Mojira Archive
MC-269334

Repair cost integer overflow when combining items causes NBT serialization crash

Repair cost is validated to be a non-negative integer. However, calculation in the anvil for specially-crafted stacks will ignore the maximum value of repair cost, resulting in it becoming a negative value in memory. When the world is saved, the codec will throw an exception due to the value in memory not passing validation, and the chunk will fail to save or the game will crash.

This crash can likely only be produced in creative mode, as other gamemodes would run into 'too expensive' restrictions. However, a creative mode player only needs to use commands, send a creative inventory action packet, or combine 32 enchanted books to reproduce the issue.

Reproduction steps

To reproduce this issue:

1. Give yourself 2 enchanted books with a value whose double + 1 would overflow: /give @s minecraft:enchanted_book[minecraft:stored_enchantments={efficiency:1},minecraft:repair_cost=2147483647] 2
2. Place these 2 enchanted books into the slots of an anvil.
3. Type a letter in the anvil name input. (I think being unable to take out the result directly is a result of this bug.)
4. Take out the result stack.
5. Save the game, such as by pausing the game.

Code analysis (Yarn mappings)

The anvil screen handler in the AnvilScreenHandler#updateResult method sets the repair cost to a value that is prone to overflowing (as calculated by iterative calls to the AnvilScreenHandler.getNextCost method), resulting in an invalid value for the repair cost component's codec. A suggested fix would be to perform arithmetic that caps at the maximum integer or to discard the operation if the repair cost would become invalid.

Note that because grindstones use similar code (see the GrindstoneScreenHandler#grind method), this issue can theoretically happen with them too. However, because there are only 2 curse enchantments rather than 32, the repair cost calculation will never overflow. I would still recommend a fix for modded environments/if more curses are added.
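
The overflow described above and the two suggested fixes (capping at the maximum integer, or discarding the operation), as an added Java example that is not Mojang's code or part of the original report. The class and method names are hypothetical; the double-plus-one formula comes from the reproduction steps, and passesCodec is a stand-in for the codec's non-negative check.

```java
import java.util.OptionalInt;

public class RepairCostOverflow {
    // Formula from the report: double the cost and add one.
    // Plain int arithmetic wraps silently on overflow.
    static int nextCostWrapping(int cost) {
        return cost * 2 + 1;
    }

    // Fix option 1: compute in long, then cap at Integer.MAX_VALUE.
    static int nextCostSaturating(int cost) {
        return (int) Math.min((long) cost * 2L + 1L, (long) Integer.MAX_VALUE);
    }

    // Fix option 2: detect the overflow so the caller can discard the operation.
    static OptionalInt nextCostChecked(int cost) {
        try {
            return OptionalInt.of(Math.addExact(Math.multiplyExact(cost, 2), 1));
        } catch (ArithmeticException overflow) {
            return OptionalInt.empty();
        }
    }

    // Stand-in (assumption) for the codec validation that rejects negative values.
    static boolean passesCodec(int cost) {
        return cost >= 0;
    }

    // Number of repeated applications, starting from 0, until the wrapping
    // version first produces a value the codec would reject.
    static int stepsUntilInvalid() {
        int cost = 0;
        int steps = 0;
        while (passesCodec(cost)) {
            cost = nextCostWrapping(cost);
            steps++;
        }
        return steps;
    }

    public static void main(String[] args) {
        int max = Integer.MAX_VALUE; // the repair_cost used in the reproduction steps
        System.out.println("wrapping:   " + nextCostWrapping(max)
                + " (passes codec: " + passesCodec(nextCostWrapping(max)) + ")");
        System.out.println("saturating: " + nextCostSaturating(max)
                + " (passes codec: " + passesCodec(nextCostSaturating(max)) + ")");
        System.out.println("checked:    " + nextCostChecked(max));
        System.out.println("steps from 0 until invalid: " + stepsUntilInvalid());
    }
}
```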

Exception trace

The crash is as follows (from 24w10a):

Encountered an unexpected exception
y: Saving entity NBT
	at bqa.f(SourceFile:1871)
	at gpv.b(SourceFile:26)
	at atr.h(SourceFile:701)
	at net.minecraft.server.MinecraftServer.b(SourceFile:569)
	at gpw.b(SourceFile:317)
	at gpw.a(SourceFile:95)
	at net.minecraft.server.MinecraftServer.y(SourceFile:687)
	at net.minecraft.server.MinecraftServer.a(SourceFile:272)
	at java.base/java.lang.Thread.run(Thread.java:833)
Caused by: java.lang.IllegalStateException: Value must be non-negative: -1
	at ac.a(SourceFile:1050)
	at crs.b(SourceFile:342)
	at cjz.a(SourceFile:415)
	at cka.b(SourceFile:882)
	at apv.b(SourceFile:390)
	at bqa.f(SourceFile:1853)
	... 8 more

Fixed

haykam

[Mojang] slicedlime

2024-03-14, 01:50 AM

2024-03-20, 02:05 PM

2024-03-20, 02:05 PM

0

0

Plausible

Very Important

Platform

Crash

24w10a, 24w11a

24w12a