GHSA-xc7j-wj36-qjfr: PocketMine-MP BookEditPacket crash when inventory slot in the packet is invalid

Summary

If a client sends a BookEditPacket with InventorySlot greater than 35, the server will crash due to an unhandled exception thrown by BaseInventory->getItem().

Details

Crashes at https://github.com/pmmp/PocketMine-MP/blob/b744e09352a714d89220719ab6948a010ac636fc/src/network/mcpe/handler/InGamePacketHandler.php#L873

PoC

Using Gophertunnel, use serverConn.WritePacket(&packet.BookEdit{InventorySlot: 36})

Impact

Server crash, all servers

Patched versions

This issue was fixed by 47f011966092f275cc1b11f8de635e89fd9651a7, and the fix was released in 5.11.2.
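
The missing check described in the Summary, as an added example that is not PocketMine-MP's code and not the contents of the fix commit. ToyInventory and both handler functions are hypothetical stand-ins, and the 36-slot size is assumed from the advisory's "greater than 35" threshold.

```php
<?php
declare(strict_types=1);

// Simplified stand-in for this example; not PocketMine-MP's inventory class.
final class ToyInventory {
    /** @param array<int, string> $slots slot index => item name */
    public function __construct(private int $size, private array $slots = []) {}

    public function slotExists(int $slot): bool {
        return $slot >= 0 && $slot < $this->size;
    }

    // Like the getItem() described in the advisory, throws on an invalid slot.
    public function getItem(int $slot): string {
        if (!$this->slotExists($slot)) {
            throw new InvalidArgumentException("Slot $slot does not exist");
        }
        return $this->slots[$slot] ?? "air";
    }
}

// Before: the slot number from the packet goes straight into getItem().
// An out-of-range value raises an exception that the handler never catches.
function handleBookEditUnchecked(ToyInventory $inv, int $packetSlot): bool {
    return $inv->getItem($packetSlot) === "writable_book";
}

// After: validate the client-supplied slot first and reject the packet
// (return false) instead of letting the exception escape the handler.
function handleBookEditChecked(ToyInventory $inv, int $packetSlot): bool {
    if (!$inv->slotExists($packetSlot)) {
        return false;
    }
    return $inv->getItem($packetSlot) === "writable_book";
}

// Constructed sample data: 36 slots (0..35) with a book in slot 3.
$inv = new ToyInventory(36, [3 => "writable_book"]);
foreach ([3, 35, 36, 255] as $slot) {
    $checked = var_export(handleBookEditChecked($inv, $slot), true);
    try {
        $unchecked = var_export(handleBookEditUnchecked($inv, $slot), true);
    } catch (InvalidArgumentException $e) {
        // Caught here only so the demo keeps running.
        $unchecked = "exception: " . $e->getMessage();
    }
    echo "slot $slot: checked=$checked unchecked=$unchecked\n";
}
```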

Package

pocketmine/pocketmine-mp (Composer)

Affected versions

< 5.11.2

Patched versions

5.11.2

References

  • GHSA-xc7j-wj36-qjfr
  • pmmp/PocketMine-MP@47f0119
  • https://github.com/pmmp/PocketMine-MP/blob/b744e09352a714d89220719ab6948a010ac636fc/src/network/mcpe/handler/InGamePacketHandler.php#L873

dktapps published to pmmp/PocketMine-MP

Mar 5, 2024

Published to the GitHub Advisory Database

Mar 6, 2024

Reviewed

Mar 6, 2024
