ziggi/mstore
1
0
Fork 0
Code Pull Requests Actions Packages Projects Releases Wiki Activity

updated vendor

Browse Source
This commit is contained in:
Олег Бородин
2026-06-16 08:02:19 +02:00
parent 2f7f99d3f0
commit 77299d0c64
1283 changed files with 67302 additions and 208958 deletions
Download Patch File Download Diff File Expand all files Collapse all files
vendor/oras.land/oras-go/v2/content/reader.go
Vendored
+7 -1
View File
@@ -24,6 +24,12 @@ import (
ocispec "github.com/opencontainers/image-spec/specs-go/v1"
)
// maxDescriptorSize is the upper-bound for descriptor sizes accepted by
// ReadAll. Descriptors sourced from attacker-supplied OCI layouts can carry
// arbitrarily large Size values; without this cap, make([]byte, desc.Size)
// triggers a runtime panic before any allocation occurs.
const maxDescriptorSize = 32 * 1024 * 1024 // 32 MiB
var (
// ErrInvalidDescriptorSize is returned by ReadAll() when
// the descriptor has an invalid size.
@@ -119,7 +125,7 @@ func NewVerifyReader(r io.Reader, desc ocispec.Descriptor) *VerifyReader {
// The read content is verified against the size and the digest
// using a VerifyReader.
func ReadAll(r io.Reader, desc ocispec.Descriptor) ([]byte, error) {
if desc.Size < 0 {
if desc.Size < 0 || desc.Size > maxDescriptorSize {
return nil, ErrInvalidDescriptorSize
}
buf := make([]byte, desc.Size)