From d557ca2dfba5ffcca99ceb41b07d149f871964b5 Mon Sep 17 00:00:00 2001
From: Loki Rautio <lokirautio@gmail.com>
Date: Mon, 9 Mar 2026 04:45:14 -0500
Subject: LCEMP RCE fixes

Based on commit d017bfc30a68888bf5c79b23cf5c4f607cf828bf
---
 Minecraft.World/TextureAndGeometryPacket.cpp | 29 ++++++++++++++++++++++++++--
 1 file changed, 27 insertions(+), 2 deletions(-)

(limited to 'Minecraft.World/TextureAndGeometryPacket.cpp')

diff --git a/Minecraft.World/TextureAndGeometryPacket.cpp b/Minecraft.World/TextureAndGeometryPacket.cpp
index bf5eccdb..1c920ee7 100644
--- a/Minecraft.World/TextureAndGeometryPacket.cpp
+++ b/Minecraft.World/TextureAndGeometryPacket.cpp
@@ -121,7 +121,20 @@ void TextureAndGeometryPacket::read(DataInputStream *dis) //throws IOException
 {
 	textureName = dis->readUTF();
 	dwSkinID = static_cast<DWORD>(dis->readInt());
-	dwTextureBytes = static_cast<DWORD>(dis->readShort());
+
+    short rawTextureBytes = dis->readShort();
+    if (rawTextureBytes <= 0)
+    {
+        dwTextureBytes = 0;
+    }
+    else
+    {
+        dwTextureBytes = (DWORD)(unsigned short)rawTextureBytes;
+        if (dwTextureBytes > 65536)
+        {
+            dwTextureBytes = 0;
+        }
+    }
 
 	if(dwTextureBytes>0)
 	{
@@ -134,7 +147,19 @@ void TextureAndGeometryPacket::read(DataInputStream *dis) //throws IOException
 	}
 	uiAnimOverrideBitmask = dis->readInt();
 
-	dwBoxC = static_cast<DWORD>(dis->readShort());
+	short rawBoxC = dis->readShort();
+    if (rawBoxC <= 0)
+    {
+        dwBoxC = 0;
+    }
+    else
+    {
+        dwBoxC = (DWORD)(unsigned short)rawBoxC;
+        if (dwBoxC > 256)
+        {
+            dwBoxC = 0; // sane limit for skin boxes
+        }
+    }
 
 	if(dwBoxC>0)
 	{
-- 
cgit v1.2.3