In 1.21.6, the PaintingVariant codecs were updated to use a RegistryFixedCodec, no longer allowing inline definitions, which makes it consistent with other variant components. However, the stream codec used has not been updated and now incorrectly uses a ByteBufCodec.holder codec, which allows inline definitions to be encoded.
This results in allowing inline definitions to be sent over the network, while they are not allowed to serialise to NBT, JSON or a hashed integer, which can cause bugs. A solution is to switch to using ByteBufCodec.holderRegistry for the stream codec.
Environment
Minecraft 1.21.6-rc1
Java version: 21
OS: Arch Linux, 64 bit
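The mismatch described in the report, as an added, simplified model (not Minecraft's code and not part of the original report): a lenient network decoder accepts an inline definition that the registry-only persistent encoder later refuses, while a strict decoder rejects it at the network boundary. The class and method names, the integer wire layout and the sample registry are assumptions made for illustration.

```java
import java.util.List;

// Simplified model; names and wire layout are assumptions, not Minecraft's implementation.
public class HolderCodecMismatch {
    // A holder is either a reference into the registry or an inline (direct) definition.
    sealed interface Holder permits Reference, Direct {}
    record Reference(int registryId) implements Holder {}
    record Direct(int width, int height) implements Holder {}

    static final List<String> REGISTRY = List.of("minecraft:kebab", "minecraft:aztec"); // constructed sample

    // Lenient network decoder: tag 0 means an inline definition follows, tag n > 0 means registry id n - 1.
    static Holder decodeLenient(int[] wire) {
        if (wire[0] == 0) return new Direct(wire[1], wire[2]);
        return new Reference(wire[0] - 1);
    }

    // Strict network decoder: the value is always a registry id and is validated on arrival.
    static Holder decodeStrict(int[] wire) {
        int id = wire[0];
        if (id < 0 || id >= REGISTRY.size())
            throw new IllegalArgumentException("unknown registry id " + id);
        return new Reference(id);
    }

    // Persistent encoder: only registry references can be written out.
    static String encodePersistent(Holder h) {
        if (h instanceof Reference r) return REGISTRY.get(r.registryId());
        throw new IllegalStateException("inline definition cannot be serialised: " + h);
    }

    public static void main(String[] args) {
        int[] referencePacket = {2};     // constructed: lenient layout, registry id 1
        int[] inlinePacket = {0, 4, 4};  // constructed: lenient layout, inline 4x4 definition
        System.out.println(encodePersistent(decodeLenient(referencePacket)));
        Holder accepted = decodeLenient(inlinePacket); // accepted when the packet is decoded
        try {
            encodePersistent(accepted);                // fails later, away from the network boundary
        } catch (IllegalStateException e) {
            System.out.println("late failure: " + e.getMessage());
        }
        try {
            decodeStrict(new int[]{7});                // strict decoding cannot yield a Direct holder
        } catch (IllegalArgumentException e) {
            System.out.println("rejected at decode: " + e.getMessage());
        }
    }
}
```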
Comments 3
Hello, in vanilla gameplay, this issue is unlikely to have any impact. Modified clients, however, can send an invalid instance of the painting_variant component to the server in serverbound packets where components are sent, which the server will accept at first instance.
However, when the server later tries to serialise that component to JSON, NBT, or a different ops (using its normal codec), this will result in an error. This could potentially lead to exploits; however, I haven’t found any in my testing.
Hi there,
Thanks for taking the time to report a bug! Could you please elaborate on how this issue impacts vanilla gameplay, and provide steps to reproduce it?