I'm not sure there's anything to be done here that wouldn't be redundant with that. You could imagine a new Decoder type with some optional limit options, and have Decode return an error if limits are violated, I guess. That might be a little more friendly.
There is a way, once you learn the rest of the standard library. :-)
Imagine you have a streamReader which is not seekable (e.g. it's coming from the network, via an HTTP request or response or whatever). You can read the header, verify its properties, and then decode the rest of the image with the already-read header re-stitched onto the front like this: