Diablo 3 crashing due to fake item hotlinking

EDIT: Blizzard has addressed this with Diablo 3 patch 1.0.2c (build 9991). Under “Bug Fixes”, the ChangeLog states: “Fixed several crashes which occurred when clicking on player-generated item links in the game client”.

It appears that some nefarious Diablo 3 players have found a way to crash another player’s client by sending a malformed “item hotlink”. Apparently individuals have found a way to exploit the hotlinking feature, allowing for non-existent items to appear (such as potions that have sockets on them, etc.). However, in some cases these fake items result in the client itself crashing when clicked upon.

Here are threads which are directly related to this issue:

Reddit also mentions the issue:

There is obviously no workaround other than to avoid clicking on ANY link in chat, whether it be private or public.

One such item which absolutely crashes the client (if the name is clicked on) is the following string:

|HItem:2,1236607151:-877003260:-362610042,-362610042,-362610042,-362610042,-362610042,-362610042,-362610042,1791308545,1791308545,1791308545,1791308545,1791308545,1791308545,-362610042,-362610042,810509133,810509133,810509133-1008238675,-1008238675,-1008238675,-1243748674,-1243748674,-1243748674:-1:0:-1:-1:-1:9:444:444:0:0:4:0:|h [{c:ffff00ff}Diablo's Claw{/c}]|h

It amazes me that Blizzard continues to use a hotlinking model that allows for players to manually insert such text, not to mention allows a player to actually send something across the wire that will get parsed into an invalid item. Was it simply too hard to use a syntax that involved a high-bit (e.g. not possible to input by a player) character sequence, and directly refer to an item number? Such an example would be:


…where the hex strings 0xBEEFCAFEF00DFACE and 0x00 are literal binary, and the number 263 refers to item 263. Item colour, etc. would be part of the data structure associated with the item itself, not something a player could input.

For modifiable items (e.g. with sockets which are populated with variable gems), a comma-delimited syntax could be used — where the comma-delimited values only applied if the preceding item number actually had sockets in it, and assuming the sockets were filled with items that were denoted in the internal data structure as socketable. An example where item 92145 was filled with 2 socketable items (9801 and 7625, respectively):


This isn’t rocket science. This is “secure programming 101”; it’s a combination of sanitizing input, and not providing humans the ability to enter characters/data which could cause a problem. The |HItem:...|h stuff is a disgrace.
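The reference-by-number scheme proposed above (a bare item number, plus comma-delimited ids for filled sockets), sketched as a receiving-side validator. This is an added example, not code from the original post or from Blizzard; the exact framing (binary prefix, ASCII decimal ids, terminator placement), the length limits and the item table are assumptions.

```python
import re

MAGIC = bytes.fromhex("BEEFCAFEF00DFACE")  # literal binary prefix named in the post
END = b"\x00"                              # literal binary terminator named in the post
# Assumed limits: ids of 1-9 ASCII digits, at most 8 socket entries.
BODY = re.compile(rb"[0-9]{1,9}(?:,[0-9]{1,9}){0,8}")

# Constructed item table (hypothetical): id -> (name, socket count, socketable?)
ITEMS = {
    263:   ("Minor Health Potion", 0, False),
    92145: ("Socketed Helm", 2, False),
    9801:  ("Flawless Ruby", 0, True),
    7625:  ("Flawless Emerald", 0, True),
}

class BadLink(ValueError):
    """Raised for any link that does not resolve to a real item."""

def resolve_link(raw: bytes):
    """Return (item_name, [gem_names]); raise BadLink on anything else."""
    if not (raw.startswith(MAGIC) and raw.endswith(END)):
        raise BadLink("bad framing")
    body = raw[len(MAGIC):-len(END)]
    if not BODY.fullmatch(body):
        raise BadLink("body is not a bounded list of decimal ids")
    item_id, *gem_ids = (int(tok) for tok in body.split(b","))
    if item_id not in ITEMS:
        raise BadLink("unknown item")
    name, sockets, _ = ITEMS[item_id]
    # Socket values only apply if the item really has that many sockets.
    if len(gem_ids) > sockets:
        raise BadLink("more gems than sockets")
    gems = []
    for gid in gem_ids:
        # Each socketed id must exist and be flagged socketable in the table.
        if gid not in ITEMS or not ITEMS[gid][2]:
            raise BadLink("socket holds an unknown or non-socketable item")
        gems.append(ITEMS[gid][0])
    return name, gems

def is_valid(raw: bytes) -> bool:
    """Boolean wrapper so callers can drop bad links without crashing."""
    try:
        resolve_link(raw)
        return True
    except BadLink:
        return False
```

Name, colour and stats come only from the receiver's own table, so a sender cannot describe an item that does not exist; a socketed potion such as `263,9801` is rejected before anything is rendered.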