From ebbaa1f8ea4d12c44d0ca0392e2a1712968bc372 Mon Sep 17 00:00:00 2001
From: Mrmaxmeier
Date: Wed, 3 Feb 2021 22:32:38 +0100
Subject: [PATCH] Fix integer overflow in degenerate invoke_signed BPF syscalls (#15051)
---
 programs/bpf_loader/src/syscalls.rs | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/programs/bpf_loader/src/syscalls.rs b/programs/bpf_loader/src/syscalls.rs
index 2dc567b137..e6e2bbf1ab 100644
--- a/programs/bpf_loader/src/syscalls.rs
+++ b/programs/bpf_loader/src/syscalls.rs
@@ -348,7 +348,7 @@ fn translate_slice_inner<'a, T>(
     {
         Err(SyscallError::UnalignedPointer.into())
     } else if len == 0 {
-        Ok(unsafe { from_raw_parts_mut(0x1 as *mut T, len as usize) })
+        Ok(&mut [])
     } else {
         match translate(
             memory_mapping,
@@ -1471,7 +1471,9 @@ fn check_instruction_size(
     data_len: usize,
     invoke_context: &Ref<&mut dyn InvokeContext>,
 ) -> Result<(), EbpfError> {
-    let size = num_accounts * size_of::() + data_len;
+    let size = num_accounts
+        .saturating_mul(size_of::())
+        .saturating_add(data_len);
     let max_size = invoke_context
         .get_bpf_compute_budget()
         .max_cpi_instruction_size;
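Review bot: The new `Ok(&mut [])` in the `len == 0` arm deserves a comment on why the raw-pointer form was dropped, otherwise a later reader may reintroduce a zero-length slice built from an arbitrary address; suggest `// Never fabricate even an empty slice from a raw address: 0x1 is unaligned for any T with align > 1, so a static empty slice is returned instead.` The empty slice is assumed to coerce to the function's `'a` lifetime as the patch shows, since the signature and the remaining guards are not visible here. translate_slice_inner starts before and continues after this hunk.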
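Review bot: The saturating arithmetic on the new `let size` lines is only a complete fix if the comparison that follows treats a saturated `usize::MAX` as over the limit; that comparison against `max_size` lies outside the hunk, so I'd confirm it is `size > max_size` (or equivalent) rather than an equality or a subtraction that could still misbehave at the saturated value. A short comment would keep the intent from being "simplified" away later: `// Saturate rather than wrap: a wrapped product could land below max_cpi_instruction_size and bypass the limit.` A regression test passing `num_accounts = usize::MAX` with `data_len = 0` and asserting that the check returns an error would pin the behaviour. The generic argument of `size_of::()` appears stripped in this rendering of the patch, so the real type should be verified in the file. check_instruction_size's body continues past the hunk.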