This repository was archived by the owner on Dec 14, 2021. It is now read-only.

Commit a7c2a41

committed
Fix for CVE-2021-33790
This code will be removed and refactored in 1.17
1 parent 2d3c46b commit a7c2a41


2 files changed

+15
-11
lines changed


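--- a/build.gradle
+++ b/build.gradle
@@ -18,7 +18,7 @@ plugins {
 sourceCompatibility = 1.8
 targetCompatibility = 1.8
 
-version = "4.7.2"
+version = "4.7.3"
 group = 'RebornCore'
 
 def ENV = System.getenv()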

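--- a/src/main/java/reborncore/common/network/ExtendedPacketBuffer.java
+++ b/src/main/java/reborncore/common/network/ExtendedPacketBuffer.java
@@ -32,10 +32,12 @@
 import net.minecraft.nbt.NbtOps;
 import net.minecraft.nbt.Tag;
 import net.minecraft.network.PacketByteBuf;
+import org.apache.commons.io.serialization.ValidatingObjectInputStream;
+import reborncore.RebornCore;
 
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
-import java.io.ObjectInputStream;
+import java.io.IOException;
 import java.io.ObjectOutputStream;
 import java.math.BigInteger;
 
@@ -52,23 +54,25 @@ protected Object readObject() {
 return ObjectBufferUtils.readObject(this);
 }
 
+@Deprecated // Remove in 1.17
 public void writeBigInt(BigInteger bigInteger) {
-try {
-ByteArrayOutputStream baos = new ByteArrayOutputStream();
+try (ByteArrayOutputStream baos = new ByteArrayOutputStream()) {
 ObjectOutputStream outputStream = new ObjectOutputStream(baos);
 outputStream.writeObject(bigInteger);
 writeByteArray(baos.toByteArray());
-} catch (Exception e) {
-throw new RuntimeException("Failed to write big int");
+} catch (IOException e) {
+RebornCore.LOGGER.error(e);
 }
 }
 
-public BigInteger readBigInt() {
-try {
-ObjectInputStream inputStream = new ObjectInputStream(new ByteArrayInputStream(readByteArray()));
+@Deprecated // Remove in 1.17
+public BigInteger readBigInt(){
+try (ValidatingObjectInputStream inputStream = new ValidatingObjectInputStream(new ByteArrayInputStream(readByteArray()))) {
+inputStream.accept(BigInteger.class);
 return (BigInteger) inputStream.readObject();
-} catch (Exception e) {
-throw new RuntimeException("Failed to read big int");
+} catch (IOException | ClassNotFoundException e) {
+RebornCore.LOGGER.error(e);
+return BigInteger.ZERO;
 }
 }
 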
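Review bot: In `readBigInt` the new catch block logs the error and returns `BigInteger.ZERO`, so a payload that `ValidatingObjectInputStream` rejects looks the same as a legitimate zero and the caller carries on as if the peer had sent 0; the removed code failed closed by throwing. I would keep the allow-list but rethrow with the cause, `throw new RuntimeException("Failed to read big int", e);`, and do the same in `writeBigInt`, where swallowing the `IOException` leaves the buffer without the field the reader expects. It is also worth adding a round-trip test that `accept(BigInteger.class)` alone admits everything in BigInteger's serialized form; as far as I can tell the `java.lang.Number` superclass descriptor and the `byte[]` magnitude go through the same class-name check, and a rejection there would now show up only as a log line and a zero. The class that holds both methods starts and ends outside the hunk.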
