From c8d95987e5459d3522b2ebacd1db74758551309c Mon Sep 17 00:00:00 2001
From: AkmalFairuz
Date: Mon, 21 Apr 2025 21:40:51 +0700
Subject: [PATCH] compression.go: prevent ZIP bomb attacks
---
 minecraft/protocol/packet/compression.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/minecraft/protocol/packet/compression.go b/minecraft/protocol/packet/compression.go
index 3a4e8a51..d30e92d8 100644
--- a/minecraft/protocol/packet/compression.go
+++ b/minecraft/protocol/packet/compression.go
@@ -56,6 +56,9 @@ var (
 }
 )
 
+// maxDecompressedLen is the maximum size of a decompressed packet.
+const maxDecompressedLen = 1024 * 1024 * 8 // 8 MB
+
 // EncodeCompression ...
 func (nopCompression) EncodeCompression() uint16 {
 return CompressionAlgorithmNone
@@ -114,7 +117,7 @@ func (flateCompression) Decompress(compressed []byte) ([]byte, error) {
 
 // Guess an uncompressed size of 2*len(compressed).
 decompressed := bytes.NewBuffer(make([]byte, 0, len(compressed)*2))
-if _, err := io.Copy(decompressed, c); err != nil {
+if _, err := io.Copy(decompressed, io.LimitReader(c, maxDecompressedLen)); err != nil {
 return nil, fmt.Errorf("decompress flate: %w", err)
 }
 return decompressed.Bytes(), nil
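Review bot: The `io.LimitReader` wrapper in `flateCompression.Decompress` truncates an oversized payload instead of rejecting it: once `maxDecompressedLen` bytes have been read it reports EOF, `io.Copy` returns a nil error, and the caller gets the first 8 MiB back as if the stream were complete. Memory is bounded, but the cut-off buffer is presumably passed on to packet decoding, and the oversized input never surfaces as an error that a caller could log or use to drop the peer. Reading one byte past the limit and comparing the copied count makes the function fail closed, as sketched below. Only the flate path is touched in this diff, so whether other `Decompress` implementations in the file need the same bound cannot be confirmed from the hunks shown. The function body begins above the hunk.

```go
	// … unchanged: code above the hunk and the buffer allocation …
	// Allow one byte past the limit so an oversized payload is detectable.
	n, err := io.Copy(decompressed, io.LimitReader(c, maxDecompressedLen+1))
	if err != nil {
		return nil, fmt.Errorf("decompress flate: %w", err)
	}
	if n > maxDecompressedLen {
		return nil, fmt.Errorf("decompress flate: decompressed size exceeds %d bytes", maxDecompressedLen)
	}
	return decompressed.Bytes(), nil
```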