From 8a638b71aef45e16b7dcf86bd5267229d715a2e9 Mon Sep 17 00:00:00 2001
From: Cesar Talledo <cesar.talledo@docker.com>
Date: Tue, 8 Apr 2025 18:00:26 -0700
Subject: [PATCH] Prevent panic in Docker pusher.

Prevent a panic in the Docker pusher pushWriter, by checking that
the pipe is non nil before attempting to use it.

The panic was found by Moby issue #46746 (https://github.com/moby/moby/issues/46746).
With this fix the panic no longer reproduces.

Signed-off-by: Cesar Talledo <cesar.talledo@docker.com>
---
 core/remotes/docker/pusher.go | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/core/remotes/docker/pusher.go b/core/remotes/docker/pusher.go
index f994fff5a..be712a3ac 100644
--- a/core/remotes/docker/pusher.go
+++ b/core/remotes/docker/pusher.go
@@ -477,13 +477,15 @@ func (pw *pushWriter) Digest() digest.Digest {
 
 func (pw *pushWriter) Commit(ctx context.Context, size int64, expected digest.Digest, opts ...content.Opt) error {
 	// Check whether read has already thrown an error
-	if _, err := pw.pipe.Write([]byte{}); err != nil && !errors.Is(err, io.ErrClosedPipe) {
-		return fmt.Errorf("pipe error before commit: %w", err)
+	if pw.pipe != nil {
+		if _, err := pw.pipe.Write([]byte{}); err != nil && !errors.Is(err, io.ErrClosedPipe) {
+			return fmt.Errorf("pipe error before commit: %w", err)
+		}
+		if err := pw.pipe.Close(); err != nil {
+			return err
+		}
 	}
 
-	if err := pw.pipe.Close(); err != nil {
-		return err
-	}
 	// TODO: timeout waiting for response
 	var resp *http.Response
 	select {