From 8d4761092d2405bc83b6cafbd3d42c028045e8ac Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 7 Jul 2026 10:35:24 +0000 Subject: [PATCH] chore(deps): bump golang.org/x/image from 0.38.0 to 0.41.0 Bumps [golang.org/x/image](https://github.com/golang/image) from 0.38.0 to 0.41.0. - [Commits](https://github.com/golang/image/compare/v0.38.0...v0.41.0) --- updated-dependencies: - dependency-name: golang.org/x/image dependency-version: 0.41.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] --- go.mod | 4 ++-- go.sum | 8 ++++---- vendor/golang.org/x/image/font/sfnt/sfnt.go | 16 ++++++++++++++-- vendor/golang.org/x/image/tiff/compress.go | 8 ++++++-- vendor/golang.org/x/image/tiff/reader.go | 6 +++++- vendor/golang.org/x/image/tiff/writer.go | 4 ++++ vendor/modules.txt | 4 ++-- 7 files changed, 37 insertions(+), 13 deletions(-) diff --git a/go.mod b/go.mod index 0428674..3495c2e 100644 --- a/go.mod +++ b/go.mod @@ -22,8 +22,8 @@ require ( github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/spf13/pflag v1.0.10 // indirect - golang.org/x/image v0.38.0 // indirect - golang.org/x/text v0.35.0 // indirect + golang.org/x/image v0.41.0 // indirect + golang.org/x/text v0.37.0 // indirect gonum.org/v1/plot v0.16.0 // indirect ) diff --git a/go.sum b/go.sum index e86293c..c6b312d 100644 --- a/go.sum +++ b/go.sum @@ -70,8 +70,8 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts= golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos= -golang.org/x/image v0.38.0 h1:5l+q+Y9JDC7mBOMjo4/aPhMDcxEptsX+Tt3GgRQRPuE= -golang.org/x/image v0.38.0/go.mod h1:/3f6vaXC+6CEanU4KJxbcUZyEePbyKbaLoDOe4ehFYY= +golang.org/x/image v0.41.0 h1:8wS72eGJMJaBxK6okTzd4WaXumUlTVlb753MlsSvTCo= +golang.org/x/image v0.41.0/go.mod h1:uIc348UZMSvS5Z65CVZ7iDPaNobNFEPeJ4kbqTOszmA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= @@ -90,8 +90,8 @@ golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.35.0 h1:JOVx6vVDFokkpaq1AEptVzLTpDe9KGpj5tR4/X+ybL8= -golang.org/x/text v0.35.0/go.mod h1:khi/HExzZJ2pGnjenulevKNX1W67CUy0AsXcNubPGCA= +golang.org/x/text v0.37.0 h1:Cqjiwd9eSg8e0QAkyCaQTNHFIIzWtidPahFWR83rTrc= +golang.org/x/text v0.37.0/go.mod h1:a5sjxXGs9hsn/AJVwuElvCAo9v8QYLzvavO5z2PiM38= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= diff --git a/vendor/golang.org/x/image/font/sfnt/sfnt.go b/vendor/golang.org/x/image/font/sfnt/sfnt.go index 8ed19e2..d1ef8a6 100644 --- a/vendor/golang.org/x/image/font/sfnt/sfnt.go +++ b/vendor/golang.org/x/image/font/sfnt/sfnt.go @@ -214,8 +214,9 @@ func u32(b []byte) uint32 { // copying from the source to a caller-supplied buffer, and instead provide // direct access to the underlying []byte data. type source struct { - b []byte - r io.ReaderAt + b []byte + r io.ReaderAt + minSize int // r is known to contain at least minSize bytes // TODO: add a caching layer, if we're using the io.ReaderAt? Note that // this might make a source no longer safe to use concurrently. @@ -255,6 +256,17 @@ func (s *source) view(buf []byte, offset, length int) ([]byte, error) { return s.b[offset : offset+length], nil } + if end := offset + length; end > s.minSize && length > 1<<20 { + // We're reading more than 1MiB, and we don't know whether + // the file contains this data. Check that the data exists + // before we try to allocate. + var oneByte [1]byte + if n, err := s.r.ReadAt(oneByte[:], int64(end)-1); err != nil || n != 1 { + return nil, errInvalidBounds + } + s.minSize = end + } + // Read from the io.ReaderAt. if length <= cap(buf) { buf = buf[:length] diff --git a/vendor/golang.org/x/image/tiff/compress.go b/vendor/golang.org/x/image/tiff/compress.go index 3f176f0..1520b57 100644 --- a/vendor/golang.org/x/image/tiff/compress.go +++ b/vendor/golang.org/x/image/tiff/compress.go @@ -15,11 +15,12 @@ type byteReader interface { } // unpackBits decodes the PackBits-compressed data in src and returns the -// uncompressed data. +// uncompressed data. The output size is limited to lim bytes to prevent +// decompression bombs. // // The PackBits compression format is described in section 9 (p. 42) // of the TIFF spec. -func unpackBits(r io.Reader) ([]byte, error) { +func unpackBits(r io.Reader, lim int64) ([]byte, error) { buf := make([]byte, 128) dst := make([]byte, 0, 1024) br, ok := r.(byteReader) @@ -54,5 +55,8 @@ func unpackBits(r io.Reader) ([]byte, error) { } dst = append(dst, buf[:1-code]...) } + if int64(len(dst)) > lim { + return nil, FormatError("PackBits: decompressed data too large") + } } } diff --git a/vendor/golang.org/x/image/tiff/reader.go b/vendor/golang.org/x/image/tiff/reader.go index 4c1de45..297a4cf 100644 --- a/vendor/golang.org/x/image/tiff/reader.go +++ b/vendor/golang.org/x/image/tiff/reader.go @@ -11,6 +11,7 @@ import ( "bytes" "compress/zlib" "encoding/binary" + "errors" "fmt" "image" "image/color" @@ -500,6 +501,9 @@ func newDecoder(r io.Reader) (*decoder, error) { d.config.Width = int(d.firstVal(tImageWidth)) d.config.Height = int(d.firstVal(tImageLength)) + if d.config.Width == 0 || d.config.Height == 0 { + return nil, errors.New("tiff: zero-size image") + } if _, ok := d.features[tBitsPerSample]; !ok { // Default is 1 per specification. @@ -752,7 +756,7 @@ func Decode(r io.Reader) (img image.Image, err error) { d.buf, err = readBuf(r, d.buf, blockMaxDataSize) r.Close() case cPackBits: - d.buf, err = unpackBits(io.NewSectionReader(d.r, offset, n)) + d.buf, err = unpackBits(io.NewSectionReader(d.r, offset, n), blockMaxDataSize) default: err = UnsupportedError(fmt.Sprintf("compression value %d", d.firstVal(tCompression))) } diff --git a/vendor/golang.org/x/image/tiff/writer.go b/vendor/golang.org/x/image/tiff/writer.go index 5d46184..b7b47a1 100644 --- a/vendor/golang.org/x/image/tiff/writer.go +++ b/vendor/golang.org/x/image/tiff/writer.go @@ -292,6 +292,10 @@ type Options struct { func Encode(w io.Writer, m image.Image, opt *Options) error { d := m.Bounds().Size() + if d.X == 0 || d.Y == 0 { + return errors.New("tiff: zero-size image") + } + compression := uint32(cNone) predictor := false if opt != nil { diff --git a/vendor/modules.txt b/vendor/modules.txt index c6ad72c..756caf2 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -92,7 +92,7 @@ golang.org/x/crypto/internal/alias golang.org/x/crypto/internal/poly1305 golang.org/x/crypto/nacl/secretbox golang.org/x/crypto/salsa20/salsa -# golang.org/x/image v0.38.0 +# golang.org/x/image v0.41.0 ## explicit; go 1.25.0 golang.org/x/image/ccitt golang.org/x/image/draw @@ -114,7 +114,7 @@ golang.org/x/image/vector golang.org/x/sys/cpu golang.org/x/sys/unix golang.org/x/sys/windows -# golang.org/x/text v0.35.0 +# golang.org/x/text v0.37.0 ## explicit; go 1.25.0 golang.org/x/text/encoding golang.org/x/text/encoding/charmap