PT-2022-28200 · Unknown · Pocketmine-Mp

Published: 2022-04-05 · Updated: 2022-04-05

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: PocketMine-MP (affected versions not specified)
Description: The issue arises because LoginPacket uses BinaryStream->getLInt() to read JSON payload lengths. BinaryStream->getLInt() returns a signed integer, so a malicious client can craft a packet with a large uint32 value for the payload buffer size, which is interpreted as a negative signed int32. This causes BinaryStream->get() to throw an exception, which crashes the PocketMine-MP server.
Recommendations: For PocketMine-MP, consider registering a custom LoginPacket implementation into PacketPool that overrides the vulnerable code to patch it. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
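
The signed-length pitfall described above, shown with a validated length read. This is an added example, not PocketMine-MP's code: the DemoStream class, getLengthPrefixed() and the 1 MiB cap are hypothetical, and it assumes 64-bit PHP 8.

```php
<?php
declare(strict_types=1);

// Hypothetical minimal reader for illustration; not PocketMine-MP's BinaryStream.
final class DemoStream {
    private int $offset = 0;
    public function __construct(private string $buffer) {}

    public function remaining(): int { return strlen($this->buffer) - $this->offset; }

    // Signed little-endian int32, the interpretation the advisory describes for getLInt().
    public function getLInt(): int {
        if ($this->remaining() < 4) {
            throw new UnderflowException("need 4 bytes for length field");
        }
        $u = unpack("V", $this->buffer, $this->offset)[1]; // 0..2^32-1 on 64-bit PHP
        $this->offset += 4;
        return $u >= 0x80000000 ? $u - 0x100000000 : $u;   // fold into signed range
    }

    // Length-prefixed read that validates the length before it is used.
    public function getLengthPrefixed(int $maxLen): string {
        $len = $this->getLInt();
        if ($len < 0 || $len > $maxLen || $len > $this->remaining()) {
            throw new UnexpectedValueException("rejected length field: $len");
        }
        $data = substr($this->buffer, $this->offset, $len);
        $this->offset += $len;
        return $data;
    }
}

// Constructed inputs: a well-formed field and one whose length is 0xFFFFFFFF.
$samples = [
    "valid"     => pack("V", 2) . "{}",
    "malformed" => pack("V", 0xFFFFFFFF) . "{}",
];
foreach ($samples as $name => $bytes) {
    try {
        $json = (new DemoStream($bytes))->getLengthPrefixed(1 << 20); // assumed 1 MiB cap
        echo "$name: accepted " . strlen($json) . " bytes\n";
    } catch (UnexpectedValueException | UnderflowException $e) {
        // A packet handler would drop the packet here rather than let the exception propagate.
        echo "$name: dropped (" . $e->getMessage() . ")\n";
    }
}
```

The malformed sample decodes to a length of -1 and is rejected by the bounds check before any buffer read is attempted.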

Weakness Enumeration

Related Identifiers

GHSA-5JFW-35XP-5M42

Affected Products

Pocketmine-Mp