From c1fcc374888bedee8977f99ec9baae102743feb7 Mon Sep 17 00:00:00 2001
From: Adam Hughes <9903835+tri-adam@users.noreply.github.com>
Date: Fri, 23 Aug 2024 14:52:35 +0000
Subject: [PATCH 1/2] fix: correct the range check for descriptor IDs
---
 pkg/sif/create.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/sif/create.go b/pkg/sif/create.go
index 0093f4fb..0dbe65d9 100644
--- a/pkg/sif/create.go
+++ b/pkg/sif/create.go
@@ -97,7 +97,7 @@ func (f *FileImage) writeDataObject(i int, di DescriptorInput, t time.Time) erro
 }
 // We derive the ID from i, so make sure the ID will not overflow.
- if i >= math.MaxInt32 {
+ if int64(i) >= math.MaxUint32 {
 return errObjectIDOverflow
 }
From 6f00abac8ab905a7eabafb5de22c9efffa70d442 Mon Sep 17 00:00:00 2001
From: Adam Hughes <9903835+tri-adam@users.noreply.github.com>
Date: Fri, 23 Aug 2024 15:42:48 +0000
Subject: [PATCH 2/2] fix: check descriptor capacity during SIF creation
---
 pkg/sif/create.go | 8 ++++++++
 pkg/sif/create_test.go | 7 +++++++
 2 files changed, 15 insertions(+)
diff --git a/pkg/sif/create.go b/pkg/sif/create.go
index 0dbe65d9..91dd430c 100644
--- a/pkg/sif/create.go
+++ b/pkg/sif/create.go
@@ -233,8 +233,16 @@ func OptCreateWithCloseOnUnload(b bool) CreateOpt {
 }
 }
+var errDescriptorCapacityNotSupported = errors.New("descriptor capacity not supported")
+
 // createContainer creates a new SIF container file in rw, according to opts.
 func createContainer(rw ReadWriter, co createOpts) (*FileImage, error) {
+ // The supported number of descriptors is limited by the unsigned 32-bit ID field in each
+ // rawDescriptor.
+ if co.descriptorCapacity >= math.MaxUint32 {
+ return nil, errDescriptorCapacityNotSupported
+ }
+
 rds := make([]rawDescriptor, co.descriptorCapacity)
 rdsSize := int64(binary.Size(rds))
diff --git a/pkg/sif/create_test.go b/pkg/sif/create_test.go
index c3744269..be511498 100644
--- a/pkg/sif/create_test.go
+++ b/pkg/sif/create_test.go
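Review bot: In patch 1/2, the rewritten guard in writeDataObject bounds `i` only from above, so a negative `i` still passes and would wrap when it is converted to the unsigned descriptor ID. The conversion itself and the callers are outside the hunk, so this may be unreachable in practice; if so, say that in the comment, otherwise widen the check to `if i < 0 || int64(i) >= math.MaxUint32 {`. The comment could also note that the `int64(i)` conversion is what lets the comparison against `math.MaxUint32` compile where `int` is 32 bits wide.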
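Review bot: In patch 2/2, the new check at the top of createContainer rejects only capacities at or above `math.MaxUint32`, while the value is passed unchanged to `make([]rawDescriptor, co.descriptorCapacity)` right after it; a negative capacity would panic in `make` instead of returning an error. Unless the option setter already rejects negative values (not visible here), extend the guard to `if co.descriptorCapacity < 0 || co.descriptorCapacity >= math.MaxUint32 {`. A capacity just below the limit is also still accepted and asks for a very large allocation, so the comment should say that this check protects the ID field, not memory use. createContainer continues past the end of the hunk.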
@@ -186,6 +186,13 @@ func TestCreateContainerAtPath(t *testing.T) {
 opts []CreateOpt
 wantErr error
 }{
+ {
+ name: "ErrDescriptorCapacityNotSupported",
+ opts: []CreateOpt{
+ OptCreateWithDescriptorCapacity(math.MaxUint32),
+ },
+ wantErr: errDescriptorCapacityNotSupported,
+ },
 {
 name: "ErrInsufficientCapacity",
 opts: []CreateOpt{