Also check for the actual character length in ResourceLocation validation

patches/api/Return-null-for-empty-String-in-NamespacedKey.fromSt.patch

@@ -9,20 +9,20 @@ index 0000000000000000000000000000000000000000..00000000000000000000000000000000
 --- a/src/main/java/org/bukkit/NamespacedKey.java
 +++ b/src/main/java/org/bukkit/NamespacedKey.java
 @@ -0,0 +0,0 @@ public final class NamespacedKey implements net.kyori.adventure.key.Key, com.des
-         this.namespace = namespace;
          this.key = key;
  
--        String string = toString();
+         String string = toString();
 -        Preconditions.checkArgument(string.length() < 256, "NamespacedKey must be less than 256 characters", string);
++        Preconditions.checkArgument(string.length() <= Short.MAX_VALUE, "NamespacedKey must be less than 32768 characters", string); // Paper - Fix improper length validation
      }
  
      /**
 @@ -0,0 +0,0 @@ public final class NamespacedKey implements net.kyori.adventure.key.Key, com.des
-         Preconditions.checkArgument(isValidNamespace(this.namespace), "Invalid namespace. Must be [a-z0-9._-]: %s", this.namespace);
          Preconditions.checkArgument(isValidKey(this.key), "Invalid key. Must be [a-z0-9/._-]: %s", this.key);
  
--        String string = toString();
+         String string = toString();
 -        Preconditions.checkArgument(string.length() < 256, "NamespacedKey must be less than 256 characters (%s)", string);
++        Preconditions.checkArgument(string.length() <= Short.MAX_VALUE, "NamespacedKey must be less than 32768 characters", string); // Paper - Fix improper length validation
      }
  
      @NotNull
@@ -31,10 +31,10 @@ index 0000000000000000000000000000000000000000..00000000000000000000000000000000
      @Nullable
      public static NamespacedKey fromString(@NotNull String string, @Nullable Plugin defaultNamespace) {
 -        Preconditions.checkArgument(string != null && !string.isEmpty(), "Input string must not be empty or null");
-+        // Paper - Return null for empty string
++        // Paper - Return null for empty string, check length
 +        Preconditions.checkArgument(string != null, "Input string must not be null");
-+        if (string.isEmpty()) return null;
-+        // Paper end - Return null for empty string
++        if (string.isEmpty() || string.length() > Short.MAX_VALUE) return null;
++        // Paper end - Return null for empty string, check length
  
          String[] components = string.split(":", 3);
          if (components.length > 2) {

patches/server/Validate-ResourceLocation-in-NBT-reading.patch

@@ -29,7 +29,13 @@ index 0000000000000000000000000000000000000000..00000000000000000000000000000000
      private final String path;
  
      protected ResourceLocation(String namespace, String path, @Nullable ResourceLocation.Dummy extraData) {
-+        if (io.netty.buffer.ByteBufUtil.utf8MaxBytes(namespace + ":" + path) > 2 * Short.MAX_VALUE + 1) throw new ResourceLocationException("Resource location too long: " + namespace + ":" + path); // Paper - Validate ResourceLocation
++        // Paper start - Validate ResourceLocation
++        // Check for the max network string length (capped at Short.MAX_VALUE) as well as the max bytes of a StringTag (length written as an unsigned short)
++        final String resourceLocation = namespace + ":" + path;
++        if (resourceLocation.length() > Short.MAX_VALUE || io.netty.buffer.ByteBufUtil.utf8MaxBytes(resourceLocation) > 2 * Short.MAX_VALUE + 1) {
++            throw new ResourceLocationException("Resource location too long: " + resourceLocation);
++        }
++        // Paper end - Validate ResourceLocation
          this.namespace = namespace;
          this.path = path;
      }