserialize_error("input_value: size overflow for bigarray");
 +  }
 +  /* Determine array size in bytes.  Watch out for overflows (MPR#7765). */
    if ((b->flags & CAML_BA_KIND_MASK) > CAML_BA_CHAR)
      caml_deserialize_error("input_value: bad bigarray kind");
 -  elt_size = caml_ba_element_size[b->flags & CAML_BA_KIND_MASK];
-+  if (caml_umul_overflow(num_elts,
-+                         caml_ba_element_size[b->flags & CAML_BA_KIND_MASK],
-+                         &size))
++  overflow = 0;
++  size = caml_ba_multov(num_elts, caml_ba_element_size[b->flags & CAML_BA_KIND_MASK], &overflow);
++  if (overflow)
 +    caml_deserialize_error("input_value: size overflow for bigarray");
    /* Allocate room for data */
 -  b->data = malloc(elt_size * num_elts);