Merge pull request #2740 from opencloud-eu/dependabot/go_modules/golang.org/x/image-0.40.0

build(deps): bump golang.org/x/image from 0.38.0 to 0.40.0
2026-05-25 00:46:37 -04:00 · 2026-05-19 18:53:31 +02:00
parent 0601a80e19 7b1b7e883c
commit 56a65e68b9
7 changed files with 36 additions and 10 deletions
--- a/go.mod
+++ b/go.mod
@@ -104,12 +104,12 @@ require (
 	go.opentelemetry.io/otel/trace v1.43.0
 	golang.org/x/crypto v0.50.0
 	golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f
-	golang.org/x/image v0.38.0
+	golang.org/x/image v0.40.0
 	golang.org/x/net v0.53.0
 	golang.org/x/oauth2 v0.36.0
 	golang.org/x/sync v0.20.0
 	golang.org/x/term v0.42.0
-	golang.org/x/text v0.36.0
+	golang.org/x/text v0.37.0
 	google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9
 	google.golang.org/grpc v1.80.0
 	google.golang.org/protobuf v1.36.11
--- a/go.sum
+++ b/go.sum
@@ -1378,8 +1378,8 @@ golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f h1:W3F4c+6OLc6H2lb//N1q4WpJk
 golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f/go.mod h1:J1xhfL/vlindoeF/aINzNzt2Bket5bjo9sdOYzOsU80=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
-golang.org/x/image v0.38.0 h1:5l+q+Y9JDC7mBOMjo4/aPhMDcxEptsX+Tt3GgRQRPuE=
-golang.org/x/image v0.38.0/go.mod h1:/3f6vaXC+6CEanU4KJxbcUZyEePbyKbaLoDOe4ehFYY=
+golang.org/x/image v0.40.0 h1:Tw4GyDXMo+daZN1znreBRC3VayR1aLFUyUEOLUdW1a8=
+golang.org/x/image v0.40.0/go.mod h1:uIc348UZMSvS5Z65CVZ7iDPaNobNFEPeJ4kbqTOszmA=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
 golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
@@ -1584,8 +1584,8 @@ golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=
-golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164=
+golang.org/x/text v0.37.0 h1:Cqjiwd9eSg8e0QAkyCaQTNHFIIzWtidPahFWR83rTrc=
+golang.org/x/text v0.37.0/go.mod h1:a5sjxXGs9hsn/AJVwuElvCAo9v8QYLzvavO5z2PiM38=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
--- a/vendor/golang.org/x/image/font/sfnt/sfnt.go
+++ b/vendor/golang.org/x/image/font/sfnt/sfnt.go
@@ -214,8 +214,9 @@ func u32(b []byte) uint32 {
 // copying from the source to a caller-supplied buffer, and instead provide
 // direct access to the underlying []byte data.
 type source struct {
-	b []byte
-	r io.ReaderAt
+	b       []byte
+	r       io.ReaderAt
+	minSize int // r is known to contain at least minSize bytes

 	// TODO: add a caching layer, if we're using the io.ReaderAt? Note that
 	// this might make a source no longer safe to use concurrently.
@@ -255,6 +256,17 @@ func (s *source) view(buf []byte, offset, length int) ([]byte, error) {
 		return s.b[offset : offset+length], nil
 	}

+	if end := offset + length; end > s.minSize && length > 1<<20 {
+		// We're reading more than 1MiB, and we don't know whether
+		// the file contains this data. Check that the data exists
+		// before we try to allocate.
+		var oneByte [1]byte
+		if n, err := s.r.ReadAt(oneByte[:], int64(end)-1); err != nil || n != 1 {
+			return nil, errInvalidBounds
+		}
+		s.minSize = end
+	}
+
 	// Read from the io.ReaderAt.
 	if length <= cap(buf) {
 		buf = buf[:length]
--- a/vendor/golang.org/x/image/tiff/reader.go
+++ b/vendor/golang.org/x/image/tiff/reader.go
@@ -11,6 +11,7 @@ import (
 	"bytes"
 	"compress/zlib"
 	"encoding/binary"
+	"errors"
 	"fmt"
 	"image"
 	"image/color"
@@ -500,6 +501,9 @@ func newDecoder(r io.Reader) (*decoder, error) {

 	d.config.Width = int(d.firstVal(tImageWidth))
 	d.config.Height = int(d.firstVal(tImageLength))
+	if d.config.Width == 0 || d.config.Height == 0 {
+		return nil, errors.New("tiff: zero-size image")
+	}

 	if _, ok := d.features[tBitsPerSample]; !ok {
 		// Default is 1 per specification.
--- a/vendor/golang.org/x/image/tiff/writer.go
+++ b/vendor/golang.org/x/image/tiff/writer.go
@@ -292,6 +292,10 @@ type Options struct {
 func Encode(w io.Writer, m image.Image, opt *Options) error {
 	d := m.Bounds().Size()

+	if d.X == 0 || d.Y == 0 {
+		return errors.New("tiff: zero-size image")
+	}
+
 	compression := uint32(cNone)
 	predictor := false
 	if opt != nil {
--- a/vendor/golang.org/x/image/webp/decode.go
+++ b/vendor/golang.org/x/image/webp/decode.go
@@ -134,6 +134,12 @@ func decode(r io.Reader, configOnly bool) (image.Image, image.Config, error) {
 			wantAlpha = (buf[0] & alphaBit) != 0
 			widthMinusOne = uint32(buf[4]) | uint32(buf[5])<<8 | uint32(buf[6])<<16
 			heightMinusOne = uint32(buf[7]) | uint32(buf[8])<<8 | uint32(buf[9])<<16
+			if uint64(widthMinusOne+1)*uint64(heightMinusOne+1) > 1<<32-1 {
+				// The product of _Canvas Width_ and _Canvas Height_ MUST be
+				// at most 2^32 - 1.
+				// https://www.rfc-editor.org/rfc/rfc9649.html#section-2.7-12
+				return nil, image.Config{}, errInvalidFormat
+			}
 			if configOnly {
 				if wantAlpha {
 					return nil, image.Config{
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -2444,7 +2444,7 @@ golang.org/x/exp/slices
 golang.org/x/exp/slog
 golang.org/x/exp/slog/internal
 golang.org/x/exp/slog/internal/buffer
-# golang.org/x/image v0.38.0
+# golang.org/x/image v0.40.0
 ## explicit; go 1.25.0
 golang.org/x/image/bmp
 golang.org/x/image/ccitt
@@ -2513,7 +2513,7 @@ golang.org/x/sys/windows/svc/mgr
 # golang.org/x/term v0.42.0
 ## explicit; go 1.25.0
 golang.org/x/term
-# golang.org/x/text v0.36.0
+# golang.org/x/text v0.37.0
 ## explicit; go 1.25.0
 golang.org/x/text/cases
 golang.org/x/text/collate