Describe the bug
The compressed NBT writer may output a tag which exceeds 32767 in length, causing Java's (stupidly) signed short to overflow into a negative number. The reader will then not be able to parse such a tag because the length provided is negative. The fix is to undo the overflow by converting into an unsigned integer.
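The following is an added illustration of the overflow and of the unsigned fix; it is not code from the issue or from the game's `Packet` class. It writes a 16-bit length prefix with `writeShort` and reads it back twice: once with `readShort`, which sign-extends and reproduces the "less than zero" failure, and once with `readUnsignedShort`, which recovers the intended length. The class name `TagLengthDemo`, the `MAX_TAG_LENGTH` guard and the 40000-byte payload are constructed for the example; the exception message is the one from the error log.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;

public class TagLengthDemo {
    // Largest value a 16-bit length prefix can carry. Even with the unsigned
    // fix, anything longer is silently truncated by writeShort, so the writer
    // must refuse it. (Constructed guard; the real packet code's limit, if any,
    // is not stated in the issue.)
    static final int MAX_TAG_LENGTH = 0xFFFF;

    /** Writer: 16-bit length prefix followed by the payload bytes. */
    static byte[] writeTag(byte[] payload) throws IOException {
        if (payload.length > MAX_TAG_LENGTH) {
            throw new IOException("Tag too large for 16-bit length prefix: " + payload.length);
        }
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(bos);
        out.writeShort(payload.length); // only the low 16 bits are written
        out.write(payload);
        return bos.toByteArray();
    }

    /** Broken reader: readShort() sign-extends, so lengths 32768..65535 come back negative. */
    static byte[] readTagSigned(byte[] packet) throws IOException {
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(packet));
        short length = in.readShort();
        if (length < 0) {
            throw new IOException("Received tag length is less than zero! Weird tag!");
        }
        byte[] data = new byte[length];
        in.readFully(data);
        return data;
    }

    /** Fixed reader: interpret the same 16 bits as an unsigned value (0..65535). */
    static byte[] readTagUnsigned(byte[] packet) throws IOException {
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(packet));
        // Equivalent to Short.toUnsignedInt(in.readShort()).
        int length = in.readUnsignedShort();
        byte[] data = new byte[length];
        in.readFully(data); // throws EOFException if the peer sent fewer bytes than announced
        return data;
    }

    public static void main(String[] args) throws IOException {
        // Constructed payload: longer than Short.MAX_VALUE (32767) but within 16 bits.
        byte[] payload = new byte[40000];
        byte[] packet = writeTag(payload);

        try {
            readTagSigned(packet);
        } catch (IOException e) {
            System.out.println("signed reader:   " + e.getMessage());
        }
        System.out.println("unsigned reader: " + readTagUnsigned(packet).length + " bytes");
    }
}
```

Two points the snippet makes explicit: `readUnsignedShort` (or `Short.toUnsignedInt`) is the whole reader-side fix, and it only widens the usable range to 65535 bytes, so the writer still needs its own bound check or a longer length field for tags beyond that.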
Version info
First discovered on 7.1_01, confirmed to still be an issue in bta-nightly-2024-05-31.
Error Log
java.io.IOException: Received tag length is less than zero! Weird tag!
at net.minecraft.core.net.packet.Packet.readCompressedCompoundTag(Packet.java:213)
at net.minecraft.core.net.packet.Packet21PickupSpawn.readPacketData(Packet21PickupSpawn.java:44)
at net.minecraft.core.net.packet.Packet.readPacket(Packet.java:107)
at net.minecraft.core.net.NetworkManager.readPacket(NetworkManager.java:188)
at net.minecraft.core.net.NetworkManager.access$200(NetworkManager.java:14)
at net.minecraft.core.net.NetworkManager$1.run(NetworkManager.java:63)
The fix is available on gists.
To Reproduce
No reproduction will be provided due to the possible dangerous outcomes for old versions of the game.
Expected behavior
The game keeps running as normal and no kicks caused by internal exceptions should happen.
Screenshots
Showcase of the exploit in action.