
fix: prevent DoS and resource exhaustion attacks #2703

Merged
Danielku15 merged 7 commits into develop from feature/oob-safety
May 17, 2026

@Danielku15
Member

Issues

Fixes #2677
Fixes #2678

Proposed changes

  • Limit buffer sizes during decoding (e.g. guitar pro binary strings and on zip inflation)
  • Limit GP5 loop boundaries to semantic upper-bounds
  • Fail-Fast when we hit the EOF

Checklist

  • I consent that this change becomes part of alphaTab under its current or any future open source license
  • Changes are implemented
  • New tests were added

Further details

  • This is a breaking change
  • This change will require update of the documentation/website

@Danielku15 Danielku15 self-assigned this May 17, 2026
@Danielku15 Danielku15 force-pushed the feature/oob-safety branch from 02f20a6 to 2f450e4 Compare May 17, 2026 13:16
@Danielku15 Danielku15 merged commit e926f2b into develop May 17, 2026
5 checks passed
@Danielku15 Danielku15 deleted the feature/oob-safety branch May 17, 2026 20:23
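
The bounds listed under "Proposed changes", shown as an added TypeScript example that is not alphaTab's code or part of this pull request: a count-driven loop that rejects a count above a semantic limit or larger than the remaining input, on top of a reader that throws at EOF. `BoundedReader`, `readPoints`, `MAX_POINTS` and the 8-byte point layout are assumptions made for illustration.

```typescript
// Added illustration, not alphaTab source; all names and limits are hypothetical.
const MAX_POINTS = 64; // assumed semantic upper bound for points in one effect
class BoundedReader {
  private pos = 0;
  private readonly view: DataView;
  constructor(data: Uint8Array) {
    this.view = new DataView(data.buffer, data.byteOffset, data.byteLength);
  }
  get remaining(): number { return this.view.byteLength - this.pos; }
  // Fail fast at EOF instead of returning zeros or partial data.
  readInt32LE(): number {
    if (this.remaining < 4) throw new Error("unexpected EOF");
    const v = this.view.getInt32(this.pos, true);
    this.pos += 4;
    return v;
  }
}

interface Point { offset: number; value: number }

// Count-driven loop: validate the count before allocating or iterating.
function readPoints(r: BoundedReader): Point[] {
  const count = r.readInt32LE();
  if (count < 0 || count > MAX_POINTS) {
    throw new Error(`count ${count} outside 0..${MAX_POINTS}`);
  }
  // Each point is 8 bytes in this constructed layout; check against input size too.
  if (count * 8 > r.remaining) throw new Error("count exceeds remaining input");
  const points: Point[] = [];
  for (let i = 0; i < count; i++) {
    points.push({ offset: r.readInt32LE(), value: r.readInt32LE() });
  }
  return points;
}

// Helper: pack little-endian int32 fields into a byte array.
function int32le(...values: number[]): Uint8Array {
  const out = new Uint8Array(values.length * 4);
  const view = new DataView(out.buffer);
  values.forEach((v, i) => view.setInt32(i * 4, v, true));
  return out;
}

function outcome(bytes: Uint8Array): string {
  try { return `ok:${readPoints(new BoundedReader(bytes)).length}`; }
  catch (e) { return `rejected:${(e as Error).message}`; }
}
// Constructed inputs: valid, oversized count, count larger than the data present.
const SAMPLES = [int32le(2, 0, 100, 60, 200), int32le(0x7fffffff), int32le(2, 0, 100)];
const RESULTS = SAMPLES.map(outcome);
```

The oversized count is rejected before any allocation or iteration, so the cost of a hostile file stays proportional to its actual size.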
Development

Successfully merging this pull request may close these issues.

  • Gp3To5Importer: harden remaining four count-driven loops against DoS
  • readBend/readTremoloBarEffect OOM-crash on unbounded count fields (DoS)