From d248b6f597c9699d3db150325db4a0f16d9864cc Mon Sep 17 00:00:00 2001
From: "Arvid E. Picciani" <arvid@kraud.cloud>
Date: Wed, 13 Jul 2022 11:22:15 +0200
Subject: [PATCH] fixes #11142 missing array length check on release

---
 pkg/storage/driver/util.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/pkg/storage/driver/util.go b/pkg/storage/driver/util.go
index e5b846163cc..828f845fe47 100644
--- a/pkg/storage/driver/util.go
+++ b/pkg/storage/driver/util.go
@@ -60,6 +60,10 @@ func decodeRelease(data string) (*rspb.Release, error) {
 		return nil, err
 	}
 
+	if len(b) < 3 {
+		return nil, errors.New("too short to be a valid gzip")
+	}
+
 	// For backwards compatibility with releases that were stored before
 	// compression was introduced we skip decompression if the
 	// gzip magic header is not found