Merged
Conversation
mdcfe
approved these changes
Feb 28, 2026
JRoy
approved these changes
Feb 28, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Information
This PR fixes a bug where anyone with access to the /give command could freeze the server.
Details
Currently, if a user has permission to spawn items with metadata, they can freeze or completely crash the server by supplying a massive integer for a book's page number (e.g.,
/give <player> written_book 1 page2147483647:payload).Because there is no upper bound check in
MetaItemStack.java, the internalforloop tries to allocate anArrayListwith billions of empty strings to reach that requested page index. This instantly exhausts the JVM heap and triggers an OutOfMemoryError, hard-crashing the server thread, or at least freezing it entirely for seconds.This PR fixes the issue by introducing a hard limit of 100 pages for book metadata parsing. If the requested page exceeds this limit, the loop doesn't execute and it instead throws a newly added
pageLimitExceededtranslatable exception.Environments tested:
OS: Windows 11 25H2 26200.7922
Java version: Java 21 (OpenJDK 64-Bit Server VM 21.0.10+7-LTS; Eclipse Adoptium Temurin-21.0.10+7)
Purpur version 1.21.11-2545
Demonstration:
Before:
After: