Fixes compilation since ours was missing some revisions from LCEMP
This was referenced Mar 9, 2026
Kamenkovic pushed a commit to Kamenkovic/VSync that referenced this pull request on Mar 9, 2026
* LCEMP RCE Fixes WIP
  Based on LCEMP/LCEMP@d017bfc
* Update to LCEMP's ByteArrayIO version
  Fixes compilation since ours was missing some revisions from LCEMP
* Add additional safety checks missed in first pass
* Remove duplicate recipe count check
Description
Introduces various packet parsing safety checks based on LCEMP/LCEMP@d017bfc. Note that this RCE is due to faults in the code from 4JStudios and not due to code from LCEMP.
Changes
Root Cause
Various components do not handle improperly defined sizes/lengths properly. While most of the existing code is fairly safe (such as the ByteArrayIO classes), limits can be defined that exceed anything reasonable in malicious packets that could cause clients / servers to improperly decode / encode the data.
New Behavior
Packets with invalid length values will now silently fail rather than doing potentially unsafe, unchecked operations. Similar fixes were applied to components on the receiving end of these packets, like inventory systems.
Fix Implementation
Various maximum length checks and value maximum checks were introduced in relevant places in the code. LCEMP's ByteArrayIO related classes were also copied over since they have a few additions / improvements we didn't have.
AI Use Disclosure
No AI was used, this was manually patched in from the LCEMP commit
Note
It would be wise to have the client immediately disconnect when these protocol violations occur. Cleanup should be done soon to handle this properly (immediate disconnect, report it to console, notify player of protocol violation) rather than failing silently like this.
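The kind of maximum-length check described above, as an added example that is not code from this pull request, LCEMP or 4J Studios. The wire layout, the limits and every name (`Reader`, `parseNameList`, `kMaxItems`, `kMaxNameLen`) are hypothetical; the parser returns a distinct result for each violation so a caller could disconnect instead of failing silently.

```cpp
// Added illustration: names, wire layout and limits are hypothetical.
#include <cstddef>
#include <cstdint>
#include <string>
#include <utility>
#include <vector>

enum class ParseResult { Ok, Truncated, LengthOutOfRange };

constexpr std::size_t kMaxItems = 64;    // assumed cap on entries per packet
constexpr std::size_t kMaxNameLen = 32;  // assumed cap on bytes per entry

struct Reader {
    const std::uint8_t* p;
    std::size_t left;
    // Reads a big-endian u16; fails without advancing if fewer than 2 bytes remain.
    bool u16(std::uint16_t& out) {
        if (left < 2) return false;
        out = static_cast<std::uint16_t>((p[0] << 8) | p[1]);
        p += 2; left -= 2;
        return true;
    }
    // Copies n bytes only if the buffer really holds them.
    bool bytes(std::string& out, std::size_t n) {
        if (n > left) return false;
        out.assign(reinterpret_cast<const char*>(p), n);
        p += n; left -= n;
        return true;
    }
};

// Constructed layout: u16 count, then count x (u16 len, len bytes).
ParseResult parseNameList(const std::uint8_t* data, std::size_t size,
                          std::vector<std::string>& names) {
    Reader r{data, size};
    std::vector<std::string> parsed;
    std::uint16_t count = 0;
    if (!r.u16(count)) return ParseResult::Truncated;
    if (count > kMaxItems) return ParseResult::LengthOutOfRange;  // reject before allocating
    parsed.reserve(count);
    for (std::uint16_t i = 0; i < count; ++i) {
        std::uint16_t len = 0;
        std::string name;
        if (!r.u16(len)) return ParseResult::Truncated;
        if (len > kMaxNameLen) return ParseResult::LengthOutOfRange;  // sender-declared length is untrusted
        if (!r.bytes(name, len)) return ParseResult::Truncated;
        parsed.push_back(std::move(name));
    }
    names = std::move(parsed);  // commit only after the whole packet validated
    return ParseResult::Ok;
}
```

Because the output is committed only on `ParseResult::Ok`, a rejected packet leaves the receiving state (an inventory, in the PR's terms) untouched.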