From 6c351357abfdb9c57426129f0b4f0bb063f93bd8 Mon Sep 17 00:00:00 2001
From: "Dylan K. Taylor" <dktapps@pmmp.io>
Date: Sun, 11 Apr 2021 16:02:41 +0100
Subject: [PATCH 1/2] NetworkBinaryStream: bail if finding unexpected trailing
 data on item extradata this may help to discover additional bugs and/or
 missing data on items that we don't know about yet.

---
 src/pocketmine/network/mcpe/NetworkBinaryStream.php | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/pocketmine/network/mcpe/NetworkBinaryStream.php b/src/pocketmine/network/mcpe/NetworkBinaryStream.php
index 506b7706d3..d7003b9769 100644
--- a/src/pocketmine/network/mcpe/NetworkBinaryStream.php
+++ b/src/pocketmine/network/mcpe/NetworkBinaryStream.php
@@ -260,6 +260,11 @@ class NetworkBinaryStream extends BinaryStream{
 			if($netId === ItemTypeDictionary::getInstance()->fromStringId("minecraft:shield")){
 				$extraData->getLLong(); //"blocking tick" (ffs mojang)
 			}
+
+			if(!$extraData->feof()){
+				throw new \UnexpectedValueException("Unexpected trailing extradata for network item $netId");
+			}
+
 			if($nbt !== null){
 				if($nbt->hasTag(self::DAMAGE_TAG, IntTag::class)){
 					$meta = $nbt->getInt(self::DAMAGE_TAG);

From f74ff1fcd4005a3f9712a8498393971efd5ad1d7 Mon Sep 17 00:00:00 2001
From: "dependabot-preview[bot]"
 <27856297+dependabot-preview[bot]@users.noreply.github.com>
Date: Sun, 11 Apr 2021 16:03:41 +0100
Subject: [PATCH 2/2] Bump adhocore/json-comment from 1.1.0 to 1.1.2 (#4158)

Bumps [adhocore/json-comment](https://github.com/adhocore/php-json-comment) from 1.1.0 to 1.1.2.
- [Release notes](https://github.com/adhocore/php-json-comment/releases)
- [Changelog](https://github.com/adhocore/php-json-comment/blob/main/CHANGELOG.md)
- [Commits](https://github.com/adhocore/php-json-comment/compare/1.1.0...1.1.2)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
---
 composer.lock | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/composer.lock b/composer.lock
index a01c5ce143..7828a6cf89 100644
--- a/composer.lock
+++ b/composer.lock
@@ -8,16 +8,16 @@
     "packages": [
         {
             "name": "adhocore/json-comment",
-            "version": "1.1.0",
+            "version": "1.1.2",
             "source": {
                 "type": "git",
                 "url": "https://github.com/adhocore/php-json-comment.git",
-                "reference": "cf7998124d1050b83d7d985447fefd630e09c1a2"
+                "reference": "fc2f76979f0a44a5f5bc2a2b600d0762fe0e78e7"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/adhocore/php-json-comment/zipball/cf7998124d1050b83d7d985447fefd630e09c1a2",
-                "reference": "cf7998124d1050b83d7d985447fefd630e09c1a2",
+                "url": "https://api.github.com/repos/adhocore/php-json-comment/zipball/fc2f76979f0a44a5f5bc2a2b600d0762fe0e78e7",
+                "reference": "fc2f76979f0a44a5f5bc2a2b600d0762fe0e78e7",
                 "shasum": ""
             },
             "require": {
@@ -51,7 +51,7 @@
             ],
             "support": {
                 "issues": "https://github.com/adhocore/php-json-comment/issues",
-                "source": "https://github.com/adhocore/php-json-comment/tree/1.1.0"
+                "source": "https://github.com/adhocore/php-json-comment/tree/1.1.2"
             },
             "funding": [
                 {
@@ -59,7 +59,7 @@
                     "type": "custom"
                 }
             ],
-            "time": "2021-04-05T13:11:13+00:00"
+            "time": "2021-04-09T03:06:06+00:00"
         },
         {
             "name": "pocketmine/binaryutils",