The `plistlib` module is vulnerable to OOM. It reads from the file the amount of data specified in the file (which can be up to `2**64` bytes), and both `FileIO.read()` and `BufferedReader.read()` preallocate the bytes object of the specified size. A specially prepared Plist file can be used to organize a DoS attack.
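The general mitigation for the pattern described in this issue, as an added example that is not part of the original report and not CPython's own code: read a file-declared length in bounded chunks so memory grows only with bytes actually present. The record layout (8-byte big-endian length plus payload), the 1 MiB cap and all names below are assumptions made for illustration; the layout is a constructed stand-in, not the binary plist format.

```python
import io
import struct

CHUNK = 1 << 20  # assumed 1 MiB cap on any single read request


class TruncatedInput(ValueError):
    """The stream ended before the declared number of bytes arrived."""


def read_declared(fp, size, chunk=CHUNK):
    """Read exactly `size` bytes, never requesting more than `chunk` at once.

    fp.read(size) may preallocate `size` bytes up front; here the buffer
    grows only as data really arrives from the stream.
    """
    if size < 0:
        raise ValueError("negative length")
    buf = bytearray()
    while len(buf) < size:
        part = fp.read(min(chunk, size - len(buf)))
        if not part:  # EOF before the declared length was satisfied
            raise TruncatedInput(f"declared {size} bytes, got {len(buf)}")
        buf += part
    return bytes(buf)


def read_record(fp):
    """Parse one constructed record: 8-byte big-endian length, then payload."""
    (length,) = struct.unpack(">Q", read_declared(fp, 8))
    return read_declared(fp, length)


class CountingReader(io.BytesIO):
    """Test double that records the largest size ever passed to read()."""
    max_request = 0

    def read(self, size=-1):
        self.max_request = max(self.max_request, size)
        return super().read(size)
```

A parser that knows the file size can additionally reject any declared length larger than the bytes remaining before reading at all.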