dev-lang/ocaml: add CVE-2018-9838 patch to 4.05.0

Closes: https://bugs.gentoo.org/755257
Bug: https://bugs.gentoo.org/719134
Signed-off-by: Sam James <sam@gentoo.org>

1 files changed, 70 insertions, 0 deletions

diff --git a/dev-lang/ocaml/files/ocaml-4.05.0-CVE-2018-9838.patch b/dev-lang/ocaml/files/ocaml-4.05.0-CVE-2018-9838.patch
new file mode 100644
index 000000000000..cfe3ff636c25
--- /dev/null
+++ b/dev-lang/ocaml/files/ocaml-4.05.0-CVE-2018-9838.patch
@@ -0,0 +1,70 @@
+https://bugs.gentoo.org/755257
+
+Needed for both fixing the CVE + compatibility with Debian for e.g.
+Unison.
+
+From c6ca3afc78b75d7748e4e09e56c6b020418be06e Mon Sep 17 00:00:00 2001
+From: Stephane Glondu <steph@glondu.net>
+Date: Fri, 25 Jan 2019 14:34:23 +0100
+Subject: [PATCH] Fix integer overflows when unmarshaling a bigarray
+
+Malicious or corrupted marshaled data can result in a bigarray
+with impossibly large dimensions that cause overflow when computing
+the in-memory size of the bigarray.  Disaster ensues when the data
+is read in a too small memory area.  This commit checks for overflows
+when computing the in-memory size of the bigarray.
+
+This patch is based on one by Xavier Leroy and has been modified to
+use caml_ba_multov instead of caml_umul_overflow which is unavailable
+in OCaml 4.05.0.
+
+The original commit hash is 85162eee9d4072fa9c2f498f03cd94e357033eec.
+
+Origin: https://github.com/ocaml/ocaml/pull/1718
+Bug: https://github.com/ocaml/ocaml/issues/7765
+Bug-Debian: https://bugs.debian.org/895472
+Bug-CVE: CVE-2018-9838
+--- a/otherlibs/bigarray/bigarray_stubs.c
++++ b/otherlibs/bigarray/bigarray_stubs.c
+@@ -966,22 +966,34 @@ static void caml_ba_deserialize_longarray(void * dest, intnat num_elts)
+ uintnat caml_ba_deserialize(void * dst)
+ {
+   struct caml_ba_array * b = dst;
+-  int i, elt_size;
+-  uintnat num_elts;
++  int i;
++  uintnat num_elts, size;
++  int overflow;
+ 
+   /* Read back header information */
+   b->num_dims = caml_deserialize_uint_4();
++  if (b->num_dims < 0 || b->num_dims > CAML_BA_MAX_NUM_DIMS)
++    caml_deserialize_error("input_value: wrong number of bigarray dimensions");
+   b->flags = caml_deserialize_uint_4() | CAML_BA_MANAGED;
+   b->proxy = NULL;
+   for (i = 0; i < b->num_dims; i++) b->dim[i] = caml_deserialize_uint_4();
+-  /* Compute total number of elements */
+-  num_elts = caml_ba_num_elts(b);
+-  /* Determine element size in bytes */
++  /* Compute total number of elements.  Watch out for overflows (MPR#7765). */
++  num_elts = 1;
++  for (i = 0; i < b->num_dims; i++) {
++    overflow = 0;
++    num_elts = caml_ba_multov(num_elts, b->dim[i], &overflow);
++    if (overflow)
++      caml_deserialize_error("input_value: size overflow for bigarray");
++  }
++  /* Determine array size in bytes.  Watch out for overflows (MPR#7765). */
+   if ((b->flags & CAML_BA_KIND_MASK) > CAML_BA_CHAR)
+     caml_deserialize_error("input_value: bad bigarray kind");
+-  elt_size = caml_ba_element_size[b->flags & CAML_BA_KIND_MASK];
++  overflow = 0;
++  size = caml_ba_multov(num_elts, caml_ba_element_size[b->flags & CAML_BA_KIND_MASK], &overflow);
++  if (overflow)
++    caml_deserialize_error("input_value: size overflow for bigarray");
+   /* Allocate room for data */
+-  b->data = malloc(elt_size * num_elts);
++  b->data = malloc(size);
+   if (b->data == NULL)
+     caml_deserialize_error("input_value: out of memory for bigarray");
+   /* Read data */