From d557ca2dfba5ffcca99ceb41b07d149f871964b5 Mon Sep 17 00:00:00 2001
From: Loki Rautio <lokirautio@gmail.com>
Date: Mon, 9 Mar 2026 04:45:14 -0500
Subject: LCEMP RCE fixes

Based on commit d017bfc30a68888bf5c79b23cf5c4f607cf828bf
---
 Minecraft.World/DataInputStream.cpp | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'Minecraft.World/DataInputStream.cpp')

diff --git a/Minecraft.World/DataInputStream.cpp b/Minecraft.World/DataInputStream.cpp
index 4e4f5cd1..0cd21a7e 100644
--- a/Minecraft.World/DataInputStream.cpp
+++ b/Minecraft.World/DataInputStream.cpp
@@ -303,6 +303,10 @@ wstring DataInputStream::readUTF()
 	int b = stream->read();
 	unsigned short UTFLength = static_cast<unsigned short>(((a & 0xff) << 8) | (b & 0xff));
 
+	const unsigned short MAX_UTF_LENGTH = 32767;
+    if (UTFLength > MAX_UTF_LENGTH)
+        return outputString;
+
 	//// 4J Stu - I decided while writing DataOutputStream that we didn't need to bother using the UTF8 format
 	//// used in the java libs, and just write in/out as wchar_t all the time
 
-- 
cgit v1.2.3