fix: add proper error handling for file stream reads in DLL validation

jbrinkman · jbrinkman · commit 665e8767fb1a · 2025-07-23T17:44:47.000-04:00
Signed-off-by: jbrinkman &lt;joe.brinkman@improving.com&gt;
diff --git a/src/DotNetApiDiff/AssemblyLoading/AssemblyLoader.cs b/src/DotNetApiDiff/AssemblyLoading/AssemblyLoader.cs
@@ -262,7 +262,11 @@ private bool IsProbablyNativeDll(string filePath)
                 }
 
                 byte[] buffer = new byte[2];
-                fileStream.Read(buffer, 0, 2);
+                int bytesRead = fileStream.Read(buffer, 0, 2);
+                if (bytesRead < 2)
+                {
+                    return false; // Not enough bytes to determine if it's a DLL
+                }
 
                 // Check for the MZ header (0x4D, 0x5A)
                 if (buffer[0] != 0x4D || buffer[1] != 0x5A)
@@ -275,15 +279,25 @@ private bool IsProbablyNativeDll(string filePath)
 
                 // Read the PE header offset
                 byte[] offsetBuffer = new byte[4];
-                fileStream.Read(offsetBuffer, 0, 4);
+                bytesRead = 0;
+                bytesRead = fileStream.Read(offsetBuffer, 0, 4);
+                if (bytesRead < 4)
+                {
+                    return false; // Not enough bytes to determine if it's a DLL
+                }
                 int peOffset = BitConverter.ToInt32(offsetBuffer, 0);
 
                 // Seek to the PE header
                 fileStream.Seek(peOffset, SeekOrigin.Begin);
 
                 // Read the PE signature
                 byte[] peBuffer = new byte[4];
-                fileStream.Read(peBuffer, 0, 4);
+                bytesRead = 0;
+                bytesRead = fileStream.Read(peBuffer, 0, 4);
+                if (bytesRead < 4)
+                {
+                    return false; // Not enough bytes to determine if it's a DLL
+                }
 
                 // Check for PE signature "PE\0\0"
                 if (peBuffer[0] != 0x50 || peBuffer[1] != 0x45 || peBuffer[2] != 0 || peBuffer[3] != 0)
diff --git a/src/DotNetApiDiff/Commands/CompareCommand.cs b/src/DotNetApiDiff/Commands/CompareCommand.cs
@@ -1,6 +1,4 @@
 // Copyright DotNet API Diff Project Contributors - SPDX Identifier: MIT
-using System.Reflection;
-using DotNetApiDiff.ExitCodes;
 using DotNetApiDiff.Interfaces;
 using DotNetApiDiff.Models;
 using DotNetApiDiff.Models.Configuration;
@@ -10,6 +8,7 @@
 using Spectre.Console.Cli;
 using System.ComponentModel;
 using System.Diagnostics.CodeAnalysis;
+using System.Reflection;
 
 namespace DotNetApiDiff.Commands;
 
