STB libraries are not designed for untrusted input, leading to denial of service and likely remote code execution via malicious servers and resource packs
Minecraft uses the stb_image, stb_vorbis, and stb_truetype libraries. These libraries are written in a memory-unsafe language and not (originally) intended for untrusted input. From what I can tell, only stb_image has been actively fuzzed, with only minimal security review having been performed on stb_vorbis and none on stb_truetype. stb_image is primarily recommended to be used with trusted data, while stb_truetype carries a warning: "NO SECURITY GUARANTEE – DO NOT USE THIS ON UNTRUSTED FONT FILES". It is very likely that a malicious resource pack could exploit a vulnerability in at least one of these libraries to gain code execution.
Additionally, server icons are directly passed to stb_image by the client. This makes all supported formats part of the attack surface for remote code execution. The unmodified server will re-encode images. I have made a (fairly unpolished) Quilt mod to disable this behavior. The icon will still need to be named server-icon.png, but it can be any format supported by stb_image.
Minecraft also uses LWJGL 3.3.1, which uses an outdated version of stb_image containing a number of known vulnerabilities. I have attached one of the samples from https://github.com/nothings/stb/issues/1291, which results in a SIGSEGV upon viewing the server list. I believe the same vulnerability may be able to be exploited for remote code execution; however, I have not fully investigated this possibility.
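An added example, not part of the original report and not code from Minecraft, LWJGL or stb: a C pre-check that narrows the server-icon attack surface described above to one format by accepting only a buffer that begins with a well-formed 64x64 PNG header before any stb_image call is made. The 64x64 size, the 64 KiB cap and all function names are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumptions of this example (not stated on the page): icons are 64x64, at most 64 KiB. */
#define ICON_DIM 64u
#define ICON_MAX_BYTES (64u * 1024u)

static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* CRC-32 as used by PNG chunks (bitwise, reflected polynomial, no table). */
static uint32_t png_crc(const unsigned char *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return c ^ 0xFFFFFFFFu;
}

/* Returns 1 only if buf starts like a 64x64 PNG; run this before handing buf to a decoder. */
int icon_is_expected_png(const unsigned char *buf, size_t len) {
    static const unsigned char sig[8] = {0x89, 'P', 'N', 'G', '\r', '\n', 0x1A, '\n'};
    if (buf == NULL || len < 33 || len > ICON_MAX_BYTES) return 0;
    if (memcmp(buf, sig, 8) != 0) return 0;           /* any non-PNG format stops here */
    if (be32(buf + 8) != 13) return 0;                /* IHDR data is always 13 bytes */
    if (memcmp(buf + 12, "IHDR", 4) != 0) return 0;   /* IHDR must be the first chunk */
    if (be32(buf + 16) != ICON_DIM || be32(buf + 20) != ICON_DIM) return 0;
    if (png_crc(buf + 12, 17) != be32(buf + 29)) return 0; /* CRC covers type + data */
    return 1;
}

int main(void) {
    /* Constructed sample: PNG signature + IHDR for a 64x64 RGBA image, CRC filled in below. */
    unsigned char png[33] = {0x89, 'P', 'N', 'G', '\r', '\n', 0x1A, '\n', 0, 0, 0, 13,
                             'I', 'H', 'D', 'R', 0, 0, 0, 64, 0, 0, 0, 64, 8, 6, 0, 0, 0};
    uint32_t crc = png_crc(png + 12, 17);
    for (int i = 0; i < 4; i++) png[29 + i] = (unsigned char)(crc >> (24 - 8 * i));
    unsigned char bmp[33] = {'B', 'M'};               /* constructed non-PNG header */
    printf("png=%d bmp=%d\n", icon_is_expected_png(png, sizeof png),
           icon_is_expected_png(bmp, sizeof bmp));
    return 0;
}
```

This gate only takes the non-PNG decoders out of reach of a remote icon; defects in the PNG path itself still call for an updated stb_image.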