-
Bug
-
Resolution: Fixed
-
24w11a
-
None
-
Plausible
-
Crash, Data Packs
-
Very Important
-
Platform
Summary
Three new item modifiers/loot functions, set_fireworks, set_written_book_pages, and set_writable_book_pages, all use similar formats for modifying lists. One of the mode s that can be specified is replace_selection, which further allows specifying offset and size fields. These fields are non-negative integers. Although offset is validated to never exceed the current values' size - which is at most 256 in the case of fireworks - size's value is not validated.
By specifying very high size value and non-zero offset, an integer overflow can be triggered in the code calculating the list index, causing a crash.
Note that triggering this crash requires that the list have at least one entry (explosion or page), otherwise offset fails to validate. The attached data pack first adds one explosion, then calls the problematic loot function, to trigger the crash.
Steps to Reproduce
- Add the attached data pack.
- Kill a creeper. Note: the game catches any exception caught during player action, so use lava or other non-player damages to test the crash.
Expected Result
One firework rocket drops, and the game does not crash.
Actual Result
The game crashes.
Code Analysis (24w11a)
In epn$d#a, we find this piece of code:
int k = this.offset + ((Integer)this.size.orElse(Integer.valueOf(list2.size()))).intValue(); if (k < j) builder.addAll(list.subList(k, j));
In the example data pack, offset is 1 and size is 2147483647 (Integer.MAX_VALUE). Adding that makes k -2147483648. j is the size of the current value; since k is negative, k < j is always true. This calls List#subList with a negative integer as the start index, causing a crash.