From e1ec32e24f11bb3f003ef876e404777c1041349b Mon Sep 17 00:00:00 2001
From: bwzhang <zhangbowei@kylinos.cn>
Date: Wed, 13 Mar 2024 15:03:38 +0800
Subject: [PATCH] Fix CVE-2023-25153
---
images/archive/importer.go | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/images/archive/importer.go b/images/archive/importer.go
|
|
index c531049..8ba3206 100644
|
|
--- a/images/archive/importer.go
|
|
+++ b/images/archive/importer.go
|
|
@@ -232,12 +232,14 @@ func ImportIndex(ctx context.Context, store content.Store, reader io.Reader, opt
|
|
return writeManifest(ctx, store, idx, ocispec.MediaTypeImageIndex)
|
|
}
|
|
|
|
+const (
|
|
+ kib = 1024
|
|
+ mib = 1024 * kib
|
|
+ jsonLimit = 20 * mib
|
|
+)
|
|
+
|
|
func onUntarJSON(r io.Reader, j interface{}) error {
|
|
- b, err := io.ReadAll(r)
|
|
- if err != nil {
|
|
- return err
|
|
- }
|
|
- return json.Unmarshal(b, j)
|
|
+ return json.NewDecoder(io.LimitReader(r, jsonLimit)).Decode(j)
|
|
}
|
|
|
|
func onUntarBlob(ctx context.Context, r io.Reader, store content.Ingester, size int64, ref string) (digest.Digest, error) {
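Review bot: The new body of onUntarJSON silently accepts trailing bytes after the first JSON value, whereas the removed json.Unmarshal call rejected them ("invalid character after top-level value"), so a manifest or config entry followed by garbage now parses where it previously failed. The size cap itself is the right fix for the unbounded io.ReadAll, but when an entry exceeds jsonLimit the caller only sees the decoder's generic unexpected-EOF error, which gives no hint that the 20 MiB limit was hit; a comment on jsonLimit such as `// jsonLimit caps manifest/config JSON read from the tar to bound memory use` would help the next reader. The rewrite below keeps the cap and restores the trailing-data check; it needs an error constructor (fmt.Errorf or errors.New), which I assume this file already imports — confirm. onUntarBlob's body continues outside the hunk.
```go
func onUntarJSON(r io.Reader, j interface{}) error {
	// Bound the bytes held in memory per JSON entry; an oversized entry is
	// truncated at jsonLimit and the decoder then fails.
	dec := json.NewDecoder(io.LimitReader(r, jsonLimit))
	if err := dec.Decode(j); err != nil {
		return err
	}
	// json.Unmarshal rejected data after the top-level value; Decoder.Decode
	// does not, so check explicitly to keep the previous behaviour.
	if _, err := dec.Token(); err != io.EOF {
		return fmt.Errorf("unexpected data after JSON document")
	}
	return nil
}
```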
|
|
--
2.20.1