PT-2026-51064 · Rubygems · Oj
Published 2026-06-19 · Updated 2026-06-19
CVE-2026-54502
CVSS v4.0
8.7
High
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
Summary
Oj.dump is vulnerable to a stack-based buffer overflow when a large :indent value is provided by the developer. fill_indent in dump.h calls memset(indent_str, ' ', (size_t)opts->indent) without validating the size. When opts->indent is set to INT_MAX (2,147,483,647), the (size_t) cast preserves the large value and memset writes roughly 2 GB of spaces into the stack-allocated out buffer (4,184 bytes), corrupting the stack and crashing the process.
Version
- Software: oj gem
- Affected: all versions with ext/oj/dump.h
- Latest tested: 3.17.1 (confirmed present)
Details
ext/oj/dump.h, line 77:

```c
static void fill_indent(Out out, int depth) {
    if (0 < out->opts->indent) {
        size_t len = (size_t)(out->opts->indent * depth);
        // ...
        memset(out->buf + ..., ' ', len);  // len = 2147483647 * depth
```

The indent option is accepted as a plain Ruby integer and stored as an int without range validation. Multiplying by depth can produce a value larger than any stack or heap buffer. Note that out->opts->indent * depth is evaluated in int before the cast, so with indent = INT_MAX the product already overflows signed int at depth 2 or more; at depth 1, the case in the trace below, the product is exactly INT_MAX and the cast to size_t carries it unchanged into memset as the write length.

ASAN report:
```
==69820==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fd1fc201278
WRITE of size 2147483647 at 0x7fd1fc201278 thread T0
    #0 memset
    #1 fill_indent /ext/oj/dump.h:77
    #2 dump_array /ext/oj/dump_compat.c:165
    #3 oj_dump_obj_to_json_using_params /ext/oj/dump.c:818
    #4 dump_body /ext/oj/oj.c:1429
    #5 dump /ext/oj/oj.c:1480
Address is in stack of thread T0 at offset 4728 in frame:
    #0 dump /ext/oj/oj.c:1453
    [544, 4728) 'out' <== Memory access at offset 4728 overflows this variable
```

Reproduce
```ruby
require "oj"

# Proof of concept: an :indent of INT_MAX makes fill_indent memset roughly
# 2 GB of spaces into the 4 KiB stack buffer. Under ASAN this aborts with
# the report above; without ASAN the process crashes.
obj = [0]
Oj.dump(obj, mode: :compat, indent: 2_147_483_647)
```

Workaround
Developers should not use extreme :indent values and should not expose an option that lets users dump Ruby data with an unbounded indentation size. If the indent is taken from user input, clamp it to a small fixed maximum before calling Oj.dump.
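The Details and Workaround sections describe the bug (an unchecked int indent multiplied by depth and handed straight to memset) and the remedy (bound the indent). The following C example is added here and is not Oj's code: it places the advisory's length computation next to a hardened fill_indent that validates :indent when the option is set, computes the length in size_t with an overflow check, and refuses any write that does not fit the buffer. The Out struct, its 4096-byte stack buffer, the MAX_INDENT and MAX_OUTPUT limits and every function name are simplified assumptions for this example, not Oj's real definitions.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Simplified, hypothetical stand-ins for Oj's Out/Opts. The field names, the
 * 4096-byte stack buffer and both limits are assumptions of this example. */
#define STACK_BUF_SIZE 4096
#define MAX_INDENT     1024           /* policy cap on :indent (assumed) */
#define MAX_OUTPUT     (64u << 20)    /* cap on output growth, 64 MiB (assumed) */

typedef struct _out {
    char  stack_buf[STACK_BUF_SIZE];
    char *buf;    /* active buffer: stack_buf or a heap block */
    char *cur;    /* next write position */
    char *end;    /* one past the last writable byte */
    bool  heap;   /* true once buf has moved to the heap */
    int   indent; /* stands in for out->opts->indent */
} *Out;

static void out_init(Out out) {
    out->buf = out->stack_buf;
    out->cur = out->buf;
    out->end = out->buf + STACK_BUF_SIZE;
    out->heap = false;
    out->indent = 0;
}

static void out_free(Out out) {
    if (out->heap) free(out->buf);
}

/* The advisory's length computation: int multiply, cast to size_t, no check
 * against the buffer. indent = INT_MAX, depth = 1 gives the 2,147,483,647-byte
 * memset ASAN reported. Only the length is computed; nothing is written. */
size_t vulnerable_indent_len(int indent, int depth) {
    return (size_t)(indent * depth);
}

/* Fix, part 1: validate :indent once, where the option is parsed. */
bool set_indent(Out out, long long requested) {
    if (requested < 0 || requested > MAX_INDENT) return false;
    out->indent = (int)requested;
    return true;
}

/* Fix, part 2: indent * depth in size_t, with an explicit overflow check. */
static bool indent_len(int indent, int depth, size_t *len) {
    if (indent <= 0 || depth <= 0) { *len = 0; return true; }
    if ((size_t)indent > SIZE_MAX / (size_t)depth) return false;
    *len = (size_t)indent * (size_t)depth;
    return true;
}

/* Fix, part 3: never write past end; grow onto the heap, up to MAX_OUTPUT. */
static bool ensure_capacity(Out out, size_t need) {
    size_t used = (size_t)(out->cur - out->buf);
    size_t cap  = (size_t)(out->end - out->buf);
    if (need <= cap - used) return true;
    if (used > MAX_OUTPUT || need > MAX_OUTPUT - used) return false;
    size_t ncap = cap;
    while (ncap - used < need) ncap *= 2;
    char *nb = out->heap ? realloc(out->buf, ncap) : malloc(ncap);
    if (nb == NULL) return false;
    if (!out->heap) memcpy(nb, out->buf, used);
    out->buf = nb; out->cur = nb + used; out->end = nb + ncap; out->heap = true;
    return true;
}

/* Hardened fill_indent: same job as the vulnerable one, but bounded. */
bool fill_indent_checked(Out out, int depth) {
    size_t len;
    if (!indent_len(out->indent, depth, &len)) return false;
    if (len == 0) return true;
    if (!ensure_capacity(out, len)) return false;
    memset(out->cur, ' ', len);
    out->cur += len;
    return true;
}

/* Normal path: option validated, then indentation emitted. Returns bytes
 * written, -1 if :indent was rejected, -2 if the write would not fit. */
long long demo_indent_bytes(long long requested_indent, int depth) {
    struct _out out;
    out_init(&out);
    if (!set_indent(&out, requested_indent)) return -1;
    long long written = fill_indent_checked(&out, depth)
                        ? (long long)(out.cur - out.buf) : -2;
    out_free(&out);
    return written;
}

/* Defence in depth: if :indent reaches fill_indent unvalidated, as in the
 * advisory, the capacity check still refuses the 2 GiB write. */
long long demo_raw_fill(int raw_indent, int depth) {
    struct _out out;
    out_init(&out);
    out.indent = raw_indent;   /* bypasses set_indent on purpose */
    long long written = fill_indent_checked(&out, depth)
                        ? (long long)(out.cur - out.buf) : -2;
    out_free(&out);
    return written;
}
```

demo_indent_bytes(INT_MAX, 1) returns -1 because the option is rejected before any buffer is touched, and demo_raw_fill(INT_MAX, 1) returns -2 because the capacity check stops the write even when validation is bypassed. In the real gem the first check belongs in the option parser and the second wherever the dumper appends to out->buf; vulnerable_indent_len is never called with a depth above 1 here, since INT_MAX * 2 in int is signed overflow, which is exactly the kind of arithmetic the hardened version avoids.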
Fix
Stack Overflow
Weakness Enumeration
Related identifiers
Affected products
Oj