Resource Pack Denial of Service
There is a null pointer dereference in one of LWJGL's native libraries. This allows an attacker to remotely crash another player's game using a malicious resource pack with a crafted OGG file.
The bug is in the stb_vorbis.c library which is used by LWJGL to load OGG files. The issue was originally discovered by JarLob on GitHub. This pull request describes the issue: https://github.com/nothings/stb/pull/1558
To trigger the bug, you need to create a crafted OGG file with a very large comment list length. This will cause the allocation to fail and the program to crash when it tries to access the pointers in the comment list.
Next, create a resource pack using this OGG file, and enable it in the game. When the sound that the OGG file is assigned to in the resource pack is played, the game will crash. This works on Minecraft versions from 1.8 through the latest, 1.20.2.
I've attached an OGG file that will trigger the bug as well as the program I used to generate it.
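The failure mode described above, from the defender's side: an added example (not code from stb_vorbis, LWJGL, or this report) of parsing a Vorbis comment list so that an oversized declared count is rejected and a failed allocation is never dereferenced. The function names, error codes, and sample buffers are assumptions made for illustration, and the input is assumed to be the comment header body after the "\x03vorbis" signature.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

enum { VC_OK = 0, VC_TRUNCATED = -1, VC_BAD_COUNT = -2, VC_NOMEM = -3 };

/* Read a little-endian u32 at *off; fails if fewer than 4 bytes remain. */
static int rd32(const uint8_t *p, size_t len, size_t *off, uint32_t *v) {
    if (len - *off < 4) return 0;
    const uint8_t *q = p + *off;
    *v = q[0] | (uint32_t)q[1] << 8 | (uint32_t)q[2] << 16 | (uint32_t)q[3] << 24;
    *off += 4;
    return 1;
}

static void vc_free(char **list, uint32_t n) {
    for (uint32_t i = 0; list && i < n; i++) free(list[i]);
    free(list);
}

/* Layout: vendor_length, vendor bytes, comment_count, then {length, bytes} each. */
int vc_parse(const uint8_t *p, size_t len, char ***out, uint32_t *count) {
    size_t off = 0; uint32_t vendor_len, n, clen;
    *out = NULL; *count = 0;
    if (!rd32(p, len, &off, &vendor_len) || vendor_len > len - off) return VC_TRUNCATED;
    off += vendor_len;
    if (!rd32(p, len, &off, &n)) return VC_TRUNCATED;
    /* Each comment costs at least 4 bytes, so the count is bounded by the input. */
    if (n > (len - off) / 4) return VC_BAD_COUNT;
    char **list = calloc(n ? n : 1, sizeof *list);
    if (!list) return VC_NOMEM;   /* never touch list[i] after a failed allocation */
    for (uint32_t i = 0; i < n; i++) {
        if (!rd32(p, len, &off, &clen) || clen > len - off) { vc_free(list, n); return VC_TRUNCATED; }
        if (!(list[i] = malloc((size_t)clen + 1))) { vc_free(list, n); return VC_NOMEM; }
        memcpy(list[i], p + off, clen);
        list[i][clen] = '\0';
        off += clen;
    }
    *out = list; *count = n;
    return VC_OK;
}
/* Constructed inputs: one well-formed header, one declaring 0xFFFFFFFF comments. */
static const uint8_t vc_good[] = {1,0,0,0,'x', 1,0,0,0, 3,0,0,0,'A','=','B'};
static const uint8_t vc_huge[] = {0,0,0,0, 0xFF,0xFF,0xFF,0xFF};

int main(void) {
    char **c; uint32_t n;
    int ok = vc_parse(vc_good, sizeof vc_good, &c, &n) == VC_OK; vc_free(c, n);
    return !(ok && vc_parse(vc_huge, sizeof vc_huge, &c, &n) == VC_BAD_COUNT);
}
```

Bounding the count by the bytes actually present rejects the oversized list before any allocation is attempted; the NULL check covers the case where a plausible count still cannot be allocated.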
Edit:
There are related bugs in stb_vorbis.c that could potentially lead to remote code execution:
2023-11-19, 12:50 PM
2024-04-11, 11:40 PM
2024-04-11, 12:56 PM