From 9728f19f59ce7bfda2601bd14f06ad1b284e2e77 Mon Sep 17 00:00:00 2001
From: Project Nayuki <me@nayuki.io>
Date: Mon, 26 Feb 2018 20:29:25 +0000
Subject: [PATCH] Added integer overflow checks to toSvgString() in Java, C++,
 Rust code; added checks to toImage() in Java code.

---
 cpp/QrCode.cpp                       | 3 +++
 java/io/nayuki/qrcodegen/QrCode.java | 6 ++++++
 rust/src/lib.rs                      | 4 ++--
 3 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/cpp/QrCode.cpp b/cpp/QrCode.cpp
index b62afe3..75a5473 100644
--- a/cpp/QrCode.cpp
+++ b/cpp/QrCode.cpp
@@ -157,6 +157,9 @@ bool QrCode::getModule(int x, int y) const {
 std::string QrCode::toSvgString(int border) const {
 	if (border < 0)
 		throw "Border must be non-negative";
+	if (border > INT_MAX / 2 || border * 2 > INT_MAX - size)
+		throw "Border too large";
+	
 	std::ostringstream sb;
 	sb << "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n";
 	sb << "<!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 1.1//EN\" \"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd\">\n";
diff --git a/java/io/nayuki/qrcodegen/QrCode.java b/java/io/nayuki/qrcodegen/QrCode.java
index 68d35ca..5f64ca2 100644
--- a/java/io/nayuki/qrcodegen/QrCode.java
+++ b/java/io/nayuki/qrcodegen/QrCode.java
@@ -258,6 +258,9 @@ public final class QrCode {
 	public BufferedImage toImage(int scale, int border) {
 		if (scale <= 0 || border < 0)
 			throw new IllegalArgumentException("Value out of range");
+		if (border > Integer.MAX_VALUE / 2 || size + border * 2L > Integer.MAX_VALUE / scale)
+			throw new IllegalArgumentException("Scale or border too large");
+		
 		BufferedImage result = new BufferedImage((size + border * 2) * scale, (size + border * 2) * scale, BufferedImage.TYPE_INT_RGB);
 		for (int y = 0; y < result.getHeight(); y++) {
 			for (int x = 0; x < result.getWidth(); x++) {
@@ -279,6 +282,9 @@ public final class QrCode {
 	public String toSvgString(int border) {
 		if (border < 0)
 			throw new IllegalArgumentException("Border must be non-negative");
+		if (size + border * 2L > Integer.MAX_VALUE)
+			throw new IllegalArgumentException("Border too large");
+		
 		StringBuilder sb = new StringBuilder();
 		sb.append("<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n");
 		sb.append("<!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 1.1//EN\" \"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd\">\n");
diff --git a/rust/src/lib.rs b/rust/src/lib.rs
index 8387f58..d4b41ae 100644
--- a/rust/src/lib.rs
+++ b/rust/src/lib.rs
@@ -240,9 +240,9 @@ impl QrCode {
 		let mut result: String = String::new();
 		result.push_str("<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n");
 		result.push_str("<!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 1.1//EN\" \"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd\">\n");
+		let dimension = self.size.checked_add(border.checked_mul(2).unwrap()).unwrap();
 		result.push_str(&format!(
-			"<svg xmlns=\"http://www.w3.org/2000/svg\" version=\"1.1\" viewBox=\"0 0 {0} {0}\" stroke=\"none\">\n",
-			self.size + border * 2));
+			"<svg xmlns=\"http://www.w3.org/2000/svg\" version=\"1.1\" viewBox=\"0 0 {0} {0}\" stroke=\"none\">\n", dimension));
 		result.push_str("\t<rect width=\"100%\" height=\"100%\" fill=\"#FFFFFF\"/>\n");
 		result.push_str("\t<path d=\"");
 		let mut head: bool = true;