vendor: update containers/image

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

vendor/github.com/sylabs/sif/v2/pkg/sif/create.go

@@ -12,33 +12,47 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"math"
 	"os"
 	"time"
 
 	"github.com/google/uuid"
 )
 
+var errAlignmentOverflow = errors.New("integer overflow when calculating alignment")
+
 // nextAligned finds the next offset that satisfies alignment.
-func nextAligned(offset int64, alignment int) int64 {
+func nextAligned(offset int64, alignment int) (int64, error) {
 	align64 := uint64(alignment)
 	offset64 := uint64(offset)
 
-	if align64 != 0 && offset64%align64 != 0 {
-		offset64 = (offset64 & ^(align64 - 1)) + align64
+	if align64 <= 0 || offset64%align64 == 0 {
+		return offset, nil
 	}
 
-	return int64(offset64)
+	offset64 += (align64 - offset64%align64)
+
+	if offset64 > math.MaxInt64 {
+		return 0, errAlignmentOverflow
+	}
+
+	//nolint:gosec // Overflow handled above.
+	return int64(offset64), nil
 }
 
 // writeDataObjectAt writes the data object described by di to ws, using time t, recording details
 // in d. The object is written at the first position that satisfies the alignment requirements
 // described by di following offsetUnaligned.
 func writeDataObjectAt(ws io.WriteSeeker, offsetUnaligned int64, di DescriptorInput, t time.Time, d *rawDescriptor) error { //nolint:lll
-	offset, err := ws.Seek(nextAligned(offsetUnaligned, di.opts.alignment), io.SeekStart)
+	offset, err := nextAligned(offsetUnaligned, di.opts.alignment)
 	if err != nil {
 		return err
 	}
 
+	if _, err := ws.Seek(offset, io.SeekStart); err != nil {
+		return err
+	}
+
 	n, err := io.Copy(ws, di.r)
 	if err != nil {
 		return err
@@ -72,6 +86,7 @@ func (f *FileImage) calculatedDataSize() int64 {
 var (
 	errInsufficientCapacity = errors.New("insufficient descriptor capacity to add data object(s) to image")
 	errPrimaryPartition     = errors.New("image already contains a primary partition")
+	errObjectIDOverflow     = errors.New("object ID would overflow")
 )
 
 // writeDataObject writes the data object described by di to f, using time t, recording details in
@@ -81,6 +96,11 @@ func (f *FileImage) writeDataObject(i int, di DescriptorInput, t time.Time) erro
 		return errInsufficientCapacity
 	}
 
+	// We derive the ID from i, so make sure the ID will not overflow.
+	if int64(i) >= math.MaxUint32 {
+		return errObjectIDOverflow
+	}
+
 	// If this is a primary partition, verify there isn't another primary partition, and update the
 	// architecture in the global header.
 	if p, ok := di.opts.md.(partition); ok && p.Parttype == PartPrimSys {
@@ -92,7 +112,7 @@ func (f *FileImage) writeDataObject(i int, di DescriptorInput, t time.Time) erro
 	}
 
 	d := &f.rds[i]
-	d.ID = uint32(i) + 1
+	d.ID = uint32(i) + 1 //nolint:gosec // Overflow handled above.
 
 	f.h.DataSize = f.calculatedDataSize()
 
@@ -213,8 +233,16 @@ func OptCreateWithCloseOnUnload(b bool) CreateOpt {
 	}
 }
 
+var errDescriptorCapacityNotSupported = errors.New("descriptor capacity not supported")
+
 // createContainer creates a new SIF container file in rw, according to opts.
 func createContainer(rw ReadWriter, co createOpts) (*FileImage, error) {
+	// The supported number of descriptors is limited by the unsigned 32-bit ID field in each
+	// rawDescriptor.
+	if co.descriptorCapacity >= math.MaxUint32 {
+		return nil, errDescriptorCapacityNotSupported
+	}
+
 	rds := make([]rawDescriptor, co.descriptorCapacity)
 	rdsSize := int64(binary.Size(rds))