From f33e5a69da7f5476dd5662aac25eacd8ee92ecd0 Mon Sep 17 00:00:00 2001
From: Milos Gajdos
Date: Wed, 22 Nov 2023 06:07:49 +0000
Subject: [PATCH] fix: invalid conversion when using Content-Range in client

Fixes: https://github.com/distribution/distribution/security/code-scanning/34

Signed-off-by: Milos Gajdos
---
 internal/client/transport/http_reader.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/internal/client/transport/http_reader.go b/internal/client/transport/http_reader.go
index 459cf07a..b7dba855 100644
--- a/internal/client/transport/http_reader.go
+++ b/internal/client/transport/http_reader.go
@@ -7,6 +7,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"math"
 	"net/http"
 	"regexp"
 	"strconv"
@@ -240,6 +241,9 @@ func (hrs *HTTPReadSeeker) reader() (io.Reader, error) {
 			return nil, fmt.Errorf("range in Content-Range stops before the end of the content: %s", contentRange)
 		}
 
+		if size > math.MaxInt64 {
+			return nil, fmt.Errorf("Content-Range size: %d exceeds max allowed size", size)
+		}
 		hrs.size = int64(size)
 	}
 } else if resp.StatusCode == http.StatusOK {
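Review bot: The new guard in the second hunk carries no comment saying why it exists, and its message drops the raw header value that the neighbouring error on the line above includes. `size` appears to be an unsigned value parsed from the server-supplied Content-Range header (the parse is outside the hunk), so without this check a value above MaxInt64 would wrap to a negative `hrs.size` in the `int64(size)` conversion on the following line; that is worth stating at the check, e.g. `// size is parsed from the remote Content-Range header; int64(size) would wrap negative above MaxInt64`. For consistency with the sibling error, consider `return nil, fmt.Errorf("Content-Range size %d exceeds max allowed size %d: %s", size, math.MaxInt64, contentRange)` so the offending header is visible when the failure is logged. reader() starts and ends outside the hunk.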