From f435ce84a28641f61ecd94b4347471aa4a64279b Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano <gscrivan@redhat.com>
Date: Fri, 15 Dec 2023 11:31:01 +0100
Subject: [PATCH] chunked: disallow both zstd:chunked and eStargz TOCs

reject a layer if it contains both a zstd:chunked and an eStargz TOC
since there are no guarantees that the two TOCs are consistent.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
---
 pkg/chunked/storage_linux.go | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/pkg/chunked/storage_linux.go b/pkg/chunked/storage_linux.go
index fe216a2fff..f278628e8f 100644
--- a/pkg/chunked/storage_linux.go
+++ b/pkg/chunked/storage_linux.go
@@ -259,10 +259,17 @@ func GetDiffer(ctx context.Context, store storage.Store, blobSize int64, annotat
 		return nil, err
 	}
 
-	if _, ok := annotations[internal.ManifestChecksumKey]; ok {
+	_, hasZstdChunkedTOC := annotations[internal.ManifestChecksumKey]
+	_, hasEstargzTOC := annotations[estargz.TOCJSONDigestAnnotation]
+
+	if hasZstdChunkedTOC && hasEstargzTOC {
+		return nil, errors.New("both zstd:chunked and eStargz TOC found")
+	}
+
+	if hasZstdChunkedTOC {
 		return makeZstdChunkedDiffer(ctx, store, blobSize, annotations, iss, &storeOpts)
 	}
-	if _, ok := annotations[estargz.TOCJSONDigestAnnotation]; ok {
+	if hasEstargzTOC {
 		return makeEstargzChunkedDiffer(ctx, store, blobSize, annotations, iss, &storeOpts)
 	}