Validate staticdata and object property length limits (#11511)

Some games provide users with enough freedom to create items with metadata longer than 64KB, preventing this from causing issues is on them but we'll still do the minimum not to abort the server if this happens.
2025-06-27 16:36:03 +00:00 · 2021-08-19 20:14:22 +02:00 · 2021-08-19 20:14:22 +02:00 · e7b05beb7d
commit e7b05beb7d
parent 1320c51d8e
4 changed files with 61 additions and 1 deletions
--- a/src/staticobject.cpp
+++ b/src/staticobject.cpp
@ -37,6 +37,7 @@ void StaticObject::serialize(std::ostream &os)
 	// data
 	os<<serializeString16(data);
 }
+
 void StaticObject::deSerialize(std::istream &is, u8 version)
 {
 	// type
@ -49,6 +50,29 @@ void StaticObject::deSerialize(std::istream &is, u8 version)

 void StaticObjectList::serialize(std::ostream &os)
 {
+	// Check for problems first
+	auto problematic = [] (StaticObject &obj) -> bool {
+		if (obj.data.size() > U16_MAX) {
+			errorstream << "StaticObjectList::serialize(): "
+				"object has excessive static data (" << obj.data.size() <<
+				"), deleting it." << std::endl;
+			return true;
+		}
+		return false;
+	};
+	for (auto it = m_stored.begin(); it != m_stored.end(); ) {
+		if (problematic(*it))
+			it = m_stored.erase(it);
+		else
+			it++;
+	}
+	for (auto it = m_active.begin(); it != m_active.end(); ) {
+		if (problematic(it->second))
+			it = m_active.erase(it);
+		else
+			it++;
+	}
+
 	// version
 	u8 version = 0;
 	writeU8(os, version);