From 9d13b4d211eba11c14998dfd33419f82cb45519e Mon Sep 17 00:00:00 2001
From: Adam Hughes <9903835+tri-adam@users.noreply.github.com>
Date: Fri, 23 Aug 2024 15:42:48 +0000
Subject: [PATCH] fix: check descriptor capacity during SIF creation

---
 pkg/sif/create.go      | 8 ++++++++
 pkg/sif/create_test.go | 7 +++++++
 2 files changed, 15 insertions(+)

diff --git a/pkg/sif/create.go b/pkg/sif/create.go
index f50b5751..b4a9c249 100644
--- a/pkg/sif/create.go
+++ b/pkg/sif/create.go
@@ -233,8 +233,16 @@ func OptCreateWithCloseOnUnload(b bool) CreateOpt {
 	}
 }
 
+var errDescriptorCapacityNotSupported = errors.New("descriptor capacity not supported")
+
 // createContainer creates a new SIF container file in rw, according to opts.
 func createContainer(rw ReadWriter, co createOpts) (*FileImage, error) {
+	// The supported number of descriptors is limited by the unsigned 32-bit ID field in each
+	// rawDescriptor.
+	if co.descriptorCapacity >= math.MaxUint32 {
+		return nil, errDescriptorCapacityNotSupported
+	}
+
 	rds := make([]rawDescriptor, co.descriptorCapacity)
 	rdsSize := int64(binary.Size(rds))
 
diff --git a/pkg/sif/create_test.go b/pkg/sif/create_test.go
index c3744269..be511498 100644
--- a/pkg/sif/create_test.go
+++ b/pkg/sif/create_test.go
@@ -186,6 +186,13 @@ func TestCreateContainerAtPath(t *testing.T) {
 		opts    []CreateOpt
 		wantErr error
 	}{
+		{
+			name: "ErrDescriptorCapacityNotSupported",
+			opts: []CreateOpt{
+				OptCreateWithDescriptorCapacity(math.MaxUint32),
+			},
+			wantErr: errDescriptorCapacityNotSupported,
+		},
 		{
 			name: "ErrInsufficientCapacity",
 			opts: []CreateOpt{