From 6492cac5c10f9fa8443ceddd2191a7b65b73f601 Mon Sep 17 00:00:00 2001
From: Dylan T <odigiman@gmail.com>
Date: Tue, 4 Jan 2022 20:40:55 +0000
Subject: [PATCH] Merge pull request from GHSA-c6fg-99pr-25m9

---
 src/entity/Skin.php | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/src/entity/Skin.php b/src/entity/Skin.php
index 0542bd75a..68dfd6e7b 100644
--- a/src/entity/Skin.php
+++ b/src/entity/Skin.php
@@ -24,6 +24,7 @@ declare(strict_types=1);
 namespace pocketmine\entity;
 
 use Ahc\Json\Comment as CommentedJsonDecoder;
+use pocketmine\utils\Limits;
 use function implode;
 use function in_array;
 use function json_encode;
@@ -48,7 +49,17 @@ final class Skin{
 	/** @var string */
 	private $geometryData;
 
+	private static function checkLength(string $string, string $name, int $maxLength) : void{
+		if(strlen($string) > $maxLength){
+			throw new InvalidSkinException("$name must be at most $maxLength bytes, but have " . strlen($string) . " bytes");
+		}
+	}
+
 	public function __construct(string $skinId, string $skinData, string $capeData = "", string $geometryName = "", string $geometryData = ""){
+		self::checkLength($skinId, "Skin ID", Limits::INT16_MAX);
+		self::checkLength($geometryName, "Geometry name", Limits::INT16_MAX);
+		self::checkLength($geometryData, "Geometry data", Limits::INT32_MAX);
+
 		if($skinId === ""){
 			throw new InvalidSkinException("Skin ID must not be empty");
 		}