CVE-2026-54592

Oj::Doc#each child, when invoked recursively over a deeply nested JSON document, overflows a fixed-size stack buffer and aborts the process. This is a denial of service reachable from untrusted JSON.

Two-step chain in ext/oj/fast.c:

Leaf save path[MAX STACK];      // 800-byte stack buffer
size t wlen = doc->where - doc->where path;
if (0 < wlen) {
  memcpy(save path, doc->where path, sizeof(Leaf) * (wlen + 1));
}

When the previous recursive call left doc->where past where path[100], wlen exceeds MAX STACK and the memcpy overflows save path on the C stack.

The Oj::Doc parser imposes no JSON nesting-depth limit (it relies on a C-stack pressure check), so deeply nested attacker input reaches this path.

require 'oj'
depth = 200
payload = '[' * depth + '1' + ']' * depth
Oj::Doc.open(payload) do |doc|
 r = lambda { doc.each child { | | r.call } }
 r.call
end

Recursion depth <= 99 iterates normally; depth >= 101 aborts. lldb backtrace on the affected build (ruby 3.3.8 / arm64-darwin24):

SIGABRT
#2  abort
#3  stack chk fail
#4 doc each child  (oj.bundle, fast.c)

Reliable denial of service: any endpoint that calls Oj::Doc.open(untrusted) { |d| d.each child ... } recursively can be crashed with a small deeply-nested payload. On builds with a stack protector (the default, -fstack-protector-strong) the canary aborts the process before the saved return address is used. The Step-1 heap OOB writes into struct doc fields do occur, but are masked in practice because the Step-2 stack overflow crashes first; turning them into anything beyond a crash has not been demonstrated.

Fixed in 3.17.3: doc each child now bounds-checks before incrementing doc->where (raising Oj::DepthError) and restores doc->where after the loop, matching the existing each leaf pattern. Verified on the fixed build: depth >= 101 raises a clean Oj::DepthError instead of aborting.

Reported by Zac Wang (@7a6163).