Skip to content

Fix server freezing with /give#6449

Merged
JRoy merged 2 commits intoEssentialsX:2.xfrom
UDPSendToFailed:2.x
Feb 28, 2026
Merged

Fix server freezing with /give#6449
JRoy merged 2 commits intoEssentialsX:2.xfrom
UDPSendToFailed:2.x

Conversation

@UDPSendToFailed
Copy link
Contributor

Information

This PR fixes a bug where anyone with access to the /give command could freeze the server.

Details

Currently, if a user has permission to spawn items with metadata, they can freeze or completely crash the server by supplying a massive integer for a book's page number (e.g., /give <player> written_book 1 page2147483647:payload).

Because there is no upper bound check in MetaItemStack.java, the internal for loop tries to allocate an ArrayList with billions of empty strings to reach that requested page index. This instantly exhausts the JVM heap and triggers an OutOfMemoryError, hard-crashing the server thread, or at least freezing it entirely for seconds.

This PR fixes the issue by introducing a hard limit of 100 pages for book metadata parsing. If the requested page exceeds this limit, the loop doesn't execute and it instead throws a newly added pageLimitExceeded translatable exception.

Environments tested:

OS: Windows 11 25H2 26200.7922

Java version: Java 21 (OpenJDK 64-Bit Server VM 21.0.10+7-LTS; Eclipse Adoptium Temurin-21.0.10+7)

Purpur version 1.21.11-2545

Demonstration:

Before:

image

After:

image

@JRoy JRoy enabled auto-merge February 28, 2026 23:01
@JRoy JRoy added this pull request to the merge queue Feb 28, 2026
Merged via the queue into EssentialsX:2.x with commit 5abe8b6 Feb 28, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants