From 1be5faaea781402e7de06b263eeca4c688b7712c Mon Sep 17 00:00:00 2001 From: Vincent Zhang <73851560+bootsareme@users.noreply.github.com> Date: Sat, 7 Mar 2026 18:18:25 -0500 Subject: [PATCH 1/5] bugfix: Holding CTRL key resets flying acceleration (#863) --- Minecraft.Client/LocalPlayer.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Minecraft.Client/LocalPlayer.cpp b/Minecraft.Client/LocalPlayer.cpp index cfcf85acc..d743543e5 100644 --- a/Minecraft.Client/LocalPlayer.cpp +++ b/Minecraft.Client/LocalPlayer.cpp @@ -278,7 +278,7 @@ void LocalPlayer::aiStep() } if (isSneaking()) sprintTriggerTime = 0; #ifdef _WINDOWS64 - if (input->sprinting && onGround && enoughFoodToSprint && !isUsingItem() && !hasEffect(MobEffect::blindness) && !isSneaking()) + if (input->sprinting && !isSprinting() && onGround && enoughFoodToSprint && !isUsingItem() && !hasEffect(MobEffect::blindness) && !isSneaking()) { setSprinting(true); } From 126d08a6f8afe8045a8c69fcd0eb38d2f5795462 Mon Sep 17 00:00:00 2001 From: x86 <126331+x86@users.noreply.github.com> Date: Sun, 8 Mar 2026 13:02:36 +1300 Subject: [PATCH 2/5] RCE Fix #1 --- Minecraft.World/compression.cpp | 29 +++++++++++++++++++++++++---- 1 file changed, 25 insertions(+), 4 deletions(-) diff --git a/Minecraft.World/compression.cpp b/Minecraft.World/compression.cpp index 99c5228ab..7413f7f35 100644 --- a/Minecraft.World/compression.cpp +++ b/Minecraft.World/compression.cpp @@ -196,9 +196,20 @@ HRESULT Compression::DecompressLZXRLE(void *pDestination, unsigned int *pDestSiz unsigned int rleSize = staticRleSize; unsigned char *dynamicRleBuf = NULL; - if(*pDestSize > rleSize) + + unsigned int safeRleSize = max(rleSize, *pDestSize); + + const unsigned int MAX_RLE_ALLOC = 16 * 1024 * 1024; // 16 MB + if(safeRleSize > MAX_RLE_ALLOC) { - rleSize = *pDestSize; + LeaveCriticalSection(&rleDecompressLock); + *pDestSize = 0; + return E_FAIL; + } + + if(safeRleSize > staticRleSize) + { + rleSize = safeRleSize; dynamicRleBuf = new unsigned char[rleSize]; Decompress(dynamicRleBuf, &rleSize, pSource, SrcSize); pucIn = (unsigned char *)dynamicRleBuf; @@ -212,16 +223,19 @@ HRESULT Compression::DecompressLZXRLE(void *pDestination, unsigned int *pDestSiz //unsigned char *pucIn = (unsigned char *)rleDecompressBuf; unsigned char *pucEnd = pucIn + rleSize; unsigned char *pucOut = (unsigned char *)pDestination; + unsigned char *pucOutEnd = pucOut + *pDestSize; while( pucIn != pucEnd ) { unsigned char thisOne = *pucIn++; if( thisOne == 255 ) { + if( pucIn >= pucEnd ) break; unsigned int count = *pucIn++; if( count < 3 ) { count++; + if( pucOut + count > pucOutEnd ) { pucOut = pucOutEnd; break; } for( unsigned int i = 0; i < count; i++ ) { *pucOut++ = 255; @@ -230,7 +244,9 @@ HRESULT Compression::DecompressLZXRLE(void *pDestination, unsigned int *pDestSiz else { count++; + if( pucIn >= pucEnd ) break; unsigned char data = *pucIn++; + if( pucOut + count > pucOutEnd ) { pucOut = pucOutEnd; break; } for( unsigned int i = 0; i < count; i++ ) { *pucOut++ = data; @@ -239,6 +255,7 @@ HRESULT Compression::DecompressLZXRLE(void *pDestination, unsigned int *pDestSiz } else { + if( pucOut >= pucOutEnd ) break; *pucOut++ = thisOne; } } @@ -260,16 +277,19 @@ HRESULT Compression::DecompressRLE(void *pDestination, unsigned int *pDestSize, unsigned char *pucIn = (unsigned char *)pSource; unsigned char *pucEnd = pucIn + SrcSize; unsigned char *pucOut = (unsigned char *)pDestination; + unsigned char *pucOutEnd = pucOut + *pDestSize; while( pucIn != pucEnd ) { unsigned char thisOne = *pucIn++; if( thisOne == 255 ) { + if( pucIn >= pucEnd ) break; unsigned int count = *pucIn++; if( count < 3 ) { count++; + if( pucOut + count > pucOutEnd ) { pucOut = pucOutEnd; break; } for( unsigned int i = 0; i < count; i++ ) { *pucOut++ = 255; @@ -278,7 +298,9 @@ HRESULT Compression::DecompressRLE(void *pDestination, unsigned int *pDestSize, else { count++; + if( pucIn >= pucEnd ) break; unsigned char data = *pucIn++; + if( pucOut + count > pucOutEnd ) { pucOut = pucOutEnd; break; } for( unsigned int i = 0; i < count; i++ ) { *pucOut++ = data; @@ -287,6 +309,7 @@ HRESULT Compression::DecompressRLE(void *pDestination, unsigned int *pDestSize, } else { + if( pucOut >= pucOutEnd ) break; *pucOut++ = thisOne; } } @@ -542,5 +565,3 @@ void Compression::SetDecompressionType(ESavePlatform platform) } /*Compression gCompression;*/ - - From 5d63f83286dd232f5a3f2b084dd4c9e997664c81 Mon Sep 17 00:00:00 2001 From: x86 <126331+x86@users.noreply.github.com> Date: Sun, 8 Mar 2026 13:08:28 +1300 Subject: [PATCH 3/5] Rce Fix 2 --- Minecraft.World/TextureAndGeometryPacket.cpp | 23 ++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/Minecraft.World/TextureAndGeometryPacket.cpp b/Minecraft.World/TextureAndGeometryPacket.cpp index d28fc8628..8cbe8d6d7 100644 --- a/Minecraft.World/TextureAndGeometryPacket.cpp +++ b/Minecraft.World/TextureAndGeometryPacket.cpp @@ -121,7 +121,17 @@ void TextureAndGeometryPacket::read(DataInputStream *dis) //throws IOException { textureName = dis->readUTF(); dwSkinID = (DWORD)dis->readInt(); - dwTextureBytes = (DWORD)dis->readShort(); + + short rawTextureBytes = dis->readShort(); + if(rawTextureBytes <= 0) + { + dwTextureBytes = 0; + } + else + { + dwTextureBytes = (DWORD)(unsigned short)rawTextureBytes; + if(dwTextureBytes > 65536) dwTextureBytes = 0; + } if(dwTextureBytes>0) { @@ -134,7 +144,16 @@ void TextureAndGeometryPacket::read(DataInputStream *dis) //throws IOException } uiAnimOverrideBitmask = dis->readInt(); - dwBoxC = (DWORD)dis->readShort(); + short rawBoxC = dis->readShort(); + if(rawBoxC <= 0) + { + dwBoxC = 0; + } + else + { + dwBoxC = (DWORD)(unsigned short)rawBoxC; + if(dwBoxC > 256) dwBoxC = 0; // sane limit for skin boxes + } if(dwBoxC>0) { From 7e3b59305300a878bf1d676c4d749fa3050130df Mon Sep 17 00:00:00 2001 From: x86 <126331+x86@users.noreply.github.com> Date: Sun, 8 Mar 2026 13:10:17 +1300 Subject: [PATCH 4/5] Rce Fix 3 --- Minecraft.World/TexturePacket.cpp | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/Minecraft.World/TexturePacket.cpp b/Minecraft.World/TexturePacket.cpp index 77dfdc38c..a057c7173 100644 --- a/Minecraft.World/TexturePacket.cpp +++ b/Minecraft.World/TexturePacket.cpp @@ -37,16 +37,24 @@ void TexturePacket::handle(PacketListener *listener) void TexturePacket::read(DataInputStream *dis) //throws IOException { textureName = dis->readUTF(); - dwBytes = (DWORD)dis->readShort(); - - if(dwBytes>0) + short rawBytes = dis->readShort(); + if(rawBytes <= 0) + { + dwBytes = 0; + return; + } + dwBytes = (DWORD)(unsigned short)rawBytes; + if(dwBytes > 65536) { - this->pbData= new BYTE [dwBytes]; + dwBytes = 0; + return; + } + + this->pbData= new BYTE [dwBytes]; - for(DWORD i=0;ipbData[i] = dis->readByte(); - } + for(DWORD i=0;ipbData[i] = dis->readByte(); } } From dacde328c9e2668dfef4954f499b89e0564a4af2 Mon Sep 17 00:00:00 2001 From: x86 <126331+x86@users.noreply.github.com> Date: Sun, 8 Mar 2026 14:47:59 +1300 Subject: [PATCH 5/5] RCE Fix 4 --- Minecraft.World/BlockRegionUpdatePacket.cpp | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/Minecraft.World/BlockRegionUpdatePacket.cpp b/Minecraft.World/BlockRegionUpdatePacket.cpp index bec943d8d..afac43685 100644 --- a/Minecraft.World/BlockRegionUpdatePacket.cpp +++ b/Minecraft.World/BlockRegionUpdatePacket.cpp @@ -103,6 +103,12 @@ void BlockRegionUpdatePacket::read(DataInputStream *dis) //throws IOException levelIdx = ( size >> 30 ) & 3; size &= 0x3fffffff; + const int MAX_COMPRESSED_CHUNK_SIZE = 5 * 1024 * 1024; + if(size < 0 || size > MAX_COMPRESSED_CHUNK_SIZE) + { + size = 0; + } + if(size == 0) { buffer = byteArray(); @@ -131,7 +137,10 @@ void BlockRegionUpdatePacket::read(DataInputStream *dis) //throws IOException delete [] compressedBuffer.data; - assert(buffer.length == outputSize); + if(buffer.length != outputSize) + { + app.DebugPrintf("BlockRegionUpdatePacket: decompressed size mismatch (expected %d, got %d)\n", buffer.length, outputSize); + } } }