@coderline/alphatab 1.9.0-alpha.1804 → 1.9.0-alpha.1806

package/dist/alphaTab.core.mjs

@@ -1,5 +1,5 @@
 /*!
- * alphaTab v1.9.0-alpha.1804 (develop, build 1804)
+ * alphaTab v1.9.0-alpha.1806 (develop, build 1806)
  *
  * Copyright © 2026, Daniel Kuschny and Contributors, All rights reserved.
  *
@@ -203,9 +203,9 @@ class AlphaTabError extends Error {
  * @internal
  */
 class VersionInfo {
-    static version = '1.9.0-alpha.1804';
-    static date = '2026-05-16T03:54:50.685Z';
-    static commit = '6e757c0cbec66598a7fa5327abc9d05616984486';
+    static version = '1.9.0-alpha.1806';
+    static date = '2026-05-18T04:36:35.809Z';
+    static commit = 'e926f2b6bcfbaa219a04140bf34fdd9431a6ca17';
     static print(print) {
         print(`alphaTab ${VersionInfo.version}`);
         print(`commit: ${VersionInfo.commit}`);
@@ -16001,6 +16001,68 @@ class AlphaTex1LanguageHandler {
     }
 }
 
+/**
+ * Thrown whenever we hit the end of input data unexpectedly.
+ * @public
+ */
+class EndOfReaderError extends AlphaTabError {
+    constructor() {
+        super(AlphaTabErrorType.Format, 'Unexpected end of data within reader');
+    }
+}
+/**
+ * Thrown whenever an overflow in data or buffer sizes is detected.
+ * @public
+ */
+class OverflowError extends AlphaTabError {
+    constructor(message) {
+        super(AlphaTabErrorType.Format, message);
+    }
+}
+/**
+ * An {@see IReadable} implementation throwing when the end of stream is reached guarding against
+ * corrupted or maliciously crafted files leading to endless reading
+ * @internal
+ */
+class ThrowingReadable {
+    _readable;
+    constructor(readable) {
+        this._readable = readable;
+    }
+    get position() {
+        return this._readable.position;
+    }
+    set position(value) {
+        this._readable.position = value;
+    }
+    get length() {
+        return this._readable.length;
+    }
+    reset() {
+        this._readable.reset();
+    }
+    skip(offset) {
+        this._readable.skip(offset);
+    }
+    _requireBytes(bytes) {
+        const remaining = this.length - this.position;
+        if (remaining < bytes) {
+            throw new EndOfReaderError();
+        }
+    }
+    readByte() {
+        this._requireBytes(1);
+        return this._readable.readByte();
+    }
+    read(buffer, offset, count) {
+        this._requireBytes(count);
+        return this._readable.read(buffer, offset, count);
+    }
+    readAll() {
+        return this._readable.readAll();
+    }
+}
+
 /**
  * This is the base public class for creating new song importers which
  * enable reading scores from any binary datasource
@@ -16013,7 +16075,12 @@ class ScoreImporter {
      * Initializes the importer with the given data and settings.
      */
     init(data, settings) {
-        this.data = data;
+        if (data instanceof ThrowingReadable) {
+            this.data = data;
+        }
+        else {
+            this.data = new ThrowingReadable(data);
+        }
         this.settings = settings;
         // when beginning reading a new score we reset the IDs.
         Score.resetIds();
@@ -17682,8 +17749,10 @@ class ZipEntry {
  */
 class ZipReader {
     _readable;
-    constructor(readable) {
+    _maxDecodingBufferSize;
+    constructor(readable, maxDecodingBufferSize) {
         this._readable = readable;
+        this._maxDecodingBufferSize = maxDecodingBufferSize;
     }
     read() {
         const entries = [];
@@ -17715,7 +17784,13 @@ class ZipReader {
         IOHelper.readInt32LE(readable); // crc-32
         IOHelper.readInt32LE(readable); // compressed size
         const uncompressedSize = IOHelper.readInt32LE(readable);
+        if (uncompressedSize > this._maxDecodingBufferSize) {
+            throw new OverflowError(`Zip contains files exceeding the configured maxDecodingBufferSize`);
+        }
         const fileNameLength = IOHelper.readInt16LE(readable);
+        if (fileNameLength > this._maxDecodingBufferSize) {
+            throw new OverflowError(`Zip contains file names exceeding the configured maxDecodingBufferSize`);
+        }
         const extraFieldLength = IOHelper.readInt16LE(readable);
         const fname = IOHelper.toString(IOHelper.readByteArray(readable, fileNameLength), 'utf-8');
         readable.skip(extraFieldLength);
@@ -17728,6 +17803,9 @@ class ZipReader {
             while (true) {
                 const bytes = z.readBytes(buffer, 0, buffer.length);
                 target.write(buffer, 0, bytes);
+                if (target.length > this._maxDecodingBufferSize) {
+                    throw new OverflowError(`Zip entry "${fname}" contains data exceeding the configured maxDecodingBufferSize`);
+                }
                 if (bytes < buffer.length) {
                     break;
                 }
@@ -19676,7 +19754,7 @@ class CapellaImporter extends ScoreImporter {
     }
     readScore() {
         Logger.debug(this.name, 'Loading ZIP entries');
-        const fileSystem = new ZipReader(this.data);
+        const fileSystem = new ZipReader(this.data, this.settings.importer.maxDecodingBufferSize);
         let entries;
         let xml = null;
         entries = fileSystem.read();
@@ -19806,7 +19884,7 @@ class Gp3To5Importer extends ScoreImporter {
         this._initialTempo = Automation.buildTempoAutomation(false, 0, 0, 0);
         if (this._versionNumber >= 500) {
             this.readPageSetup();
-            this._initialTempo.text = GpBinaryHelpers.gpReadStringIntByte(this.data, this.settings.importer.encoding);
+            this._initialTempo.text = GpBinaryHelpers.gpReadStringIntByte(this.data, this.settings.importer.encoding, this.settings.importer.maxDecodingBufferSize);
         }
         // tempo stuff
         this._initialTempo.value = IOHelper.readInt32LE(this.data);
@@ -19845,7 +19923,9 @@ class Gp3To5Importer extends ScoreImporter {
         }
         // contents
         this._barCount = IOHelper.readInt32LE(this.data);
+        this._ensureLoopBoundary(this._barCount, Gp3To5Importer._maxBarCount, 'bar count');
         this._trackCount = IOHelper.readInt32LE(this.data);
+        this._ensureLoopBoundary(this._trackCount, Gp3To5Importer._maxTrackCount, 'track count');
         this.readMasterBars();
         this.readTracks();
         this.readBars();
@@ -19893,35 +19973,54 @@ class Gp3To5Importer extends ScoreImporter {
         Logger.debug(this.name, `Guitar Pro version ${version} detected`);
     }
     readScoreInformation() {
-        this._score.title = GpBinaryHelpers.gpReadStringIntUnused(this.data, this.settings.importer.encoding);
-        this._score.subTitle = GpBinaryHelpers.gpReadStringIntUnused(this.data, this.settings.importer.encoding);
-        this._score.artist = GpBinaryHelpers.gpReadStringIntUnused(this.data, this.settings.importer.encoding);
-        this._score.album = GpBinaryHelpers.gpReadStringIntUnused(this.data, this.settings.importer.encoding);
-        this._score.words = GpBinaryHelpers.gpReadStringIntUnused(this.data, this.settings.importer.encoding);
+        this._score.title = GpBinaryHelpers.gpReadStringIntUnused(this.data, this.settings.importer.encoding, this.settings.importer.maxDecodingBufferSize);
+        this._score.subTitle = GpBinaryHelpers.gpReadStringIntUnused(this.data, this.settings.importer.encoding, this.settings.importer.maxDecodingBufferSize);
+        this._score.artist = GpBinaryHelpers.gpReadStringIntUnused(this.data, this.settings.importer.encoding, this.settings.importer.maxDecodingBufferSize);
+        this._score.album = GpBinaryHelpers.gpReadStringIntUnused(this.data, this.settings.importer.encoding, this.settings.importer.maxDecodingBufferSize);
+        this._score.words = GpBinaryHelpers.gpReadStringIntUnused(this.data, this.settings.importer.encoding, this.settings.importer.maxDecodingBufferSize);
         this._score.music =
             this._versionNumber >= 500
-                ? GpBinaryHelpers.gpReadStringIntUnused(this.data, this.settings.importer.encoding)
+                ? GpBinaryHelpers.gpReadStringIntUnused(this.data, this.settings.importer.encoding, this.settings.importer.maxDecodingBufferSize)
                 : this._score.words;
-        this._score.copyright = GpBinaryHelpers.gpReadStringIntUnused(this.data, this.settings.importer.encoding);
-        this._score.tab = GpBinaryHelpers.gpReadStringIntUnused(this.data, this.settings.importer.encoding);
-        this._score.instructions = GpBinaryHelpers.gpReadStringIntUnused(this.data, this.settings.importer.encoding);
+        this._score.copyright = GpBinaryHelpers.gpReadStringIntUnused(this.data, this.settings.importer.encoding, this.settings.importer.maxDecodingBufferSize);
+        this._score.tab = GpBinaryHelpers.gpReadStringIntUnused(this.data, this.settings.importer.encoding, this.settings.importer.maxDecodingBufferSize);
+        this._score.instructions = GpBinaryHelpers.gpReadStringIntUnused(this.data, this.settings.importer.encoding, this.settings.importer.maxDecodingBufferSize);
         const noticeLines = IOHelper.readInt32LE(this.data);
+        this._ensureLoopBoundary(noticeLines, Gp3To5Importer._maxNoticeLines, 'notice line count');
         let notice = '';
         for (let i = 0; i < noticeLines; i++) {
             if (i > 0) {
                 notice += '\r\n';
             }
-            notice += GpBinaryHelpers.gpReadStringIntUnused(this.data, this.settings.importer.encoding)?.toString();
+            notice += GpBinaryHelpers.gpReadStringIntUnused(this.data, this.settings.importer.encoding, this.settings.importer.maxDecodingBufferSize)?.toString();
         }
         this._score.notices = notice;
     }
+    // very generous thresholds for values which control loop boundaries
+    // prevents DoS or resource exhaustion for corrupt files or files with malicious intent
+    // not configurable, as realistically GP3-5 files will not exceed these values,
+    // I don't hink anyone is that verbose in the small GP5 box where you can add notices
+    static _maxNoticeLines = 1000;
+    // I haven't encountered such a long song in the wild. beyond 1000 bars something is clearly off
+    static _maxBarCount = 1000;
+    // I think GP5 itself limits already to ~10. 100 tracks is just unrealistic, proof me wrong
+    static _maxTrackCount = 100;
+    // nobody reallistically writes that many beats in one bar either.
+    static _maxBeatCount = 100;
+    // I think GP5 already limits this to way less, very generous to allow 4 times more than likely the UI supports
+    static _maxBendPointCount = BendPoint.MaxPosition * 4;
+    _ensureLoopBoundary(value, maximumValue, label) {
+        if (value > maximumValue) {
+            throw new OverflowError(`'${label}' with value ${value} has exceeded the internal safety threshold of ${maximumValue}`);
+        }
+    }
     readLyrics() {
         this._lyrics = [];
         this._lyricsTrack = IOHelper.readInt32LE(this.data) - 1;
         for (let i = 0; i < 5; i++) {
             const lyrics = new Lyrics();
             lyrics.startBar = IOHelper.readInt32LE(this.data) - 1;
-            lyrics.text = GpBinaryHelpers.gpReadStringInt(this.data, this.settings.importer.encoding);
+            lyrics.text = GpBinaryHelpers.gpReadStringInt(this.data, this.settings.importer.encoding, this.settings.importer.maxDecodingBufferSize);
             this._lyrics.push(lyrics);
         }
     }
@@ -19938,41 +20037,41 @@ class Gp3To5Importer extends ScoreImporter {
         ModelUtils.getOrCreateHeaderFooterStyle(this._score, ScoreSubElement.Title).isVisible =
             (flags & (0x01 << 0)) !== 0;
         ModelUtils.getOrCreateHeaderFooterStyle(this._score, ScoreSubElement.Title).template =
-            GpBinaryHelpers.gpReadStringIntByte(this.data, this.settings.importer.encoding);
+            GpBinaryHelpers.gpReadStringIntByte(this.data, this.settings.importer.encoding, this.settings.importer.maxDecodingBufferSize);
         ModelUtils.getOrCreateHeaderFooterStyle(this._score, ScoreSubElement.SubTitle).isVisible =
             (flags & (0x01 << 1)) !== 0;
         ModelUtils.getOrCreateHeaderFooterStyle(this._score, ScoreSubElement.SubTitle).template =
-            GpBinaryHelpers.gpReadStringIntByte(this.data, this.settings.importer.encoding);
+            GpBinaryHelpers.gpReadStringIntByte(this.data, this.settings.importer.encoding, this.settings.importer.maxDecodingBufferSize);
         ModelUtils.getOrCreateHeaderFooterStyle(this._score, ScoreSubElement.Artist).isVisible =
             (flags & (0x01 << 2)) !== 0;
         ModelUtils.getOrCreateHeaderFooterStyle(this._score, ScoreSubElement.Artist).template =
-            GpBinaryHelpers.gpReadStringIntByte(this.data, this.settings.importer.encoding);
+            GpBinaryHelpers.gpReadStringIntByte(this.data, this.settings.importer.encoding, this.settings.importer.maxDecodingBufferSize);
         ModelUtils.getOrCreateHeaderFooterStyle(this._score, ScoreSubElement.Album).isVisible =
             (flags & (0x01 << 3)) !== 0;
         ModelUtils.getOrCreateHeaderFooterStyle(this._score, ScoreSubElement.Album).template =
-            GpBinaryHelpers.gpReadStringIntByte(this.data, this.settings.importer.encoding);
+            GpBinaryHelpers.gpReadStringIntByte(this.data, this.settings.importer.encoding, this.settings.importer.maxDecodingBufferSize);
         ModelUtils.getOrCreateHeaderFooterStyle(this._score, ScoreSubElement.Words).isVisible =
             (flags & (0x01 << 4)) !== 0;
         ModelUtils.getOrCreateHeaderFooterStyle(this._score, ScoreSubElement.Words).template =
-            GpBinaryHelpers.gpReadStringIntByte(this.data, this.settings.importer.encoding);
+            GpBinaryHelpers.gpReadStringIntByte(this.data, this.settings.importer.encoding, this.settings.importer.maxDecodingBufferSize);
         ModelUtils.getOrCreateHeaderFooterStyle(this._score, ScoreSubElement.Music).isVisible =
             (flags & (0x01 << 5)) !== 0;
         ModelUtils.getOrCreateHeaderFooterStyle(this._score, ScoreSubElement.Music).template =
-            GpBinaryHelpers.gpReadStringIntByte(this.data, this.settings.importer.encoding);
+            GpBinaryHelpers.gpReadStringIntByte(this.data, this.settings.importer.encoding, this.settings.importer.maxDecodingBufferSize);
         ModelUtils.getOrCreateHeaderFooterStyle(this._score, ScoreSubElement.WordsAndMusic).isVisible =
             (flags & (0x01 << 6)) !== 0;
         ModelUtils.getOrCreateHeaderFooterStyle(this._score, ScoreSubElement.WordsAndMusic).template =
-            GpBinaryHelpers.gpReadStringIntByte(this.data, this.settings.importer.encoding);
+            GpBinaryHelpers.gpReadStringIntByte(this.data, this.settings.importer.encoding, this.settings.importer.maxDecodingBufferSize);
         ModelUtils.getOrCreateHeaderFooterStyle(this._score, ScoreSubElement.Copyright).isVisible =
             (flags & (0x01 << 7)) !== 0;
         ModelUtils.getOrCreateHeaderFooterStyle(this._score, ScoreSubElement.Copyright).template =
-            GpBinaryHelpers.gpReadStringIntByte(this.data, this.settings.importer.encoding);
+            GpBinaryHelpers.gpReadStringIntByte(this.data, this.settings.importer.encoding, this.settings.importer.maxDecodingBufferSize);
         ModelUtils.getOrCreateHeaderFooterStyle(this._score, ScoreSubElement.CopyrightSecondLine).isVisible =
             (flags & (0x01 << 7)) !== 0;
         ModelUtils.getOrCreateHeaderFooterStyle(this._score, ScoreSubElement.CopyrightSecondLine).template =
-            GpBinaryHelpers.gpReadStringIntByte(this.data, this.settings.importer.encoding);
+            GpBinaryHelpers.gpReadStringIntByte(this.data, this.settings.importer.encoding, this.settings.importer.maxDecodingBufferSize);
         // page number format
-        GpBinaryHelpers.gpReadStringIntByte(this.data, this.settings.importer.encoding);
+        GpBinaryHelpers.gpReadStringIntByte(this.data, this.settings.importer.encoding, this.settings.importer.maxDecodingBufferSize);
     }
     readPlaybackInfos() {
         this._playbackInfos = [];
@@ -20053,7 +20152,7 @@ class Gp3To5Importer extends ScoreImporter {
         // marker
         if ((flags & 0x20) !== 0) {
             const section = new Section();
-            section.text = GpBinaryHelpers.gpReadStringIntByte(this.data, this.settings.importer.encoding);
+            section.text = GpBinaryHelpers.gpReadStringIntByte(this.data, this.settings.importer.encoding, this.settings.importer.maxDecodingBufferSize);
             section.marker = '';
             GpBinaryHelpers.gpReadColor(this.data, false);
             newMasterBar.section = section;
@@ -20220,9 +20319,9 @@ class Gp3To5Importer extends ScoreImporter {
                 // 1 byte PRE
                 this.data.skip(4);
                 // RSE: effect name
-                GpBinaryHelpers.gpReadStringIntByte(this.data, this.settings.importer.encoding);
+                GpBinaryHelpers.gpReadStringIntByte(this.data, this.settings.importer.encoding, this.settings.importer.maxDecodingBufferSize);
                 // RSE: effect category
-                GpBinaryHelpers.gpReadStringIntByte(this.data, this.settings.importer.encoding);
+                GpBinaryHelpers.gpReadStringIntByte(this.data, this.settings.importer.encoding, this.settings.importer.maxDecodingBufferSize);
             }
         }
         else {
@@ -20279,6 +20378,7 @@ class Gp3To5Importer extends ScoreImporter {
         }
         const newVoice = new Voice$1();
         bar.addVoice(newVoice);
+        this._ensureLoopBoundary(beatCount, Gp3To5Importer._maxBeatCount, 'beat count');
         for (let i = 0; i < beatCount; i++) {
             this.readBeat(track, bar, newVoice);
         }
@@ -20357,7 +20457,7 @@ class Gp3To5Importer extends ScoreImporter {
         }
         const beatTextAsLyrics = this.settings.importer.beatTextAsLyrics && track.index !== this._lyricsTrack; // detect if not lyrics track
         if ((flags & 0x04) !== 0) {
-            const text = GpBinaryHelpers.gpReadStringIntUnused(this.data, this.settings.importer.encoding);
+            const text = GpBinaryHelpers.gpReadStringIntUnused(this.data, this.settings.importer.encoding, this.settings.importer.maxDecodingBufferSize);
             if (beatTextAsLyrics) {
                 const lyrics = new Lyrics();
                 lyrics.text = text.trim();
@@ -20532,7 +20632,7 @@ class Gp3To5Importer extends ScoreImporter {
             }
             else {
                 const strings = this._versionNumber >= 406 ? 7 : 6;
-                chord.name = GpBinaryHelpers.gpReadStringIntByte(this.data, this.settings.importer.encoding);
+                chord.name = GpBinaryHelpers.gpReadStringIntByte(this.data, this.settings.importer.encoding, this.settings.importer.maxDecodingBufferSize);
                 chord.firstFret = IOHelper.readInt32LE(this.data);
                 if (chord.firstFret > 0) {
                     for (let i = 0; i < strings; i++) {
@@ -20643,6 +20743,7 @@ class Gp3To5Importer extends ScoreImporter {
         this.data.readByte(); // type
         IOHelper.readInt32LE(this.data); // value
         const pointCount = IOHelper.readInt32LE(this.data);
+        this._ensureLoopBoundary(pointCount, Gp3To5Importer._maxBendPointCount, 'tremolo bar point count');
         if (pointCount > 0) {
             for (let i = 0; i < pointCount; i++) {
                 const point = new BendPoint(0, 0);
@@ -20702,7 +20803,7 @@ class Gp3To5Importer extends ScoreImporter {
         const phaser = IOHelper.readSInt8(this.data);
         const tremolo = IOHelper.readSInt8(this.data);
         if (this._versionNumber >= 500) {
-            tableChange.tempoName = GpBinaryHelpers.gpReadStringIntByte(this.data, this.settings.importer.encoding);
+            tableChange.tempoName = GpBinaryHelpers.gpReadStringIntByte(this.data, this.settings.importer.encoding, this.settings.importer.maxDecodingBufferSize);
         }
         tableChange.tempo = IOHelper.readInt32LE(this.data);
         // durations (in number of beats)
@@ -20746,8 +20847,8 @@ class Gp3To5Importer extends ScoreImporter {
         }
         // unknown
         if (this._versionNumber >= 510) {
-            GpBinaryHelpers.gpReadStringIntByte(this.data, this.settings.importer.encoding);
-            GpBinaryHelpers.gpReadStringIntByte(this.data, this.settings.importer.encoding);
+            GpBinaryHelpers.gpReadStringIntByte(this.data, this.settings.importer.encoding, this.settings.importer.maxDecodingBufferSize);
+            GpBinaryHelpers.gpReadStringIntByte(this.data, this.settings.importer.encoding, this.settings.importer.maxDecodingBufferSize);
         }
         if (tableChange.volume >= 0) {
             const volumeAutomation = new Automation();
@@ -20911,6 +21012,7 @@ class Gp3To5Importer extends ScoreImporter {
         this.data.readByte(); // type
         IOHelper.readInt32LE(this.data); // value
         const pointCount = IOHelper.readInt32LE(this.data);
+        this._ensureLoopBoundary(pointCount, Gp3To5Importer._maxBendPointCount, 'note bend point count');
         if (pointCount > 0) {
             for (let i = 0; i < pointCount; i++) {
                 const point = new BendPoint(0, 0);
@@ -21099,25 +21201,28 @@ class GpBinaryHelpers {
      * Skips an integer (4byte) and reads a string using
      * a bytesize
      */
-    static gpReadStringIntUnused(data, encoding) {
+    static gpReadStringIntUnused(data, encoding, maxDecodingBufferSize) {
         data.skip(4);
-        return GpBinaryHelpers.gpReadString(data, data.readByte(), encoding);
+        return GpBinaryHelpers.gpReadString(data, data.readByte(), encoding, maxDecodingBufferSize);
     }
     /**
      * Reads an integer as size, and then the string itself
      */
-    static gpReadStringInt(data, encoding) {
-        return GpBinaryHelpers.gpReadString(data, IOHelper.readInt32LE(data), encoding);
+    static gpReadStringInt(data, encoding, maxDecodingBufferSize) {
+        return GpBinaryHelpers.gpReadString(data, IOHelper.readInt32LE(data), encoding, maxDecodingBufferSize);
     }
     /**
      * Reads an integer as size, skips a byte and reads the string itself
      */
-    static gpReadStringIntByte(data, encoding) {
+    static gpReadStringIntByte(data, encoding, maxDecodingBufferSize) {
         const length = IOHelper.readInt32LE(data) - 1;
         data.readByte();
-        return GpBinaryHelpers.gpReadString(data, length, encoding);
+        return GpBinaryHelpers.gpReadString(data, length, encoding, maxDecodingBufferSize);
     }
-    static gpReadString(data, length, encoding) {
+    static gpReadString(data, length, encoding, maxDecodingBufferSize) {
+        if (length > maxDecodingBufferSize) {
+            throw new OverflowError(`Detected string exceeding maxDecodingBufferSize at offset ${data.position}`);
+        }
         const b = new Uint8Array(length);
         data.read(b, 0, b.length);
         return IOHelper.toString(b, encoding);
@@ -21251,17 +21356,17 @@ var DataType;
 class BinaryStylesheet {
     _types = new Map();
     raw = new Map();
-    constructor(data) {
+    constructor(data, maxDecodingBufferSize = 0) {
         if (data) {
-            this._read(data);
+            this._read(data, maxDecodingBufferSize);
         }
     }
-    _read(data) {
+    _read(data, maxDecodingBufferSize) {
         // BinaryStylesheet apears to be big-endien
         const readable = ByteBuffer.fromBuffer(data);
         const entryCount = IOHelper.readInt32BE(readable);
         for (let i = 0; i < entryCount; i++) {
-            const key = GpBinaryHelpers.gpReadString(readable, readable.readByte(), 'utf-8');
+            const key = GpBinaryHelpers.gpReadString(readable, readable.readByte(), 'utf-8', maxDecodingBufferSize);
             const type = readable.readByte();
             this._types.set(key, type);
             switch (type) {
@@ -21278,7 +21383,7 @@ class BinaryStylesheet {
                     this.addValue(key, fvalue);
                     break;
                 case DataType.String:
-                    const s = GpBinaryHelpers.gpReadString(readable, IOHelper.readInt16BE(readable), 'utf-8');
+                    const s = GpBinaryHelpers.gpReadString(readable, IOHelper.readInt16BE(readable), 'utf-8', maxDecodingBufferSize);
                     this.addValue(key, s);
                     break;
                 case DataType.Point:
@@ -24655,7 +24760,7 @@ class Gp7To8Importer extends ScoreImporter {
         // at first we need to load the binary file system
         // from the GPX container
         Logger.debug(this.name, 'Loading ZIP entries');
-        const fileSystem = new ZipReader(this.data);
+        const fileSystem = new ZipReader(this.data, this.settings.importer.maxDecodingBufferSize);
         let entries;
         try {
             entries = fileSystem.read();
@@ -24704,7 +24809,7 @@ class Gp7To8Importer extends ScoreImporter {
         const score = gpifParser.score;
         if (binaryStylesheetData) {
             Logger.debug(this.name, 'Start Parsing BinaryStylesheet');
-            const stylesheet = new BinaryStylesheet(binaryStylesheetData);
+            const stylesheet = new BinaryStylesheet(binaryStylesheetData, this.settings.importer.maxDecodingBufferSize);
             stylesheet.apply(score);
             Logger.debug(this.name, 'BinaryStylesheet parsed');
         }
@@ -24725,15 +24830,6 @@ class Gp7To8Importer extends ScoreImporter {
     }
 }
 
-/**
- * @internal
- */
-class EndOfReaderError extends AlphaTabError {
-    constructor() {
-        super(AlphaTabErrorType.Format, 'Unexpected end of data within reader');
-    }
-}
-
 /**
  * This utility public class allows bitwise reading of a stream
  * @internal
@@ -25079,7 +25175,7 @@ class GpxImporter extends ScoreImporter {
         const score = gpifParser.score;
         if (binaryStylesheetData) {
             Logger.debug(this.name, 'Start Parsing BinaryStylesheet');
-            const binaryStylesheet = new BinaryStylesheet(binaryStylesheetData);
+            const binaryStylesheet = new BinaryStylesheet(binaryStylesheetData, this.settings.importer.maxDecodingBufferSize);
             binaryStylesheet.apply(score);
             Logger.debug(this.name, 'BinaryStylesheet parsed');
         }
@@ -25456,7 +25552,7 @@ class MusicXmlImporter extends ScoreImporter {
         return this._score;
     }
     _extractMusicXml() {
-        const zip = new ZipReader(this.data);
+        const zip = new ZipReader(this.data, this.settings.importer.maxDecodingBufferSize);
         let entries;
         try {
             entries = zip.read();
@@ -32821,6 +32917,17 @@ class ImporterSettings {
      * ![Disabled](https://alphatab.net/img/reference/property/beattextaslyrics-disabled.png)
      */
     beatTextAsLyrics = false;
+    /**
+     * This setting controls the escape hatch for handling potentially malicous or corrupt
+     * input files. At selected spots in the codebase, we use this buffer size as maximum
+     * allowed sizes. e.g. during unzipping or decoding strings.
+     * This prevents resource exhaustion, especially when alphaTab is used on server side.
+     * Increase this buffer size if you need to handle very big files.
+     * @defaultValue `128000000`
+     * @category Core
+     * @since 1.9.0
+     */
+    maxDecodingBufferSize = 128000000;
 }
 
 /**
@@ -34146,6 +34253,7 @@ class ImporterSettingsSerializer {
         o.set("encoding", obj.encoding);
         o.set("mergepartgroupsinmusicxml", obj.mergePartGroupsInMusicXml);
         o.set("beattextaslyrics", obj.beatTextAsLyrics);
+        o.set("maxdecodingbuffersize", obj.maxDecodingBufferSize);
         return o;
     }
     static setProperty(obj, property, v) {
@@ -34159,6 +34267,9 @@ class ImporterSettingsSerializer {
             case "beattextaslyrics":
                 obj.beatTextAsLyrics = v;
                 return true;
+            case "maxdecodingbuffersize":
+                obj.maxDecodingBufferSize = v;
+                return true;
         }
         return false;
     }
@@ -34682,12 +34793,12 @@ class ScoreLoader {
         const importers = Environment.buildImporters();
         Logger.debug('ScoreLoader', `Loading score from ${data.length} bytes using ${importers.length} importers`);
         let score = null;
-        const bb = ByteBuffer.fromBuffer(data);
+        const readable = new ThrowingReadable(ByteBuffer.fromBuffer(data));
         for (const importer of importers) {
-            bb.reset();
+            readable.reset();
             try {
                 Logger.debug('ScoreLoader', `Importing using importer ${importer.name}`);
-                importer.init(bb, settings);
+                importer.init(readable, settings);
                 score = importer.readScore();
                 Logger.debug('ScoreLoader', `Score imported using ${importer.name}`);
                 break;

package/dist/alphaTab.d.ts

@@ -7272,6 +7272,14 @@ declare class ElementStyle<TSubElements extends number> {
     colors: Map<TSubElements, Color | null>;
 }
 
+/**
+ * Thrown whenever we hit the end of input data unexpectedly.
+ * @public
+ */
+declare class EndOfReaderError extends AlphaTabError {
+    constructor();
+}
+
 /**
  * Represents the end of the track indicating that no more events for this track follow.
  * @public
@@ -9645,6 +9653,17 @@ export declare class ImporterSettings {
      * ![Disabled](https://alphatab.net/img/reference/property/beattextaslyrics-disabled.png)
      */
     beatTextAsLyrics: boolean;
+    /**
+     * This setting controls the escape hatch for handling potentially malicous or corrupt
+     * input files. At selected spots in the codebase, we use this buffer size as maximum
+     * allowed sizes. e.g. during unzipping or decoding strings.
+     * This prevents resource exhaustion, especially when alphaTab is used on server side.
+     * Increase this buffer size if you need to handle very big files.
+     * @defaultValue `128000000`
+     * @category Core
+     * @since 1.9.0
+     */
+    maxDecodingBufferSize: number;
 }
 
 /**
@@ -9711,6 +9730,17 @@ declare interface ImporterSettingsJson {
      * ![Disabled](https://alphatab.net/img/reference/property/beattextaslyrics-disabled.png)
      */
     beatTextAsLyrics?: boolean;
+    /**
+     * This setting controls the escape hatch for handling potentially malicous or corrupt
+     * input files. At selected spots in the codebase, we use this buffer size as maximum
+     * allowed sizes. e.g. during unzipping or decoding strings.
+     * This prevents resource exhaustion, especially when alphaTab is used on server side.
+     * Increase this buffer size if you need to handle very big files.
+     * @defaultValue `128000000`
+     * @category Core
+     * @since 1.9.0
+     */
+    maxDecodingBufferSize?: number;
 }
 
 /**
@@ -9775,6 +9805,8 @@ export declare namespace io {
     export {
         IWriteable,
         IReadable,
+        OverflowError,
+        EndOfReaderError,
         ByteBuffer,
         IOHelper
     }
@@ -13346,6 +13378,14 @@ declare enum Ottavia {
     _15mb = 4
 }
 
+/**
+ * Thrown whenever an overflow in data or buffer sizes is detected.
+ * @public
+ */
+declare class OverflowError extends AlphaTabError {
+    constructor(message: string);
+}
+
 /**
  * Lists all types of pick strokes.
  * @public