fix: add bounds checking to addendum layer mutations to prevent panic

[aaron-prindle]

fixes #1646

Based on PR by @Gnoale here - GoogleContainerTools/kaniko#2538. From the PR there - "It seems that the addendums slice index is incremented twice in cases there is an empty layer in the history" <-- this seems to lead to a possibly unexpected case where addendumIdx > len(addendums) which makes addendums[addendumIdx] panic

Adding context from the above issue in the description below vvv:
Currently in kaniko v1.9.2+ (which uses go-containerregistry v0.14.0+) a panic occurs when attempting to call go-containerregistry related to the code here:
https://github.com/google/go-containerregistry/blob/main/pkg/v1/mutate/mutate.go#L405

No errors using the same dockerfile with kaniko v1.9.1 which uses go-containerregistry v0.8.1-0.20220507185902-82405e5dfa82

The likely cuplrit is commit 9db616f, since the error happens in mutate.Time after trying to index the addendums slice. The PR adds an additional bounds check on addendums before mutating.

[codecov-commenter]

Codecov Report

Merging #1715 (4f13c51) into main (c3f8a49) will increase coverage by 0.00%.
The diff coverage is 100.00%.

@@           Coverage Diff           @@
##             main    #1715   +/-   ##
=======================================
  Coverage   71.96%   71.96%           
=======================================
  Files         121      121           
  Lines        9766     9768    +2     
=======================================
+ Hits         7028     7030    +2     
  Misses       2062     2062           
  Partials      676      676           

Impacted Files	Coverage Δ
pkg/v1/mutate/mutate.go	69.76% <100.00%> (+0.18%)	⬆️