ServerboundHelloPacket DoS through public key NBT
The bug
The public key NBT data added to ServerboundHelloPacket in 22w17a allows a denial-of-service attack because it uses FriendlyByteBuf.readWithCodec(Codec) which reads the NBT data with readAnySizeNbt().
An attacker can, for example, send malicious NBT data which claims to contain a long array of size Integer.MAX_VALUE (or close to it); that array is then allocated before the server notices that the attacker's payload does not actually contain that much data.
In general it might be good to avoid mixing "safe" and "unsafe" methods in FriendlyByteBuf, and to closely review which methods the packets are using during deserialization.
Unrelated to this issue, but the StreamTagVisitor implementation in its current form without any size tracking might also be rather risky (e.g. net.minecraft.nbt.IntArrayTag.TYPE.new VariableSize() {...}.parse), but as long as you make sure it is never used in server-side packet code, that is probably not an issue.
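To make the allocate-before-validate pattern concrete, here is an added Java illustration (written for this page; it is not code from the report, the attached script, or Minecraft itself). It reads a TAG_Long_Array body in the standard NBT layout, a 4-byte big-endian signed length followed by that many 8-byte longs, once the naive way the report describes and once with the checks a bounded reader needs: a non-negative length, a length that fits the bytes actually present in the already-framed packet buffer, and a cumulative per-packet quota in the spirit of an NBT accounter. The class, method and quota names are hypothetical, and the 2 MiB quota is an assumed figure.

```java
import java.nio.ByteBuffer;

// Added illustration (not code from the report or from Minecraft): a TAG_Long_Array
// reader that validates the declared length before allocating. Class, method and
// quota names are hypothetical; the wire layout is the standard NBT one.
public final class BoundedLongArrayRead {

    // Cumulative byte quota for one packet, in the spirit of an NBT accounter.
    static final class Quota {
        private final long limit;
        private long used;
        Quota(long limit) { this.limit = limit; }
        void charge(long bytes) {
            used += bytes;
            if (used > limit) {
                throw new IllegalStateException("NBT payload exceeds quota of " + limit + " bytes");
            }
        }
    }

    // Pattern the report describes: the length is trusted and the array is allocated
    // before a single payload byte has been checked. With a length near
    // Integer.MAX_VALUE the allocation itself fails or exhausts the heap.
    static long[] readLongArrayUnbounded(ByteBuffer buf) {
        int length = buf.getInt();
        long[] out = new long[length];
        for (int i = 0; i < length; i++) {
            out[i] = buf.getLong();
        }
        return out;
    }

    // Hardened form: reject negative lengths, lengths that exceed the bytes actually
    // present in the (already fully framed) packet buffer, and lengths that would
    // push the packet past its quota. All three checks happen before allocation.
    static long[] readLongArrayBounded(ByteBuffer buf, Quota quota) {
        int length = buf.getInt();
        if (length < 0) {
            throw new IllegalArgumentException("negative long array length " + length);
        }
        long needed = (long) length * Long.BYTES;   // long math: no int overflow
        if (needed > buf.remaining()) {
            throw new IllegalArgumentException(
                "long array declares " + needed + " bytes but only " + buf.remaining() + " remain");
        }
        quota.charge(needed + Integer.BYTES);
        long[] out = new long[length];
        for (int i = 0; i < length; i++) {
            out[i] = buf.getLong();
        }
        return out;
    }

    // Constructed buffer: a declared length followed by a few zero bytes.
    static ByteBuffer lengthOnly(int declaredLength, int trailingBytes) {
        ByteBuffer b = ByteBuffer.allocate(Integer.BYTES + trailingBytes);
        b.putInt(declaredLength);
        for (int i = 0; i < trailingBytes; i++) {
            b.put((byte) 0);
        }
        b.flip();
        return b;
    }

    public static void main(String[] args) {
        Quota quota = new Quota(2L * 1024 * 1024); // assumed 2 MiB per-packet limit

        // Well-formed constructed payload: three longs, 4 + 24 bytes.
        ByteBuffer ok = ByteBuffer.allocate(Integer.BYTES + 3 * Long.BYTES);
        ok.putInt(3).putLong(1).putLong(2).putLong(3);
        ok.flip();
        System.out.println("ok: " + readLongArrayBounded(ok, quota).length + " longs");

        // Malformed constructed payload: declares ~2^31 longs but carries 8 bytes.
        // The bounded reader rejects it before allocating anything; the unbounded
        // reader is deliberately not called on it, since that is the
        // OutOfMemoryError the report describes.
        ByteBuffer malformed = lengthOnly(Integer.MAX_VALUE, Long.BYTES);
        try {
            readLongArrayBounded(malformed, quota);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The remaining-bytes check only works because the server frames each packet before decoding it, so buf.remaining() is the real size of the packet; on a raw stream that check would have to become a quota-only check. The quota is what catches the other shape of the problem, many small arrays that are each individually plausible but together exceed what a login packet should ever carry.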
Reproduction steps
- Start a server on port 25565
- Download the attached MC_251136.java

- Start the script with the protocol version used by the server, e.g. for 22w17a the protocol version is 1073741906.
The protocol version for a specific Minecraft version can be looked up on the Minecraft wiki.
java MC_251136.java <protocol-version>
(Java 11 or newer is recommended)
- Look at the log file of the server
It indicates that a java.lang.OutOfMemoryError occurred:
[Server thread/INFO]: /127.0.0.1:50257 lost connection: Internal Exception: java.lang.OutOfMemoryError: Requested array size exceeds VM limit
2022-04-30, 02:08 AM