From 1c3637de4f595e8d159d814701bf4083f1fcdacb Mon Sep 17 00:00:00 2001
From: kaizenman <15638776+kaizenman@users.noreply.github.com>
Date: Sat, 25 Apr 2026 00:21:35 +0200
Subject: [PATCH] fix(importer): cap chord name read at field width in GP3-5
 binary parser
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

GpBinaryHelpers.gpReadStringByteLength interpreted the length-hint byte
as the actual read count, advancing the stream by stringLength + 1
bytes. The field is fixed-width (length + 1 bytes) and the hint is just
how many of those bytes are the active string — Guitar Pro itself,
PyGuitarPro and TuxGuitar all read this way. When stringLength exceeds
the field width (real-world GP5 chord names where Guitar Pro stored a
hint of 32 in a 22-byte field) AlphaTab over-consumed the stream,
mis-aligned the parse, and eventually attempted an unbounded readBend
loop on garbage bytes — practical DoS against any page running AlphaTab.

Read a fixed-width field (length + 1 bytes) and decode up to
min(stringLength, length) bytes, matching the reference parsers.
The buffer is also explicitly sized down before passing to
IOHelper.toString since TextDecoder.decode(arr.buffer) ignores
TypedArray byte offsets.

The fixture test-data/guitarpro5/chord-name-overflow.gp5 has a chord
diagram with a 32-byte name hint in a 22-byte field that previously
triggered the runaway loop. Two regression tests:
  - end-to-end: file parses cleanly with expected track/measure counts
  - synthetic: gpReadStringByteLength stops at field width, leaving
    the stream pointer at length + 1 bytes regardless of the hint
---
 .../alphatab/src/importer/Gp3To5Importer.ts   |  13 +++++----
 .../guitarpro5/chord-name-overflow.gp5        | Bin 0 -> 19548 bytes
 .../test/importer/Gp5Importer.test.ts         |  26 ++++++++++++++++++
 3 files changed, 34 insertions(+), 5 deletions(-)
 create mode 100755 packages/alphatab/test-data/guitarpro5/chord-name-overflow.gp5

diff --git a/packages/alphatab/src/importer/Gp3To5Importer.ts b/packages/alphatab/src/importer/Gp3To5Importer.ts
index cc74873be..54d828eda 100644
--- a/packages/alphatab/src/importer/Gp3To5Importer.ts
+++ b/packages/alphatab/src/importer/Gp3To5Importer.ts
@@ -1571,12 +1571,15 @@ export class GpBinaryHelpers {
      * @returns
      */
     public static gpReadStringByteLength(data: IReadable, length: number, encoding: string): string {
+        // Fixed-width string field: 1 length byte + `length` data bytes, decoded
+        // up to min(stringLength, length). Always consumes 1 + length bytes.
         const stringLength: number = data.readByte();
-        const s: string = GpBinaryHelpers.gpReadString(data, stringLength, encoding);
-        if (stringLength < length) {
-            data.skip(length - stringLength);
-        }
-        return s;
+        const fieldBytes: Uint8Array = new Uint8Array(length);
+        data.read(fieldBytes, 0, length);
+        const effectiveLength: number = Math.max(0, Math.min(stringLength, length));
+        const decoded: Uint8Array = new Uint8Array(effectiveLength);
+        decoded.set(fieldBytes.subarray(0, effectiveLength));
+        return IOHelper.toString(decoded, encoding);
     }
 }
 
diff --git a/packages/alphatab/test-data/guitarpro5/chord-name-overflow.gp5 b/packages/alphatab/test-data/guitarpro5/chord-name-overflow.gp5
new file mode 100755
index 0000000000000000000000000000000000000000..8de558027e98606d54b9a84e8dca7fd772f62cc8
GIT binary patch
literal 19548
zcmeHOUvC@75#K#h7OlvRqNauGw#K$FgA}M!)^%Y4?E@7#kyOOBD#-}aH`=;bL}^kW
zsX+P|ee2gL`qJlof_{p=y7Qa4-5uU76<M+pIJpCO+S@<#e`aUrPPabY-q_myWY=vz
z-QHi{bvwIH+*g12=yx5%*U#vFd;c(Zo4xTtK6Ilm-RGn6!NlEjyS@JKuQa^#X@B@4
zA5W&IgWUDT;~qV|%!gC=?9`1mfB%ug^2uSIPu*ZN`ul|L!x!$^@zlNS4Nu)sZ#<pQ
zI-1je*&p=Azr0C6Z*29ZJ@<Gt9Ub<^BMVxt)33Fc566A?B%gWU;dsO3*ST&~Cx1;{
zzb1%F^cTN(i@yi-_myqYeX+g2z5m%K?RPNJ-h2A7JThJF_1*pLz5TY#TmS6ir;pq3
z(YzHA9m%Er`IFs8d(!#%c+!6kVYMGW-P_)1-=UemkeMI2ILIqx#!qO*k2gj~r{n&M
z!>Ma;JlXkTcYAYdzr98y57!3+w~LX9+s!BW_^bSY)U`dF=Hp>++8+&j0~c5C<<F1D
z`N54Ph+%oB_ab-gzqEhb-f6Q$|3<xX{gnQ^3zq28ZRx4+wFJK35_om43o`f@{op(s
zS<{+~E_A*HSGPHj$S%hMjOr;Xp;y+m!01YXTfGQV^}@M}1m@M;H9?vfV4F*jUWAEy
z;oL=-c$JqXN)rT}bBVgpqBq6Gf0p;Ac|LHP$Ngz<d=}JeG}xuzAL;jye)s8jkA5H0
z4;Rc2KUkbA{{HXJADDkrJ6zblZPsWmTw82iUwYNR*5w!aNk5{->iYB1@nlL{@jdq_
z|FU;Hm}1wz8M^mJ!+aw4Z|`>OLc^@th0O4dXj|05(CiAe*afUB`hcy=gT?A5Eo>AE
zF<ll$5Lnot&dS0TEhM#KegcnSjLC(oj76>XD2#2=kkIQ1sGz+Zx9>9o#j?i}>6Mn(
zO4snkM#_>lkhJF;tA*YuI&hO*-K7Br#-hO#5uEgSP!)!?oI58B+tMFG%UBX!aYY4K
zVs@e{0*I<rpx_E*#!8B}m^IH|b~`>kXs|F$76g=NRbazJGG)?PhdLUDdkJ^x(cX`v
zgb!J;$%0WaJ}9Yz1sr%yE;H<a;N}Amz_*U)z-!24)m8;I;59V|5K$8xuqkD;kM=g9
zY62fk@f<*6G8y>LQdroMtae_A$N&M@H}*aOGk{2a4e4W<@F=$cO+gf`!oAqUi(nF@
zr!@%a*dQH&IP1DeYL}ReDD*6>VTm%YmS8s_iDpK0bC*FtqsJL)W%4y1ShMsbfheO6
zribA`gBlLuE5l*QK#olx1WAqrBEWe-ARtHd74&3xXCKMb7^xDbfF(bo0ii5_<#>^;
zd9aF2QaF>xqAo)e^^jT70D)ENQEM2s{W-yA))mRAK95h)y$IpKwLRUi6efi|s%YK*
z6A+Y9036F6HdC|`5*J3GIc!?Z1(6RNg4WPY<P$)^HE4iY3JOT|`4x&AL8Z0eCz<RP
zgAEYl09vy&D2U9KrSL=zBHr7~5p^`gW_Sof97iq8pt6u?X=4;~f!IC7Ko1<5GWQt}
ztQ1gnhNb+<JF<sZ$7qsQ7eX^8I1`0cibvj=W`lAaqe)WV;}|WmPDO{T!*P!yvX208
zRq?Y#yv|l=I>I2t6#O-`RMZIOCQ-wi+iav^IG2gtf<?z}AyAH9OfBK(b6B>@!O2HI
z<nJ8WSlt}`D%4j3c8Ax5g|m+wwaVM3E5r+VdC6ArXniCE#Bn?BnMfRj^1y?FC}Fh{
zt#zD*Ak;Qldh~KpFd3U&Ju2-0TGUL6%=6?a05R74)Bu}$G`dvg!fZ0c&?-aBwBmij
zWSA68<%EzR@MaS9p4gs+JZKxC(QnTdiIof?LF26-sjBobQEYypRVI&fiej(FF^`~w
zC;+<#q8J#uIJ>4k-BQ5B$mxKA6<A9&Hj5Mj+7cm!7H1EfPF{=YTNq_u#R`Q$=mG*-
zF^fRyb&2T?a)i7QP81vw7VW|WkZAO~Fyx5MU+II*kNYz0^<}T=FbKX?5VUO9n8rBH
z;8s9~;f6UX4Fma|5+dS6C<vLAatg?cNv0d&!zF4^X)}&w1frP9Cp7hFkwrI3NldB_
zVF83FL2{VR?lMz26Vf<m)Eq*Xm{iM_a`g9^VXv_HK^iRi`26j$<S~N%D`CmY?8;aY
zhdoP6HZaH5P&V^0n$nFp6XN8e4oZk4F(@s<z80dJV<#c9WW$^5p|hdHhh(^^C<14l
zrkr(j2qD-Dvh|0kplntQR7vAp3ND{3z2BWHyMW;q)Mt*{l9)iQpv+{clWahdI%7xA
zqt%eRhEFdO7;05-#x9d0)E@oKzW282SLlVveO!-%oN}azw-9sY4s;7+QwAjNq!0wJ
zFxF2u*_3RPqGc;fV8bjS6RlEAjr13W$wtfuZ;zOoc!TN8CEZnFN7B8~N7?x4#s-Mx
zU19EkU#p}P+4wHi5P2!bw7^Sw0K7oj6<$>K%PNsW!6Ew--DrdLH7FcNSa!<MAZV<p
zfJKJD`4WXkw3IJnjnLAi7E3fkOE9CABvgf)5IU4r%LR)diSj@KK{OyAZ(=&@r(Xn>
zBVHgGB^}|7gid@HWx5l7-BGTvlmF<hxS|3qQBF^EMF0kRMm1m41rcNxu+1`V#pQPB
z`xJNoH*TEw27^=iNQK8Rb>1ssp0M@x9rI7L9{%_GKi+%9ed<Pshwv7tE)<bqx*{C5
zMOzp1wQ)++{Q(v8>q3#=bz+);x?p*)5of6jMG`t>Z&^LU2C5T9YE!i5QwfW+*n{S6
zw5qIwI7Dj;!AtR^^olE#hop=G*lLH8-CaTC>9W%!58w?amhNoGHn?I_+M^^4)P<tD
zP~@XSIHM?&lbE0nG95BB%3~$3tP4fK$GD1BI;X`GctcL${z!#fmctCMDzz?C`>G2?
zBw2`E*|0>qx=_Ss7EXIgK+#O=LQ%?eRQQV-)CI~0-NNgY=sCV-3PA|Mb)kq<(Pf)8
z;=xKv--#M7pm87PmBxjaA7r7Zv^$C<;1ry~a@mUexP{5aZgDt|^)6OCCMk(Z27bab
z>Bcp(1yv)n(1MhQPN?d(AnzHt<x?L!XP}DZH33lB=`~j<l#+bawH?}(sDzj*veCN=
z|52h(t?G|}Y+c)-Y@2*u!V0_}PGwRbZPp(FQS>AMK|XSri;uCAKz;tbh2vN}E7?lO
zQo9@HGcp||3TfS<n5f=+;Qas-5Vmy%QFe*?BOnMUYNW31kj=2suz{haY=#HyTksJO
zlAMcv1Y}Og73uZTik<g&Mkes1Z$g!I>2stb_QrTav2)&cNarAdGN5_%`TiL?>x$DG
z{o2Z>Mc4(&0w~BQT6M*Vq*H&IBo?CLX!J!20%APmvt&cTkTALaG)W&eFZt<N6#12x
za%0)As7`x~i3ky+#${rK4@TeKI|PsM%2@I;yE2y8AkO@Lmg^hvLsNg5ncm;(FEihk
z?M*WGbfx!zPK~86@zj5Qs%^^y$>>F;)ctVu6c0%O@uL+G>Kw~QQ{MM1KIdaP8sS*X
zZ&la>>DFaT#sBBG)-swLshAG}RA971g?iy14#>tn^HjvcIscajkS9RQQo$4^LClp!
znu-utZMP6{1vixG|8vAcH!5bGxv;9hb71Utz%5-0OBM5(grX$DFqFhS=E_1B@OfTR
zm@CU5n8m_0fKMtN=OFYA;geLua~0n=RS6BmMKY_Ls%2uv_{2!6_(z;IwpK_jIINOC
RtYq)R<{}JMEsxFE`aefV4iEqU

literal 0
HcmV?d00001

diff --git a/packages/alphatab/test/importer/Gp5Importer.test.ts b/packages/alphatab/test/importer/Gp5Importer.test.ts
index 4ef957e89..0de09721b 100644
--- a/packages/alphatab/test/importer/Gp5Importer.test.ts
+++ b/packages/alphatab/test/importer/Gp5Importer.test.ts
@@ -1,4 +1,6 @@
 import { Settings } from '@coderline/alphatab/Settings';
+import { GpBinaryHelpers } from '@coderline/alphatab/importer/Gp3To5Importer';
+import { ByteBuffer } from '@coderline/alphatab/io/ByteBuffer';
 import { type Beat, BeatBeamingMode } from '@coderline/alphatab/model/Beat';
 import { Direction } from '@coderline/alphatab/model/Direction';
 import { Ottavia } from '@coderline/alphatab/model/Ottavia';
@@ -569,4 +571,28 @@ describe('Gp5ImporterTest', () => {
             }
         }
     });
+
+    it('chord-name-overflow', async () => {
+        // GP5 file with a chord name length byte that exceeds the 21-byte field
+        // (length=32). Pre-fix, gpReadStringByteLength consumed the full 32 bytes,
+        // mis-aligning the stream and triggering an unbounded readBend loop.
+        const score = (
+            await GpImporterTestHelper.prepareImporterWithFile('guitarpro5/chord-name-overflow.gp5')
+        ).readScore();
+        expect(score.tracks.length).to.equal(1);
+        expect(score.masterBars.length).to.equal(193);
+    });
+
+    it('gpReadStringByteLength caps consumption at field width', () => {
+        const sentinelByte = 0xca;
+        const fieldSize = 21;
+        const overlongHint = 32;
+        const buffer = ByteBuffer.fromBuffer(
+            new Uint8Array([overlongHint, ...new Array(fieldSize).fill(0x41), sentinelByte])
+        );
+        const result = GpBinaryHelpers.gpReadStringByteLength(buffer, fieldSize, 'utf-8');
+        expect(result).to.equal('A'.repeat(fieldSize));
+        expect(buffer.position).to.equal(1 + fieldSize);
+        expect(buffer.readByte()).to.equal(sentinelByte);
+    });
 });