DataComponentPatch unsafely allocates Reference2ObjectArrayMap on deserialization
Currently, Minecraft does not safely check the size of i / j when deserializing a DataComponentPatch. This allows malicious clients to send large var ints, which causes an OOME due to the huge allocation.

    public static final StreamCodec<RegistryFriendlyByteBuf, DataComponentPatch> STREAM_CODEC = new StreamCodec<RegistryFriendlyByteBuf, DataComponentPatch>() {
        public DataComponentPatch decode(RegistryFriendlyByteBuf registryfriendlybytebuf) {
            int i = registryfriendlybytebuf.readVarInt(); // HERE
            int j = registryfriendlybytebuf.readVarInt(); // HERE
            if (i == 0 && j == 0) {
                return DataComponentPatch.EMPTY;
            } else {
                Reference2ObjectMap<DataComponentType<?>, Optional<?>> reference2objectmap = new Reference2ObjectArrayMap(i + j); // explosion sounds

    [00:04:06 WARN]: java.lang.OutOfMemoryError: Java heap space
    [00:04:06 WARN]: at it.unimi.dsi.fastutil.objects.Reference2ObjectArrayMap.<init>(Reference2ObjectArrayMap.java:76)
    [00:04:06 WARN]: at net.minecraft.core.component.DataComponentPatch$1.decode(DataComponentPatch.java:74)
    [00:04:06 WARN]: at net.minecraft.core.component.DataComponentPatch$1.decode(DataComponentPatch.java:66)
    [00:04:06 WARN]: at net.minecraft.world.item.ItemStack$1.decode(ItemStack.java:167)
    [00:04:06 WARN]: at net.minecraft.world.item.ItemStack$1.decode(ItemStack.java:157)
    [00:04:06 WARN]: at net.minecraft.network.codec.ByteBufCodecs$20.decode(ByteBufCodecs.java:457)
    [00:04:06 WARN]: at net.minecraft.network.codec.ByteBufCodecs$20.decode(ByteBufCodecs.java:440)
    [00:04:06 WARN]: at net.minecraft.network.protocol.game.ServerboundContainerClickPacket.<init>(ServerboundContainerClickPacket.java:48)
    [00:04:06 WARN]: at net.minecraft.network.protocol.game.ServerboundContainerClickPacket$$Lambda/0x00000008014791c0.decode(Unknown Source)
    [00:04:06 WARN]: at net.minecraft.network.codec.StreamCodec$2.decode(StreamCodec.java:33)
    [00:04:06 WARN]: at net.minecraft.network.codec.StreamCodec$5.decode(StreamCodec.java:82)
    [00:04:06 WARN]: at net.minecraft.network.codec.StreamCodec$5.decode(StreamCodec.java:78)
    [00:04:06 WARN]: at net.minecraft.network.codec.IdDispatchCodec.decode(IdDispatchCodec.java:32)
    [00:04:06 WARN]: at net.minecraft.network.codec.IdDispatchCodec.decode(IdDispatchCodec.java:20)
    [00:04:06 WARN]: at net.minecraft.network.PacketDecoder.decode(PacketDecoder.java:25)
    [00:04:06 WARN]: at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:529)
    [00:04:06 WARN]: at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:468)
    [00:04:06 WARN]: at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290)
    [00:04:06 WARN]: at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
    [00:04:06 WARN]: at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
    [00:04:06 WARN]: at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
    [00:04:06 WARN]: at io.netty.handler.flow.FlowControlHandler.dequeue(FlowControlHandler.java:202)
    [00:04:06 WARN]: at io.netty.handler.flow.FlowControlHandler.channelRead(FlowControlHandler.java:164)
    [00:04:06 WARN]: at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:442)
    [00:04:06 WARN]: at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
    [00:04:06 WARN]: at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
    [00:04:06 WARN]: at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:346)
    [00:04:06 WARN]: at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:318)
    [00:04:06 WARN]: at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
    [00:04:06 WARN]: at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
    [00:04:06 WARN]: at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
    [00:04:06 WARN]: at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:346)
    [00:04:06 INFO]: Player355 lost connection: Internal Exception: java.lang.OutOfMemoryError: Java heap space

In this case, the item was sent inside of a ServerboundContainerClickPacket.
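
One way to bound the two counts before anything is sized from them, as an added example that is not Minecraft's code or part of the original report. It uses java.nio.ByteBuffer in place of RegistryFriendlyByteBuf; the class and method names, the MAX_ENTRIES cap and the one-byte-per-entry minimum are assumptions.

```java
import java.nio.ByteBuffer;

// Added example: standalone sketch, not Minecraft code.
public class BoundedPatchDecode {
    // Assumed cap on entries in one patch; choose a value that fits the real protocol.
    static final int MAX_ENTRIES = 1024;

    // 7-bit little-endian varint, at most 5 bytes for a 32-bit int.
    static int readVarInt(ByteBuffer buf) {
        int value = 0;
        for (int shift = 0; shift < 35; shift += 7) {
            byte b = buf.get();
            value |= (b & 0x7F) << shift;
            if ((b & 0x80) == 0) return value;
        }
        throw new IllegalArgumentException("VarInt too big");
    }

    // Reads the i / j header and validates both counts before any allocation.
    static int readEntryCount(ByteBuffer buf) {
        int added = readVarInt(buf);
        int removed = readVarInt(buf);
        if (added < 0 || removed < 0) throw new IllegalArgumentException("negative count");
        long total = (long) added + removed; // widen to long: int addition could wrap
        if (total > MAX_ENTRIES) throw new IllegalArgumentException("too many entries: " + total);
        // Assumption: every entry occupies at least one byte on the wire, so a
        // count larger than the bytes left in the packet cannot be genuine.
        if (total > buf.remaining()) throw new IllegalArgumentException("count exceeds payload");
        return (int) total; // only now is it safe to size a map from this value
    }

    public static void main(String[] args) {
        // Constructed input: two maximal 5-byte varints with no entry data behind them.
        byte[] oversized = {(byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, 0x07,
                            (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, 0x07};
        try {
            readEntryCount(ByteBuffer.wrap(oversized));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // Constructed input: 2 added + 1 removed, then three one-byte placeholder entries.
        byte[] wellFormed = {0x02, 0x01, 0x0A, 0x0B, 0x0C};
        System.out.println("accepted count: " + readEntryCount(ByteBuffer.wrap(wellFormed)));
    }
}
```

The remaining-bytes check ties the allocation to data the client has actually sent, so a ten-byte header can no longer request a multi-gigabyte array.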
2024-04-30, 04:14 AM
2024-05-06, 01:38 PM