PT-2026-51064 · Rubygems · Oj

Published: 2026-06-19 · Updated: 2026-06-19 · CVE-2026-54502

CVSS v4.0: 8.7 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Summary

Oj.dump is vulnerable to a stack-based buffer overflow when a large :indent value is provided by the developer. fill_indent in dump.h calls memset(indent_str, ' ', (size_t)opts->indent) without validating the size. When opts->indent is set to INT_MAX (2,147,483,647), the (size_t) cast preserves the large value and memset writes 2 GB into the stack-allocated out buffer (4,184 bytes), corrupting the stack and crashing the process.

Version

  • Software: oj gem
  • Affected: all versions with ext/oj/dump.h
  • Latest tested: 3.17.1 (confirmed present)

Details

ext/oj/dump.h, line 77:

```c
static void fill_indent(Out out, int depth) {
  if (0 < out->opts->indent) {
    // indent is a developer-supplied int; nothing bounds it here
    size_t len = (size_t)(out->opts->indent * depth);
    // ...
    memset(out->buf + ..., ' ', len); // len = 2147483647 * depth
  }
}
```

The indent option is accepted as a plain Ruby integer and stored as an int without range validation. Multiplying it by depth can produce a length larger than any stack or heap buffer.
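A hardened counterpart to the fill_indent above, added here as an example and not Oj's own code: the indent length is computed with an overflow check and the write is refused when it would not fit the remaining buffer space, instead of handing an unchecked (size_t) cast to memset. SafeOut, OUT_BUF_SIZE, indent_len, safe_fill_indent and try_fill are names assumed for this example; the buffer size mirrors the 4,184-byte 'out' frame in the ASAN report.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed fixed-size output buffer, sized like the 'out' variable ASAN reported. */
#define OUT_BUF_SIZE 4184

typedef struct {
    char   buf[OUT_BUF_SIZE];
    size_t used;    /* bytes already written into buf */
    int    indent;  /* developer-supplied indent, unvalidated on entry */
} SafeOut;

/* indent * depth computed without signed overflow: false if either value is
 * negative or the product would not fit in an int, so no wrapped or huge
 * value ever reaches the size_t cast. */
static bool indent_len(int indent, int depth, size_t *len) {
    if (indent < 0 || depth < 0) return false;
    if (indent != 0 && depth > INT_MAX / indent) return false;
    *len = (size_t)indent * (size_t)depth;
    return true;
}

/* Hardened fill_indent: memset runs only once the length is known to fit in
 * the space remaining in buf. Returns bytes written, or -1 on refusal. */
static long safe_fill_indent(SafeOut *out, int depth) {
    size_t len;
    if (!indent_len(out->indent, depth, &len)) return -1;
    if (len > OUT_BUF_SIZE - out->used) return -1;  /* would overflow buf */
    memset(out->buf + out->used, ' ', len);
    out->used += len;
    return (long)len;
}

/* One fill into a fresh buffer, for stand-alone checks. */
static long try_fill(int indent, int depth) {
    SafeOut out;
    out.used = 0;
    out.indent = indent;
    return safe_fill_indent(&out, depth);
}

int main(void) {
    printf("indent 2, depth 3       -> %ld\n", try_fill(2, 3));        /* 6 */
    printf("indent INT_MAX, depth 1 -> %ld\n", try_fill(INT_MAX, 1));  /* -1: exceeds buf */
    printf("indent INT_MAX, depth 2 -> %ld\n", try_fill(INT_MAX, 2));  /* -1: int overflow */
    return 0;
}
```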
ASAN report:

```
==69820==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fd1fc201278
WRITE of size 2147483647 at 0x7fd1fc201278 thread T0
  #0 memset
  #1 fill_indent /ext/oj/dump.h:77
  #2 dump_array  /ext/oj/dump_compat.c:165
  #3 oj_dump_obj_to_json_using_params /ext/oj/dump.c:818
  #4 dump_body  /ext/oj/oj.c:1429
  #5 dump     /ext/oj/oj.c:1480
Address is in stack of thread T0 at offset 4728 in frame:
  #0 dump /ext/oj/oj.c:1453
  [544, 4728) 'out' <== Memory access at offset 4728 overflows this variable
```

Reproduce

```ruby
require "oj"
obj = [0]
Oj.dump(obj, mode: :compat, indent: 2_147_483_647)
```

Workaround

The developer should not use extreme indent values and should not expose an option that lets users dump Ruby data with an unbounded indentation size.

Fix

Stack Overflow


Weakness Enumeration

Related Identifiers

CVE-2026-54502
GHSA-3V45-F3VH-WG7M

Affected Products

Oj