From 926de7f0caa13580b246b65a3d081dbc992f5371 Mon Sep 17 00:00:00 2001
From: Stephane Glondu
Date: Fri, 25 Jan 2019 14:36:36 +0100
Subject: [PATCH] Use caml_ba_multov instead of caml_umul_overflow
---
...erflows-when-unmarshaling-a-bigarray.patch | 26 ++++++++++++-------
1 file changed, 16 insertions(+), 10 deletions(-)
diff --git a/debian/patches/0012-Integer-overflows-when-unmarshaling-a-bigarray.patch b/debian/patches/0012-Integer-overflows-when-unmarshaling-a-bigarray.patch
index 5fc85a6a..d982b190 100644
--- a/debian/patches/0012-Integer-overflows-when-unmarshaling-a-bigarray.patch
+++ b/debian/patches/0012-Integer-overflows-when-unmarshaling-a-bigarray.patch
@@ -1,5 +1,5 @@
-From: Xavier Leroy
-Date: Fri, 25 Jan 2019 13:56:29 +0100
+From: Stephane Glondu
+Date: Fri, 25 Jan 2019 14:34:23 +0100
Subject: Integer overflows when unmarshaling a bigarray
Malicious or corrupted marshaled data can result in a bigarray
@@ -8,19 +8,22 @@ the in-memory size of the bigarray. Disaster ensues when the data is
read in a too small memory area. This commit checks for overflows when computing the in-memory size of the bigarray.
+This patch has been modified from upstream one to use caml_ba_multov
+instead of caml_umul_overflow which is unavailable in OCaml 4.05.0.
+
Origin: https://github.com/ocaml/ocaml/pull/1718
Bug: https://caml.inria.fr/mantis/view.php?id=7765
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895472
Bug-CVE: CVE-2018-9838
---
- otherlibs/bigarray/bigarray_stubs.c | 23 ++++++++++++++++-------
- 1 file changed, 16 insertions(+), 7 deletions(-)
+ otherlibs/bigarray/bigarray_stubs.c | 26 +++++++++++++++++++-------
+ 1 file changed, 19 insertions(+), 7 deletions(-)
diff --git a/otherlibs/bigarray/bigarray_stubs.c b/otherlibs/bigarray/bigarray_stubs.c
-index cb38bef..df1ccc9 100644
+index cb38bef..995739d 100644
--- a/otherlibs/bigarray/bigarray_stubs.c
+++ b/otherlibs/bigarray/bigarray_stubs.c
-@@ -966,22 +966,31 @@ static void caml_ba_deserialize_longarray(void * dest, intnat num_elts)
+@@ -966,22 +966,34 @@ static void caml_ba_deserialize_longarray(void * dest, intnat num_elts)
uintnat caml_ba_deserialize(void * dst)
{
struct caml_ba_array * b = dst;
@@ -28,6 +31,7 @@ index cb38bef..df1ccc9 100644
- uintnat num_elts;
+ int i;
+ uintnat num_elts, size;
++ int overflow;
/* Read back header information */
b->num_dims = caml_deserialize_uint_4();
@@ -42,16 +46,18 @@ index cb38bef..df1ccc9 100644
+ /* Compute total number of elements. Watch out for overflows (MPR#7765). */
+ num_elts = 1;
+ for (i = 0; i < b->num_dims; i++) {
-+ if (caml_umul_overflow(num_elts, b->dim[i], &num_elts))
++ overflow = 0;
++ num_elts = caml_ba_multov(num_elts, b->dim[i], &overflow);
++ if (overflow)
+ caml_deserialize_error("input_value: size overflow for bigarray");
+ }
+ /* Determine array size in bytes. Watch out for overflows (MPR#7765). */
if ((b->flags & CAML_BA_KIND_MASK) > CAML_BA_CHAR)
caml_deserialize_error("input_value: bad bigarray kind");
- elt_size = caml_ba_element_size[b->flags & CAML_BA_KIND_MASK];
-+ if (caml_umul_overflow(num_elts,
-+ caml_ba_element_size[b->flags & CAML_BA_KIND_MASK],
-+ &size))
++ overflow = 0;
++ size = caml_ba_multov(num_elts, caml_ba_element_size[b->flags & CAML_BA_KIND_MASK], &overflow);
++ if (overflow)
+ caml_deserialize_error("input_value: size overflow for bigarray");
/* Allocate room for data */
- b->data = malloc(elt_size * num_elts);
--
2.30.2
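Review bot: The second `caml_ba_multov` call in the last hunk, `size = caml_ba_multov(num_elts, caml_ba_element_size[b->flags & CAML_BA_KIND_MASK], &overflow);`, is written on one line well past 80 columns, while the `caml_umul_overflow` call it replaces was wrapped over three lines; putting the `caml_ba_element_size[...]` argument on its own continuation line keeps the width of the surrounding code. The `overflow = 0;` reset before that call looks redundant, since `overflow` can only still be non-zero there if the loop's `caml_deserialize_error` returned, which I take it does not; initializing once at the declaration as `int overflow = 0;` would read more simply, though the per-call reset is harmless. If, as its use here suggests, `caml_ba_multov` only ever sets `*overflow` and never clears it, then checking immediately after each multiply as done here is the stricter form and correctly keeps a wrapped element count or byte size from reaching the allocation. `caml_ba_deserialize` continues outside the hunk, including the `malloc` that consumes `size`.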