From a4b4bbf039358ac3df1e68daf4e18057ba9ce377 Mon Sep 17 00:00:00 2001
From: "mergify[bot]" <37929162+mergify[bot]@users.noreply.github.com>
Date: Thu, 4 Feb 2021 00:09:56 +0000
Subject: [PATCH] Fix integer overflow in degenerate invoke_signed BPF syscalls (bp #15051) (#15070)
* Fix integer overflow in degenerate invoke_signed BPF syscalls (#15051)
(cherry picked from commit ebbaa1f8ea4d12c44d0ca0392e2a1712968bc372)
# Conflicts:
# programs/bpf_loader/src/syscalls.rs
* resolve conflicts
Co-authored-by: Mrmaxmeier
Co-authored-by: Jack May
---
 programs/bpf_loader/src/syscalls.rs | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/programs/bpf_loader/src/syscalls.rs b/programs/bpf_loader/src/syscalls.rs
index 66fb96ead0..eb65132d23 100644
--- a/programs/bpf_loader/src/syscalls.rs
+++ b/programs/bpf_loader/src/syscalls.rs
@@ -1270,7 +1270,10 @@ fn check_instruction_size(
 data_len: usize,
 max_size: usize,
 ) -> Result<(), EbpfError> {
- if max_size < num_accounts * size_of::() + data_len {
+ let size = num_accounts
+ .saturating_mul(size_of::())
+ .saturating_add(data_len);
+ if size > max_size {
 return Err(
 SyscallError::InstructionError(InstructionError::ComputationalBudgetExceeded).into(),
 );
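Review bot: The new `if size > max_size` check in `check_instruction_size` rejects an overflowing request only while `max_size` is below `usize::MAX`, because a saturated product or sum clamps to exactly `usize::MAX` and then compares as not greater. Callers presumably pass a much smaller limit, but that invariant is not visible in this hunk, so either state it in a comment above the computation (`// saturates to usize::MAX on overflow; relies on max_size < usize::MAX`) or build `size` with `checked_mul`/`checked_add` and reject `None` explicitly, e.g. `if size.map_or(true, |s| s > max_size) {`. The diffstat shows only this one file with four insertions, so no regression test accompanies the fix; a unit test that calls `check_instruction_size` with `usize::MAX` for `num_accounts` and for `data_len` and asserts the `ComputationalBudgetExceeded` error would pin the behaviour. The function starts before and continues past the hunk, so the success path is not visible here.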