From eac11ef908480df8e2f6375c84d52d3d25e1f70a Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 12 May 2026 06:01:13 +0000
Subject: [PATCH] build(deps): bump golang.org/x/image from 0.38.0 to 0.40.0

Bumps [golang.org/x/image](https://github.com/golang/image) from 0.38.0 to 0.40.0.
- [Commits](https://github.com/golang/image/compare/v0.38.0...v0.40.0)

---
updated-dependencies:
- dependency-name: golang.org/x/image
dependency-version: 0.40.0
dependency-type: direct:production
update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot]
---
 go.mod | 4 ++--
 go.sum | 8 ++++----
 vendor/golang.org/x/image/font/sfnt/sfnt.go | 16 ++++++++++++++--
 vendor/golang.org/x/image/tiff/reader.go | 4 ++++
 vendor/golang.org/x/image/tiff/writer.go | 4 ++++
 vendor/golang.org/x/image/webp/decode.go | 6 ++++++
 vendor/modules.txt | 4 ++--
 7 files changed, 36 insertions(+), 10 deletions(-)

diff --git a/go.mod b/go.mod
index 57733da7b1..2c791c8d88 100644
--- a/go.mod
+++ b/go.mod
@@ -105,12 +105,12 @@ require (
 go.opentelemetry.io/otel/trace v1.43.0
 golang.org/x/crypto v0.50.0
 golang.org/x/exp v0.0.0-20250210185358-939b2ce775ac
- golang.org/x/image v0.38.0
+ golang.org/x/image v0.40.0
 golang.org/x/net v0.53.0
 golang.org/x/oauth2 v0.36.0
 golang.org/x/sync v0.20.0
 golang.org/x/term v0.42.0
- golang.org/x/text v0.36.0
+ golang.org/x/text v0.37.0
 google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9
 google.golang.org/grpc v1.80.0
 google.golang.org/protobuf v1.36.11
diff --git a/go.sum b/go.sum
index 1f0860d8bc..a74fa54d05 100644
--- a/go.sum
+++ b/go.sum
@@ -1378,8 +1378,8 @@ golang.org/x/exp v0.0.0-20250210185358-939b2ce775ac h1:l5+whBCLH3iH2ZNHYLbAe58bo
 golang.org/x/exp v0.0.0-20250210185358-939b2ce775ac/go.mod h1:hH+7mtFmImwwcMvScyxUhjuVHR3HGaDPMn9rMSUUbxo=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
-golang.org/x/image v0.38.0 h1:5l+q+Y9JDC7mBOMjo4/aPhMDcxEptsX+Tt3GgRQRPuE=
-golang.org/x/image v0.38.0/go.mod h1:/3f6vaXC+6CEanU4KJxbcUZyEePbyKbaLoDOe4ehFYY=
+golang.org/x/image v0.40.0 h1:Tw4GyDXMo+daZN1znreBRC3VayR1aLFUyUEOLUdW1a8=
+golang.org/x/image v0.40.0/go.mod h1:uIc348UZMSvS5Z65CVZ7iDPaNobNFEPeJ4kbqTOszmA=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
 golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
@@ -1584,8 +1584,8 @@ golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=
-golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164=
+golang.org/x/text v0.37.0 h1:Cqjiwd9eSg8e0QAkyCaQTNHFIIzWtidPahFWR83rTrc=
+golang.org/x/text v0.37.0/go.mod h1:a5sjxXGs9hsn/AJVwuElvCAo9v8QYLzvavO5z2PiM38=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
diff --git a/vendor/golang.org/x/image/font/sfnt/sfnt.go b/vendor/golang.org/x/image/font/sfnt/sfnt.go
index 8ed19e21a9..d1ef8a6a08 100644
--- a/vendor/golang.org/x/image/font/sfnt/sfnt.go
+++ b/vendor/golang.org/x/image/font/sfnt/sfnt.go
@@ -214,8 +214,9 @@ func u32(b []byte) uint32 {
 // copying from the source to a caller-supplied buffer, and instead provide
 // direct access to the underlying []byte data.
 type source struct {
- b []byte
- r io.ReaderAt
+ b []byte
+ r io.ReaderAt
+ minSize int // r is known to contain at least minSize bytes
 
 // TODO: add a caching layer, if we're using the io.ReaderAt? Note that
 // this might make a source no longer safe to use concurrently.
@@ -255,6 +256,17 @@ func (s *source) view(buf []byte, offset, length int) ([]byte, error) {
 return s.b[offset : offset+length], nil
 }
 
+ if end := offset + length; end > s.minSize && length > 1<<20 {
+ // We're reading more than 1MiB, and we don't know whether
+ // the file contains this data. Check that the data exists
+ // before we try to allocate.
+ var oneByte [1]byte
+ if n, err := s.r.ReadAt(oneByte[:], int64(end)-1); err != nil || n != 1 {
+ return nil, errInvalidBounds
+ }
+ s.minSize = end
+ }
+
 // Read from the io.ReaderAt.
 if length <= cap(buf) {
 buf = buf[:length]
diff --git a/vendor/golang.org/x/image/tiff/reader.go b/vendor/golang.org/x/image/tiff/reader.go
index 4c1de45f7e..882899d859 100644
--- a/vendor/golang.org/x/image/tiff/reader.go
+++ b/vendor/golang.org/x/image/tiff/reader.go
@@ -11,6 +11,7 @@ import (
 "bytes"
 "compress/zlib"
 "encoding/binary"
+ "errors"
 "fmt"
 "image"
 "image/color"
@@ -500,6 +501,9 @@ func newDecoder(r io.Reader) (*decoder, error) {
 
 d.config.Width = int(d.firstVal(tImageWidth))
 d.config.Height = int(d.firstVal(tImageLength))
 
+ if d.config.Width == 0 || d.config.Height == 0 {
+ return nil, errors.New("tiff: zero-size image")
+ }
 if _, ok := d.features[tBitsPerSample]; !ok {
 // Default is 1 per specification.
diff --git a/vendor/golang.org/x/image/tiff/writer.go b/vendor/golang.org/x/image/tiff/writer.go
index 5d461841c0..b7b47a17b3 100644
--- a/vendor/golang.org/x/image/tiff/writer.go
+++ b/vendor/golang.org/x/image/tiff/writer.go
@@ -292,6 +292,10 @@ type Options struct {
 func Encode(w io.Writer, m image.Image, opt *Options) error {
 d := m.Bounds().Size()
 
+ if d.X == 0 || d.Y == 0 {
+ return errors.New("tiff: zero-size image")
+ }
+
 compression := uint32(cNone)
 predictor := false
 if opt != nil {
diff --git a/vendor/golang.org/x/image/webp/decode.go b/vendor/golang.org/x/image/webp/decode.go
index 2371808f42..15dc0ee556 100644
--- a/vendor/golang.org/x/image/webp/decode.go
+++ b/vendor/golang.org/x/image/webp/decode.go
@@ -134,6 +134,12 @@ func decode(r io.Reader, configOnly bool) (image.Image, image.Config, error) {
 wantAlpha = (buf[0] & alphaBit) != 0
 widthMinusOne = uint32(buf[4]) | uint32(buf[5])<<8 | uint32(buf[6])<<16
 heightMinusOne = uint32(buf[7]) | uint32(buf[8])<<8 | uint32(buf[9])<<16
+ if uint64(widthMinusOne+1)*uint64(heightMinusOne+1) > 1<<32-1 {
+ // The product of _Canvas Width_ and _Canvas Height_ MUST be
+ // at most 2^32 - 1.
+ // https://www.rfc-editor.org/rfc/rfc9649.html#section-2.7-12
+ return nil, image.Config{}, errInvalidFormat
+ }
 if configOnly {
 if wantAlpha {
 return nil, image.Config{
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 689910f30a..02547b9a62 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -2452,7 +2452,7 @@ golang.org/x/exp/slices
 golang.org/x/exp/slog
 golang.org/x/exp/slog/internal
 golang.org/x/exp/slog/internal/buffer
-# golang.org/x/image v0.38.0
+# golang.org/x/image v0.40.0
 ## explicit; go 1.25.0
 golang.org/x/image/bmp
 golang.org/x/image/ccitt
@@ -2521,7 +2521,7 @@ golang.org/x/sys/windows/svc/mgr
 # golang.org/x/term v0.42.0
 ## explicit; go 1.25.0
 golang.org/x/term
-# golang.org/x/text v0.36.0
+# golang.org/x/text v0.37.0
 ## explicit; go 1.25.0
 golang.org/x/text/cases
 golang.org/x/text/collate